.icp Files Virus - How to Remove It

.icp Files Virus – How to Remove It

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article has been created in order to best explain what is the .icp file ransomware and how you can remove it from your computer plus how you can try to restore files, encrypted by it.

The .icp file ransomware is the type of virus which aims to encrypt the files on the computers it has already infected and then leave behind a ransom note file, in which it extorts the owner of the infected computer to pay ransom to get the files to be decrypted and work again. The ransomware goes through great extents to slither in Windows computers unnoticed and once there, it performs series of malicious activities, that ultimately end up with the victimised PC having it’s files encoded. If your computer has been recently infected by the .icp file ransomware, we would strongly recommend that you read this article thoroughly.

Threat Summary

Name.icp Files Virus
TypeRansomware, Cryptovirus
Short DescriptionAims to encrypt the files on the computers infected by it and then may extort victims to pay ransom to get their files to work again.
SymptomsFiles have the .icp file extension added to them. A ransom note, called “Restore_ICPICP_Files.txt” is also dropped, containing the virus’s extortionist message.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .icp Files Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .icp Files Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.icp Files Virus – Distribution

To infect computers, the .icp ransomware may target them via e-mail. The way this scheme works is that cyber-criminals may hack a website and take away all of the user e-mails that are registered. These e-mail addresses may be used as the targets for the attack and they may receive spam e-mail messages by the criminals who are behind the .icp file ransomware.

The e-mails may contain a convincing message that the victims must either click on a URL or open an e-mail attachment, the outcome of which could be an infection with the .icp virus. Such attachments may often pretend to be:

  • Invoices.
  • Receipts.
  • Important documents from banks.
  • Closed account reports.
  • Revoked purchase.
  • Revoked visa.

The main idea is to get users to download fake documents, which may infect users by simply being opened or by getting the user to open them and enable their content.

Another strategy used in the infection process of the .icp file ransowmare is to spread the virus by uploading it’s infection files on multiple different websites. There, the files may usually pretend to be what the user is looking for and since they are usually compromised or fake sites, they can turn out to appear as a search result in Google, that seems legitimate. The main file types that often end up to be ransomware are:

  • Fake setups.
  • Fake portable versions of programs.
  • Key generators.
  • Patches.
  • License Activators.

In some cases, such sites may also cause automatic redirects that may infect victims via malicious JavaScript code execution.

.icp Ransomware – More Information

When the .icp file ransomware conducts an infection, the virus may drop its modules (virus files) on the affecte computer. There, they may reside, pretending to be completely legitimate type of files and they may even imitate programs, like Notepad, Photoshop, etc. The files may also have completely random file names, so that victims cannot be able to easily locate them. These files are usually uploaded in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%
  • %System Drive%
  • %Windows%

Among the files dropped on victimised machines, the .icp virus also creates its ransom note file, called Restore_ICPICP_Files.txt. The note has the following extortionist message:

Do not rename the ciphered files
Do not try to decrypt your data with the help of the third-party software, it can cause constant data loss.
If you, your programmers or your friends help you to decrypt your files – it can lead to data loss.
You do not joke with files.
My email decrypter02@cumallover.me,piterpen02@keemail.me

As soon as the ransom note is dropped on infected computers, the .icp virus may also engage in several other activities as well, such as:

  • Create mutexes.Texttt
  • Check if it’s running on a virtual drive or actual machine.
  • Obtain your IP and Mac address.
  • Check your system preferred language.
  • Check your antivirus and firewall settings.
  • Obtain administrator rights and Read & Write permissions.

As soon as this is done, the .icp virus may begin to create registy entries in the following Windows Registry Editor sub-keys:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In addition to this, the .icp file ransomware may also begin to delete the backed up files and shadow copies on the victimized machines. To do this, the .icp ransomware may execute the following Windows Command Prompts as an administrator:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

.icp Ransomware – Encryption

To encrypt files on computers it has compromised, .icp ransomware may run a very cleverly designed code, that skips encoding files in the system directories of Windows and the Drivers directories that may damage your OS. The .icp ransomware may use a very advanced encryption, which usually takes decades to break, using a conventional computer, if you do not know the decryption key. The virus encrypts files by either creating copies and modifying them or directly changing bytes of data on the original files. The files that could be encrypted by .icp ransomware could end up to be the following:

  • Documents.
  • Videos.
  • Images.
  • Archives.
  • Virtual drive files.
  • Audio files.

After the encryption, the files have the .icp file extension and they no longer look the same:

Remove .icp Files Virus and Try Restoring Files

If you want to remove the .icp file ransomware, we would strongly recommend that you do a fresh backup of your files beforehand. This will help you minimise the risk of damaging your files during the removal.

To remove the .icp file ransowmare, we recommend that you follow the removal instructions underneath this article. They are divided in manual as well as automatic removal steps. If manual removal does not seem to be effective, then we strongly advise that you try scanning your computer with an advanced anti-malware software as this type of removal is automatic and highly effective, plus it will save you tons of time in having to manually look for the malicious files and deleting them.

If you want to try and restore files, encrypted by the .icp file ransomware, we would strongly recommend that you see the alternative methods for file recovery in the “Try to Restore” step below. They may come with no full guarantee to be able to get all your files to work, but with their aid, you could be able to recover at least some of your files.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share