If on your computer you come across a screen like the one below, claiming that the computer has been locked for security reasons, what has actually happened is that you have been infected with a piece of malware known as Urausy:
Police virus in Uruguayan version
It is ransomware that locks the computer's screen while posing as the police, in order to deceive victims and convince them to pay a supposed fine of $100.
In this example they use the image of the President of Uruguay, together with the flag and other elements typical of the country. They also display some data about the computer, such as its IP address, operating system and username, to make the story more credible.
Many users believe the message; others do not know what to do or cannot get rid of it, and end up paying to get their systems unlocked quickly. This social-engineering technique is letting cybercriminals fill their pockets even faster than fake antivirus did.
It is worth noting that this is not malware designed exclusively for Uruguay; in fact it is just a template or design adapted to each country. This particular format, which includes photos of presidents, is used for more than 30 countries.
The above are examples from Ecuador, Mexico and Spain … you can see more here.
Have they really infected people in Uruguay?
This ransomware is distributed through an affiliate system for cybercriminals, which I have mentioned on this blog before. Basically there are two parties: those who develop the malware and run the affiliate platform, and those who are in charge of spreading it in exchange for a commission.
The following capture was published on the security blog Malware don't need Coffee. It is a message left on a Russian forum promoting the affiliate system; it uses Uruguay as an example, claiming that a thousand infections carried out there (in February 2013) yielded 2,500 dollars in earnings:
1 UY 2.5 $
In other words, at least 25 people ended up paying, and believe me, a thousand infections is nothing if they are using crimeware kits to spread it.
In the following screenshot you can see the administration panel of an affiliated cybercriminal: the Installs column shows the number of installations (infections) carried out in the different countries, and on the right the money obtained:
How to remove this ransomware?
The ideal approach when you encounter a computer locked by this kind of malware is to turn it off and scan it from the outside with an antivirus on a bootable CD or USB key. It is also a good idea to make a backup of your important data first by accessing the system from a Live-CD.
The idea is to prevent the malware from loading and tampering with system files. Some variants simply block Windows or the screen from loading without damaging personal documents, but more aggressive ones are able to encrypt files, to the point that the only way to recover them is to pay the ransom (hence the name: a ransom is the payment demanded to release something held hostage).
With that in mind, in addition to offline antivirus there is also a program called PoliFix, developed by InfoSpyware, that lets you remove these Urausy variants from Safe Mode. It is free and easy to use; you will find the instructions at the link above.
Variants that do not allow access to Safe Mode:
Some newer versions of the police virus do not allow access to Safe Mode, and in normal mode they lock the screen by closing every program you try to open, including the Task Manager, so the virus process cannot be located and killed that way either.
If you find yourself in this situation, you can try the following from the Start Menu, since in some variants it remains accessible (you can check by pressing the Windows key):
Simply look for a strange entry under Startup and delete it, then restart the computer. The deleted entry may reappear, but in some variants this is enough to get back into Windows normally and finish eliminating the virus for good with a full scan using an updated antivirus.
If this method does not work for you, the only option left is the antivirus on a bootable CD.
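The manual cleanup above boils down to finding the autostart entry the locker uses and removing it before a full scan. The following PowerShell script is an added example written for this page; it is not code from the original post, from PoliFix or from Anti Ransom. It enumerates the autostart locations a screen locker commonly abuses (Run/RunOnce keys, the Winlogon Shell and Userinit values, and the Startup folders) and lists the entries worth a second look. It is meant to be run from Safe Mode, or from a Live-CD/WinPE against the victim's hives after loading them with `reg load`; which of these locations a given Urausy variant actually uses is an assumption on my part, not something the post states, so the script checks all of them rather than one. The path pattern and the "suspicious" heuristics are mine as well.

```powershell
# Added example (not from the original post): list autostart entries that a
# screen locker such as the "police virus" commonly abuses, so they can be
# removed before a full antivirus scan. Run from Safe Mode, or from a
# Live-CD/WinPE after loading the offline hives, for example:
#   reg load HKLM\OffSoft D:\Windows\System32\config\SOFTWARE
#   reg load HKLM\OffUser D:\Users\<name>\NTUSER.DAT
# and then: Get-AutostartFindings -HiveRoots 'HKLM:\OffSoft','HKLM:\OffUser\Software'
# Assumption: the locker persists through one of these locations; a given
# variant may use another, so treat an empty result as "not found here".

function Get-AutostartFindings {
    param(
        # Registry roots equivalent to HKLM\Software and HKCU\Software.
        [string[]] $HiveRoots = @('HKLM:\Software', 'HKCU:\Software'),
        # Startup folders to inspect (live-system defaults).
        [string[]] $StartupFolders = @(
            [Environment]::GetFolderPath('Startup'),
            [Environment]::GetFolderPath('CommonStartup'))
    )

    # Droppers normally write to a user-writable directory, not Program Files.
    $userWritable = '(?i)\\(AppData|Application Data|Local Settings|Temp|ProgramData|Users\\Public)\\'
    # Property names added by the registry provider, not real values.
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $findings = @()

    foreach ($root in $HiveRoots) {
        # Run/RunOnce: every value here is a command executed at logon.
        foreach ($sub in 'Microsoft\Windows\CurrentVersion\Run',
                         'Microsoft\Windows\CurrentVersion\RunOnce') {
            $key = Join-Path $root $sub
            if (-not (Test-Path $key)) { continue }
            foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
                if ($p.Name -in $providerProps) { continue }
                if ([string]$p.Value -match $userWritable) {
                    $findings += [pscustomobject]@{
                        Location = $key; Name = $p.Name; Value = $p.Value
                        Reason   = 'autostart command in user-writable path' }
                }
            }
        }
        # Winlogon Shell/Userinit: a locker that replaces explorer.exe here
        # owns the desktop before anything else gets to run.
        $wl = Join-Path $root 'Microsoft\Windows NT\CurrentVersion\Winlogon'
        if (Test-Path $wl) {
            $v = Get-ItemProperty $wl
            if ($v.Shell -and $v.Shell -ne 'explorer.exe') {
                $findings += [pscustomobject]@{ Location = $wl; Name = 'Shell'
                    Value = $v.Shell; Reason = 'Shell is not explorer.exe' }
            }
            if ($v.Userinit -and
                $v.Userinit -notmatch '(?i)^[a-z]:\\windows\\system32\\userinit\.exe,?$') {
                $findings += [pscustomobject]@{ Location = $wl; Name = 'Userinit'
                    Value = $v.Userinit; Reason = 'Userinit value modified' }
            }
        }
    }

    # Startup folders: resolve .lnk targets and flag executables dropped
    # directly in the folder or shortcuts pointing into user-writable paths.
    $wsh = New-Object -ComObject WScript.Shell
    foreach ($dir in $StartupFolders) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -Path $dir -File) {
            $target = if ($f.Extension -eq '.lnk') {
                $wsh.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
            if ($f.Extension -in '.exe', '.scr', '.bat', '.vbs', '.cmd' -or
                $target -match $userWritable) {
                $findings += [pscustomobject]@{ Location = $dir; Name = $f.Name
                    Value = $target; Reason = 'suspicious Startup folder item' }
            }
        }
    }
    return $findings
}

Get-AutostartFindings | Format-Table -AutoSize
# Once you are sure an entry is the locker, remove it, reboot and run a full scan:
#   Remove-ItemProperty -Path '<Location>' -Name '<Name>'   # registry value
#   Remove-Item -Path '<Location>\<Name>'                   # Startup folder file
```

The script only reports; deletion is left to you because a legitimate program can also start from AppData, and removing the wrong Winlogon value will leave you with no desktop at all. When running against offline hives, `[Environment]::GetFolderPath` resolves to the Live-CD's own profile, so pass the victim disk's Startup folders explicitly with `-StartupFolders`.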
Finally, I also recommend taking a look at Anti Ransom, a new security application developed by Yago from Security by Default to detect the presence of the malicious programs that encrypt documents and can cause significant loss of information.