Cyber Police Ransomware Virus - How to remove

Once again, we have a ransomware virus based on Hidden Tear project. It’s only already second ransomware infection based on this open-source project this week, as we have discussed jHash virus yesterday.

This particular ransomware infection employs AES cryptography, which is extremely strong and hard to decrypt. If your computer is affected by Cyber Police ransomware, you are probably not able to open any of your personal files, even though you can still use the computer itself. In this article we will provide you with detailed information how to eliminate Cyber Police ransomware virus and restore your encrypted files, so stick with us till the end.

Cyber Police locker features

Cyber Police virus was first discovered by  cyber security researcher Lawrence Abrams and published on Twitter post about “another Hidden Tear ransomware“. Actually, it was named as Police locker because it uses a screen locker image of Cyber Police. However, the files-locking extension used by this virus has nothing to do with cyber police, because it appends .locked extension, the same as jCandy virus.

NIn case you are wondering how this infection managed to sneak into your system, there are two most possible scenarios – it came bundled to some kind of free software or it was sent to you as an attachment to spam email. Either way, once inside of your computer, Cyber Police virus will automatically begin scanning your computer for files and eventually encrypting them.

During this process, an extension ‘.locked’ will be appended to your files and from that point you won’t be able to open any of them because they will be encrypted. After the process is over, your desktop screensaver will be automatically changed to Cyber Police image and a new ‘READ_IT.txt’ file will be placed on your desktop.

Original text of READ_IT.txt file:

YOUR COMPUTER IS BLOCKED BY CYBER POLICE FOR UNLICENSED SOFTWARE’S USAGE.
Your documents, photos, databases and other important files have been encrypted
with strong encryption and unique key, generated for this computer. The private decryption
key is stored on a secret internet server and nobody can decrypt your files until you will
pay fine and then obtain the private key. HOW TO PAY: Go to http://www.localbitcoins.com and
buy Bitcoins worth of 100$ with your favorite payment method. Then through your account, send
Bitcoins worth about 100$ to our Bitcoin address: 1NiGZiFPRqGdxB7ZpbcVsRUVqLJ2SjLsuM and indicate
your email to receive the decryption key via your email

As you can see, you are ordered to pay $100 using Bitcoins. Even though $100 might look like not that much, we still do not recommend to pay the ransom. Cyber criminals distributing malware often tend to ignore users after the ransom is paid, thus making the payment does not guarantee that you will receive decryptor.

Besides that, there are some signs that this ransomware can be also scamming its’ victims. First of all, we do not know whether Cyber Police virus creates unique id to recognise a computer or not. Also, there is no button or email address which would allow users to contact cyber criminals. They also try to scare users by stating that they have been punished by cyber police for using unlicensed software, instead of revealing the fact that computer has been infected and encrypted in order to lure money.

Removing Cyber Police virus

We have tested Cyber Police virus with VirusTotal engine and 43 out of 68 anti-malware tools identified it as a ransomware or trojan infection. That means you can use any of most popular anti-malware programs to remove Cyber Police virus from your computer. We suggest to go with Spyhunter – both of those applications proved to be extremely efficient when it comes to dealing with malware like this.

Speaking of your locked files – free decryptor for Cyber Police ransomware is not available right now, but we will update this post as soon as one is out. For now, you can only restore your files from a backup copy, if you have one. Please follow this system restore tutorial to do that.

How to recover Cyber Police Ransomware Virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Cyber Police Locker Virus has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Cyber Police Ransomware Virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Cyber Police Locker Virus. You can check other tools here.  

Step 3. Restore Cyber Police Ransomware Virus affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Cyber Police Locker Virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Cyber Police Ransomware Virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Manual removal