The “FBI virus” is one of the most well known ransomware scams ever distributed in the United States. It first appeared in 2012 as a full-screen lock screen that falsely claimed to be issued by the Federal Bureau of Investigation and demanded payment through MoneyPak vouchers. Botcrawl was among the first publications to document this threat and publicly identify it as the “FBI virus” or “FBI MoneyPak virus.” As the campaign spread, it became one of the most widely searched ransomware infections in the country. While the original malware variants are no longer widespread, FBI-themed scams and lock screens continue to resurface in modern forms, including browser lockers, online extortion schemes, and mobile ransomware.

Although the original FBI MoneyPak ransomware relied on prepaid vouchers and basic screen-locking techniques, the core social engineering strategy behind it has remained largely unchanged. Modern versions of the FBI virus no longer need to fully lock a device to intimidate victims. Instead, they exploit fear through browser-based lock screens, fake law enforcement warnings, phishing emails, malicious advertisements, and scam websites designed to pressure users into paying fabricated fines, surrendering personal information, or installing additional malware. These newer schemes often appear more polished, use updated branding, and target both desktop and mobile users, allowing the threat to persist long after the original campaign faded.

This article traces the FBI virus from its earliest ransomware campaigns to the modern scams modeled after it. It explains how the original FBI MoneyPak malware operated, how its tactics evolved over time, and how to remove FBI-themed malware and lock screens using modern security tools. It also examines how early law enforcement impersonation schemes influenced today’s ransomware and extortion tactics, along with practical steps to protect devices from current file-encrypting attacks and fake authority warnings.
What is the FBI Virus?
The FBI virus was a type of ransomware that locked a user out of their computer and displayed a fake warning claiming to be from the Federal Bureau of Investigation. The message accused victims of viewing illegal content or violating federal law and demanded a fee to unlock the device. Payments were commonly requested through prepaid voucher systems such as MoneyPak, Ukash, Paysafecard, or Reloadit.
The FBI virus was one of the earliest widespread ransomware families in the United States. Instead of encrypting files like modern ransomware, it restricted access to the entire desktop and prevented the user from accessing Windows until a fake fine was paid. The goal was simple intimidation. Many victims complied out of fear, especially when the message displayed their location, IP address, or webcam feed.
Although the original FBI virus has faded, scammers still use FBI branding to scare users through browser pop-ups, online extortion messages, and fraudulent phone calls. These threats use modern tactics but rely on the same psychological pressure as the original ransomware.
How the FBI Virus Spread
The original FBI virus spread through many of the same infection techniques used by malware today. These included:
- Exploit kits that delivered ransomware when a victim visited an infected website
- Malicious email attachments disguised as invoices or notices
- Drive-by downloads from compromised sites and ads
- Fake software updates that installed ransomware instead of legitimate updates
- Bundled installers combined with pirated software or fake media players
Exploit kits were particularly effective at the time because many users were still on outdated versions of Java, Flash Player, and Internet Explorer. A single visit to a compromised site could trigger an automatic ransomware installation.
Symptoms of the FBI Virus
Most victims of the FBI virus experienced obvious symptoms such as a full-screen lockout. However, related scams can behave differently today. Common symptoms include:
- A full-screen window displaying an FBI message
- Loss of access to the desktop
- Keyboard shortcuts disabled
- Webcam activates without permission
- New browser tabs forcing an FBI warning
- Pop-ups claiming your device is under investigation
- Unexpected redirects to law-enforcement-themed pages
If you encounter any of these symptoms, your device may be compromised by a lock screen Trojan, browser hijacker, or scam website script.
Modern Variants and Related Threats
Although the original ransomware family is obsolete, modern threats continue to use FBI branding. These include:
- FBI browser lockers that freeze a browser tab with a fake FBI warning
- FBI phone scams where scammers call victims pretending to be agents
- FBI email scams that threaten legal action unless payment is made
- Mobile ransomware on Android that locks the screen with FBI logos
- Fake security alerts that redirect users to tech support scams
These threats do not function like the original ransomware, but they use the same pressure tactics and are often combined with phishing, payment fraud, and identity theft.
Remove the FBI Virus with Malwarebytes (Recommended)
The most effective way to remove an FBI virus infection is to scan your device with a trusted anti-malware tool. We recommend using Malwarebytes because it specializes in removing ransomware, adware, browser hijackers, and potentially unwanted programs. Manual removal may not detect hidden files or startup entries, so using an automated scanner is the safest option.
Follow these steps to remove the FBI virus using Malwarebytes:

- Download Malwarebytes and save the installer to your Downloads folder. Double-click it to begin installation.

- Follow the on-screen instructions to install Malwarebytes on your Windows device.

- Select whether you are installing Malwarebytes for personal or business use and click Next.

- You may be offered Malwarebytes Browser Guard. You can add it or skip this step.

- Once installation is complete, open Malwarebytes and click Get Started.

- If using the free version, you will receive a trial of Malwarebytes Premium. After the trial ends, the program continues working as an on-demand scanner.

- From the dashboard, click Scan. Malwarebytes will check memory, startup items, registry entries, and files for ransomware and related threats.

- Wait for the scan to complete. This may take several minutes.

- When the scan finishes, review the detected threats and click Quarantine to remove them. You may be prompted to restart your computer.

- After rebooting, Malwarebytes may run additional checks to confirm your system is clean.
Manual Removal for Windows
If you still have access to your desktop or are dealing with a browser-based FBI scam, these manual steps can help you remove unwanted components. Manual removal should be followed by a Malwarebytes scan to ensure no hidden remnants remain.
Step 1. Uninstall suspicious programs
- Right-click Start and select Installed apps or Apps and Features.
- Sort by install date to locate recent additions.
- Uninstall programs you do not recognize or installed around the time the lock screen appeared.
Step 2. Remove browser notifications from fake FBI sites
- Chrome: chrome://settings/content/notifications
- Edge: Settings > Cookies and site permissions > Notifications
- Firefox: Settings > Privacy and Security > Permissions
Step 3. Remove unwanted browser extensions
- Chrome: chrome://extensions
- Edge: Settings > Extensions
- Firefox: about:addons
Step 4. Restore your default search engine
Restore Google, DuckDuckGo, or your preferred provider.
Step 5. Reset browser settings if symptoms continue
- Chrome: chrome://settings/reset
- Edge: Settings > Reset settings
- Firefox: Help > More Troubleshooting Information > Refresh Firefox
Step 6. Clear cookies and site data
Remove cached FBI scam pages and redirects by clearing cookies and browsing data.
Step 7. Delete temporary files
Remove temporary files that may contain scripts or installers.
Advanced Checks for Persistent Issues
If you still see warnings or redirects, perform these advanced checks:
Check browser shortcuts
Right-click your browser shortcut and ensure the Target field contains only the browser executable path.
Check Windows hosts file
Inspect C:\Windows\System32\drivers\etc\hosts for unwanted entries.
Check proxy and DNS settings
Ensure no unexpected proxies or DNS servers are configured.
Check Chrome policies
Visit chrome://policy to see if malware has enforced settings.
Review Task Scheduler
Look for tasks that launch unknown executables.
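An added example (not from the original article or from Malwarebytes): a read-only PowerShell function that gathers the five checks above into one list for review. It assumes Windows 8 or later, where Get-DnsClientServerAddress and Get-ScheduledTask are available; the function and helper names are made up for this example, and each row is something to look at, not a verdict.

```powershell
# Added example: read-only audit of the five checks above. It changes nothing.
# Get-BrowserHijackAudit and Row are names made up for this example.
function Get-BrowserHijackAudit {
    function Row($Check, $Item, $Detail) {
        [pscustomobject]@{ Check = $Check; Item = $Item; Detail = "$Detail" }
    }

    # 1. Browser shortcuts: text after the executable path (often a URL) is
    #    handed to the browser on every launch.
    $shell = New-Object -ComObject WScript.Shell
    $dirs = 'Desktop', 'CommonDesktopDirectory', 'Programs', 'CommonPrograms' |
        ForEach-Object { [Environment]::GetFolderPath($_) }
    $dirs += "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
    $dirs = @($dirs | Where-Object { $_ -and (Test-Path $_) })
    if ($dirs) {
        Get-ChildItem -Path $dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                if ($lnk.TargetPath -match '(chrome|msedge|firefox|iexplore)\.exe$' -and $lnk.Arguments) {
                    Row 'Shortcut' $_.FullName $lnk.Arguments
                }
            }
    }

    # 2. Hosts file: a default Windows hosts file has only comment lines, so
    #    list every active entry.
    $hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    Get-Content $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' } |
        ForEach-Object { Row 'Hosts' $hostsPath ($_.Trim()) }

    # 3. Proxy (current user) and DNS servers per network adapter.
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ($inet.ProxyEnable -eq 1 -or $inet.AutoConfigURL) {
        Row 'Proxy' 'Internet Settings' "ProxyServer=$($inet.ProxyServer) AutoConfigURL=$($inet.AutoConfigURL)"
    }
    Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } |
        ForEach-Object { Row 'DNS' $_.InterfaceAlias ($_.ServerAddresses -join ', ') }

    # 4. Chrome policies: the registry keys Chrome reads machine and user
    #    policies from on Windows.
    foreach ($root in 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKCU:\SOFTWARE\Policies\Google\Chrome') {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in @(Get-Item $root) + @(Get-ChildItem $root -Recurse)) {
            foreach ($name in $key.GetValueNames()) {
                Row 'ChromePolicy' "$($key.Name)\$name" ($key.GetValue($name))
            }
        }
    }

    # 5. Scheduled tasks outside \Microsoft\ and the program each one starts.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            foreach ($action in $_.Actions) {
                if ($action.Execute) {
                    Row 'Task' "$($_.TaskPath)$($_.TaskName)" "$($action.Execute) $($action.Arguments)"
                }
            }
        }
}

Get-BrowserHijackAudit | Format-List
```

Some rows are expected on a clean system: DNS servers assigned by your router, vendor updater tasks, and browser shortcuts that carry a profile switch all appear here and are normal.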


The easiest way around the program starting up is to completely remove Internet access to your computer. Tried removing the files manually, but it sucks on Windows 7. Easier to just do a system restore. Your computer manually sets a restore point pretty often (mine was done at noon today and another one was done 4 days ago).
If you do a system restore, would you lose anything like progress made on a written document or something, or does it only restore files, and leaves anything manually saved?
Followed the steps for safe mode with command. It worked great. I was able to restore to another date. Thank you
Thank you oh so much for your help… Saved me 200 bucks
Safe mode w/ networking, run new version of Malwarebytes and let it remove infected files / reboot and install 2013 AVG, scan, you should be good to go.
Hi Sean,
Thanks a lot for the solution. System restore worked for me. But my doubt is, does system restore mean that the malware/virus is removed from the laptop?
Currently I am scanning with Malwarebytes (after performing system restore). It is showing Objects detected: 30 … will update the complete status once it completes the scan. Are these 30 objects related to a pre-existing virus or are they related to FBI MoneyPak? Is there any way to know this?
I tried scanning using mbam2.exe (not sure if this is the same as Malwarebytes). Although I got a popup saying 12 objects/trojans have been removed, the issue still existed for me.
On doing system restore I was able to restore the system back to its old state. What I am not sure of is if the virus is completely removed or not.
Please let me know your thoughts.
Thanks
Sud
I found if you remove the shortcut from the start up folder the computer won’t lock up but I can’t get the Internet to work now. Thanks to this helpful form I now know what it is now and how to kill the scam and everything with it.
How To Remove The FBI Moneypak Ransomware Virus – Fake FBI Malware Information And Removal Options http://t.co/s5hS3nl4
Just do a system restore!!!
Thanks to this post, it helped me to get rid of this fraud virus FBI scam.
Thank you so much!! I use this computer for home and work! SAVED MY BUTT!!!
Got two of ’em in the past week and a half. I see the FBI’s finally posted an official denial. What I don’t see is software designers so dedicated to artistically exploiting the schema-themes would deny us the value of a decent screen saver.
I had a feeling that this was complete bullshit. FBI can’t fine you w/o court papers. Thanks for posting on how to kill it.
Now I Know What To Do =]
They make this giant virus, then I come here from first google link and remove it in 2 seconds lol.
Always remember the following. The FBI does not have the authority to fine people. This can only be done in a court of law. So the first thing you have to realize is that even if you were looking at a video of a person having sex with an underage horse or dog or cat is that you are looking at a malware situation. Proceed accordingly; most of the time you can save yourself $200 and fix the problem. Don’t forget to keep your AVG or whatever you happen to use up to date and active. Learn how to boot into safe mode. I know it’s all very frustrating but it is part of modern life. What really drives people crazy, myself included, is that you really want revenge. You probably will not get it since a lot of this stuff is written in foreign countries. Do you really want to spend a couple of years dragging your ass around some miserable shithole country looking for some programmer who probably would cut your throat if you actually found him/her? Your satisfaction comes from the fact that they didn’t get your $200 and you are smarter and better than they are. Good luck.
I think I got rid of it, thanks a lot to this website. I really was about to pay the 200 too.
JUST TO LET EVERYONE KNOW THERE IS A BAD VIRUS GOING AROUND CALLED THE FBI VIRUS. IT TAKES OVER YOUR COMPUTER SAYING YOU HAVE TO PAY DUE TO COPYRIGHTED MATERIAL. IF YOU GET THIS THE ONLY WAY TO GET RID OF IT IS MALWAREBYTES. HERE IS A PAGE ON THE INTERNET TELLING ABOUT IT..
http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/
I think I got rid of it…!!
Readers, what my laptop got hit with this morning is called the FBI Moneypack virus and its ransomware. Info on link. http://t.co/yongLbCl
Whew! Thanks for the help! Scared me half to death when that screen popped up, haha!
This page popped up on my screen about an hour ago and scared the hell out of me. I don’t even use my computer for anything other than schoolwork and I guess I visited an unsafe link of off some random media site. Needless to say, I was a little skeptical. This article walked me through flawlessly. Thanks a million…or two hundred at least, that’s what I saved thanks to you guys. Very appreciative of all of the guidance as I am not much of a computer wiz.
I’m running Malwarebytes right now, I managed to restore windows to a couple of days ago through safe mode with networking…I nearly soiled my pants when this popped up! Hopefully it’s fully gone, don’t want my spouse to see this…
WOW! HUGE THANKS TO STEP 4!!!! Easy steps to follow, make sure to right click on the “ctfmon” file and click delete. I about shat myself when that fake FBI popped up…swooo
LMAO!!! That person(s) took all the time to write the virus for such an easy fix. Walked my sis thru the fix via cell, and discovered that the same virus was infecting my sons acct only on a cpu, here with three accts. Gonna fix that one myself. (glad I have my own laptop) Thanks for the info!! Nice and easy!!
This is how I did it and I didn’t have to download anything nor play with Windows settings (I have an XP PC though I think in 7 it will be the same outcome). I just turned off the PC, waited a few seconds, turned on PC and while I saw the PC booting up I kept pressing several times the F8 key. This took me to a screen that presented the different ways I can start Windows. I chose Safe Booting and pressed Enter. Then I just waited for Windows to boot up. The Windows desktop is going to look strange because Safe Boot will install just the basic drivers (and includes the video drivers). Then I went to Restore from All Programs/Accessories/System Tools. I selected a date prior to when I had the MoneyPak virus incident and pressed OK. The Restore command restored it to the way I had my PC on that day and thus, basically, replaced all settings that the virus might have changed or altered.
Good luck
Thanks for the tips. I saved my kid’s bacon last night by downloading the free version of MalwareBytes onto a flash drive on a second (non infected) computer, then turning off my router and installing the anti-malware onto the infected unit. It saw it right away and zapped it. The kid had to do his homework after all. Thanks.
This virus is currently making its way around the internet. Please read the information below so you can take steps to protect yourself.
The FBI Moneypak Ransomware Virus – Please read for both home and work. Do not click on any pop up links that claim to be from the FBI.
FBI Moneypak (FBI virus, Citadel Reveton) is ransomware that locks computer systems, alleges the computer user has been involved in illegal activity by the FBI (downloaded or distributed copyrighted material or viewed child pornography, etc.), and demands a penalty fine of $100 or $200 be paid to unlock the computer system within the allotted time of 72 hours by use of Moneypak cards. Moneypak is the prepaid credit cards you can purchase at Walmart or Walgreens type stores (Moneypak card image). The FBI Moneypak ransomware virus also states on the fake FBI screen that you (the computer owner) may see jail time if a fine is not paid in time. This is only malware, these claims are not real, paying the fine will not fix this malware.
Here are links to websites with more information and steps you can take to avoid the virus or remove it if you’ve already been infected.
http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/
This virus is a super terd. http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/
Thank you Sean for this excellent article. Very helpful.
I have another solution that can be added to this list!
1. turn off your computer
2. unplug your internet connection
3. turn the machine back on, the virus can only open if your machine is plugged into the internet!
4. using a flash drive, get malwarebytes from another computer and load it onto yours
5. run a full system scan, malwarebytes will find and eradicate every file, there were 10 files altogether!
6. restart when asked, and boom virus eradicated
I WASN’T DOING ANYTHING WRONG! Was just looking at some wiring diagram images on the web for my old mustangs when this “mess” started popping up and then the FBI screen.
Restoring my computer did the trick for me. Started up in Safe Mode and ran the restore file Rstrui.exe from the Start Menu. Selected an earlier restore point and all is good. Not sure what caused my other problem but the only side effect was that all my data files in the user, my documents folders, were gone. Finally realized that the files were present but they were all “hidden”. Had to go to View in the Folder Option and select the “show hidden files” button. Then was able to see the files and go to file properties and uncheck the attributes “hidden” box.
THANKS so much for this site. Keep up the good work!
That scared me so bad. Option 4 did the trick. Thanks so much!!!
Omg omg omg! I almost had a heart attack. I was like wtf did I do to deserve this. When it popped up and I didn’t know what to do I thought to myself “my dad is going to kill me!” Then I decided to go on my iPod and see what I could do. And man, this site helped me a lot. So I thank you very much!
Question – If I have 2 accounts, one infected and one not, and I run MalwareBytes from the non-infected account, will it kill the virus on the infected one?
Thank you so much.
I managed to do all of this without any trouble!
Wow, looks like MalwareBytes detected it and removed it. Impressed.
Bloody FBI virus on a Windows XP laptop. I cannot get into safemode command prompt as it demands the sys admin password and I have not worked at the company where I got computer for 3 years… in standard safemode the virus locks me out… The Task Manager button (@ alt-ctrl-del) is greyed out and does not work to allow me to stop the program. Basically I am completely locked out of my computer and cannot even get to the point where I can follow the directions above. Has anybody hit this wall and come up with a solution?
I unplugged the ethernet cable and the virus gets hung up with the “this window may take 30 seconds to load…” but it never relinquishes the screen back to me.
This is not my main system but I do have a number of files I do need to access that have not been backed up.
The system I am posting from is a workplace mac (virus on personal PC). Is there something I can download to a thumb drive and force the PC to boot from the thumbdrive – allowing me to follow the cleaning instructions
If anyone has a suggestion please forward… Thanks!
I was able to run antiviruses if I left the internet off from the start; every time I activated the wireless, it’d lock me out, so I left it off. Malwarebytes seemed to take care of it for me.
Thank you
I cleaned this myself. It wasn’t easy. Follow the money. Who stands to profit? How about all these expensive malware blockers like McAfee & Norton who didn’t catch this but they want additional money to clean your PC….
thank you!!!!!
Got what appears to be a new variant – could not locate any of the files or settings in manual remove steps while looking from another account in Vista. It had disabled defender and task manager. Also could not find from safe mode except for a (random).exe that I renamed.
Ran a system restore from safe mode with command prompt and that appears to have fixed things. Looking deep and hard for any remnants. This is a nasty virus and I would like to learn what its entry point is. Based on logs, it appears to have exploited either flash or the java updater.
THANK YOU!! for the guidance.
This infection exploits flash.
Would you mind sending me a screenshot of your new variant please? Sean@botcrawl.com
Saved me a great deal, thank you.
Oh Nagasi, you so crazy. Picking up FBI ransomware at the library, what am I going to do with you?
http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/
This is a good article, it was very helpful when I had to remove it from a family member’s computer. Not sure if the virus has gotten stronger or what, but whenever I booted into safe mode, none of the files for the virus showed up, not even in the registry. Even Malwarebytes didn’t pick up on it. I ended up using No. 5 to get it off. Otherwise I’d have had to go with the system restore option, which would have been a pain to do.