UPDATED: Wednesday, April 28, 2010: How to remove the ICPP Copyright Violation Alert ransomware
An ongoing ransomware campaign is using a novel approach to extort money from end users whose PCs have been locked down.
Posing as the ICPP Foundation (icpp-online.com), a fake organization, the ransomware locks down the user's desktop and displays a "Copyright violation: copyrighted content detected" message that lists torrent files found on the infected PC. It then forces the user to pay $400 for the copyright holder's fine, emphasizing that "the maximum penalties can be five years in prison and up to $250,000 in fines."
More details on the campaign:
Upon execution the ransomware will change the Desktop's wallpaper to the "Warning! Piracy detected!" background.
It will then make sure the warnings appear every time the end user restarts the PC. In between, it will lock down the end user's Desktop, displaying the "Copyright violation: copyrighted content detected" window:
The window attempts to trick the end user into believing that:
Attempts to get rid of it result in the following message:
Gullible end users who fall victim to the scam will then be asked to pay $399.85 for a "Legal license purchase", a "Copyright holder fine", a "Copyright protection organization fee for the use of software tracking illegal file downloads" and a "Traffic fee".
Basically, you've got a profit-margin-driven ransomware business model that's ironically charging you a fee for the development of the ransomware "software" itself. The cybercriminals behind the campaign are also aware of the concept of localization. The ransomware will adapt to each user's PC and issue the same messages in 10 different languages - Czech, Danish, Dutch, English, French, German, Italian, Portuguese, Slovak and Spanish.
The ransomware is currently detected as Win32/Adware.Antipiracy and Rogue:W32/DotTorrent.A.