Wednesday, 28 March 2012

Remove 'PRS for Music' Scam Ransomware (Uninstall Guide)

'PRS for Music: Your computer has been locked' is a scam (ransomware) that tries to extort money from unsuspecting computer users. Earlier this month, the Performing Right Society issued a statement clarifying that the virus has nothing to do with PRS for Music and that they are investigating the issue. Now, why the hell should they care so much about this malware? Well, probably because cyber crooks use their logo, apparently in association with the Metropolitan Police, to make it the most genuine-looking scam you've seen in a long time. This scam is a particularly nasty one and unfortunately very widespread at the moment. So, what does this ransomware do exactly? Once installed, it hijacks your Desktop with a rather professionally done fullscreen warning claiming to be from PRS for Music and the Metropolitan Police. Please see the image below:

The warning states that illegally downloaded music files have been found on your computer and for this reason your computer has been locked.
PRS for Music

Your computer has been locked

Illegally downloaded music pieces (pirated) have been located on your computer. By downloading, those music pieces were reproduced, thereby involving a criminal offence under Section 106 of the Copyright Act. ....

I don't know much about the copyright laws in the United Kingdom, but even if there is such an act you're not violating it, so don't panic. To further scare you into thinking that the PRS for Music warning is the real deal, cyber crooks use Geo IP functions to determine your IP address and host name. The ransomware actually calls the command and control server before displaying the warning. It is worth mentioning that cyber crooks target computer users in other countries as well:
  • Gema and GVU - Germany
  • Sacem - France
  • Buma Stemra - The Netherlands
  • Suisa - Switzerland
  • AKM - Austria

All of these organizations in Europe protect the interests of songwriters, composers, and publishers.

When running, the PRS for Music scam/ransomware claims that the illegally obtained music files were encrypted and moved to a protected folder. This is not true. Although this ransomware might be a bear to remove, it's not very sophisticated and even has some critical bugs that, as I will show you later, can be used to bypass the restrictions in a few simple steps. Furthermore, the PRS for Music ransomware claims that you need to pay £50 to avoid prosecution and imprisonment. DO NOT GIVE THESE SCAMMERS YOUR MONEY. First of all, you will simply lose your money, and you probably won't be able to get it back because payments must be made via PaySafecard, PayPoint or something along those lines. They accept anonymous payments. Secondly, they won't unlock your computer.

You should also know that this ransomware cannot steal personally identifiable or sensitive information. It cannot delete any of your files either. Don't worry, you haven't lost your files, etc. You just need to remove the PRS for Music ransomware from your computer. That's it. If you're not good with computers, you can simply take your computer to a local repair store. It may cost you around $200 to get your computer back up and running again. Or you can try to remove this scam manually yourself. Please follow the removal instructions below.

How to prevent receiving PRS for Music scam/ransomware?

First, update your software, especially Adobe, Java and your web browsers. Use up-to-date antivirus software and an additional firewall. As far as I know, cyber crooks use BlackHole, by far the most widely used exploit pack, to distribute this ransomware. Simply visiting infected websites may get you into trouble. Please watch the video below showing how cyber crooks armed with the latest version of BlackHole, 1.2.3, can easily infect your computer if you're running an outdated version of Java. The exploit targets a bug in Java (CVE-2012-0507).

Thanks to Kafeineify for making this video.

The PRS for Music scam stays active in Safe Mode, Safe Mode with Networking and even in Safe Mode with Command Prompt. However, once you have rebooted your PC in Safe Mode with Command Prompt, you have a few seconds to open Windows Explorer. If you are lucky enough, you might be able to restore your computer to a previous date when it was virus free.

PRS for Music removal instructions (System Restore):

1. Reboot your computer in "Safe Mode with Command Prompt". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key.

2. Make sure you log in to an account with administrative privileges (login as admin).

3. Once the Command Prompt appears, you have a few seconds to type in explorer and hit Enter. If you fail to do it within 2-3 seconds, the PRS for Music ransomware will take over and will not let you type anymore.

4. If you managed to bring up Windows Explorer, you can now browse to:
  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter

5. Follow the steps to restore your PC to an earlier date.

Alternate PRS for Music ransomware removal using Print to file option:

A blogger named Thice wrote a great removal guide that can be used to remove the PRS for Music scam without the need to reboot your computer in Safe Mode. Although the removal guide was originally created to help users remove the Buma Stemra ransomware, it should work for PRS for Music as well. Basically, it's the same ransomware targeting computer users in different countries. Link to removal guide:

To learn more about ransomware, please read Remove Trojan.Ransomware (Uninstall Guide).
