How to Remove FBI Virus (Removal Guide)

The “FBI virus” is one of the most well known ransomware scams ever distributed in the United States. It first appeared in 2012 as a full-screen lock screen that falsely claimed to be issued by the Federal Bureau of Investigation and demanded payment through MoneyPak vouchers. Botcrawl was among the first publications to document this threat and publicly identify it as the “FBI virus” or “FBI MoneyPak virus.” As the campaign spread, it became one of the most widely searched ransomware infections in the country. While the original malware variants are no longer widespread, FBI-themed scams and lock screens continue to resurface in modern forms, including browser lockers, online extortion schemes, and mobile ransomware.

Although the original FBI MoneyPak ransomware relied on prepaid vouchers and basic screen-locking techniques, the core social engineering strategy behind it has remained largely unchanged. Modern versions of the FBI virus no longer need to fully lock a device to intimidate victims. Instead, they exploit fear through browser-based lock screens, fake law enforcement warnings, phishing emails, malicious advertisements, and scam websites designed to pressure users into paying fabricated fines, surrendering personal information, or installing additional malware. These newer schemes often appear more polished, use updated branding, and target both desktop and mobile users, allowing the threat to persist long after the original campaign faded.

This article traces the FBI virus from its earliest ransomware campaigns to the modern scams modeled after it. It explains how the original FBI MoneyPak malware operated, how its tactics evolved over time, and how to remove FBI-themed malware and lock screens using modern security tools. It also examines how early law enforcement impersonation schemes influenced today’s ransomware and extortion tactics, along with practical steps to protect devices from current file-encrypting attacks and fake authority warnings.

What is the FBI Virus?

The FBI virus was a type of ransomware that locked a user out of their computer and displayed a fake warning claiming to be from the Federal Bureau of Investigation. The message accused victims of viewing illegal content or violating federal law and demanded a fee to unlock the device. Payments were commonly requested through prepaid voucher systems such as MoneyPak, Ukash, Paysafecard, or Reloadit.

The FBI virus was one of the earliest widespread ransomware families in the United States. Instead of encrypting files like modern ransomware, it restricted access to the entire desktop and prevented the user from accessing Windows until a fake fine was paid. The goal was simple intimidation. Many victims complied out of fear, especially when the message displayed their location, IP address, or webcam feed.

Although the original FBI virus has faded, scammers still use FBI branding to scare users through browser pop-ups, online extortion messages, and fraudulent phone calls. These threats use modern tactics but rely on the same psychological pressure as the original ransomware.

How the FBI Virus Spread

The original FBI virus spread through many of the same infection techniques used by malware today. These included:

  • Exploit kits that delivered ransomware when a victim visited an infected website
  • Malicious email attachments disguised as invoices or notices
  • Drive-by downloads from compromised sites and ads
  • Fake software updates that installed ransomware instead of legitimate updates
  • Bundled installers combined with pirated software or fake media players

Exploit kits were particularly effective at the time because many users were still on outdated versions of Java, Flash Player, and Internet Explorer. A single visit to a compromised site could trigger an automatic ransomware installation.

Symptoms of the FBI Virus

Most victims of the FBI virus experienced obvious symptoms such as a full-screen lockout. However, related scams can behave differently today. Common symptoms include:

  • A full-screen window displaying an FBI message
  • Loss of access to the desktop
  • Keyboard shortcuts disabled
  • Webcam activates without permission
  • New browser tabs forcing an FBI warning
  • Pop-ups claiming your device is under investigation
  • Unexpected redirects to law enforcement themed pages

If you encounter any of these symptoms, your device may be compromised by a lock screen Trojan, browser hijacker, or scam website script.

Modern Variants and Related Threats

Although the original ransomware family is obsolete, modern threats continue to use FBI branding. These include:

  • FBI browser lockers that freeze a browser tab with a fake FBI warning
  • FBI phone scams where scammers call victims pretending to be agents
  • FBI email scams that threaten legal action unless payment is made
  • Mobile ransomware on Android that locks the screen with FBI logos
  • Fake security alerts that redirect users to tech support scams

These threats do not function like the original ransomware, but they use the same pressure tactics and are often combined with phishing, payment fraud, and identity theft.

Remove the FBI Virus with Malwarebytes (Recommended)

The most effective way to remove an FBI virus infection is to scan your device with a trusted anti-malware tool. We recommend using Malwarebytes because it specializes in removing ransomware, adware, browser hijackers, and potentially unwanted programs. Manual removal may not detect hidden files or startup entries, so using an automated scanner is the safest option.

Follow these steps to remove the FBI virus using Malwarebytes:

  1. Download Malwarebytes and save the installer to your Downloads folder. Double-click it to begin installation.
  2. Follow the on-screen instructions to install Malwarebytes on your Windows device.
  3. Select whether you are installing Malwarebytes for personal or business use and click Next.
  4. You may be offered Malwarebytes Browser Guard. You can add it or skip this step.
  5. Once installation is complete, open Malwarebytes and click Get Started.
  6. If using the free version, you will receive a trial of Malwarebytes Premium. After the trial ends, the program continues working as an on-demand scanner.
  7. From the dashboard, click Scan. Malwarebytes will check memory, startup items, registry entries, and files for ransomware and related threats.
  8. Wait for the scan to complete. This may take several minutes.
  9. When the scan finishes, review the detected threats and click Quarantine to remove them. You may be prompted to restart your computer.
  10. After rebooting, Malwarebytes may run additional checks to confirm your system is clean.

Manual Removal for Windows

If you still have access to your desktop or are dealing with a browser-based FBI scam, these manual steps can help you remove unwanted components. Manual removal should be followed by a Malwarebytes scan to ensure no hidden remnants remain.

Step 1. Uninstall suspicious programs

  1. Right-click Start and select Installed apps or Apps and Features.
  2. Sort by install date to locate recent additions.
  3. Uninstall programs you do not recognize or that were installed around the time the lock screen appeared.

Step 2. Remove browser notifications from fake FBI sites

  • Chrome: chrome://settings/content/notifications
  • Edge: Settings > Cookies and site permissions > Notifications
  • Firefox: Settings > Privacy and Security > Permissions

Step 3. Remove unwanted browser extensions

  • Chrome: chrome://extensions
  • Edge: Settings > Extensions
  • Firefox: about:addons

Step 4. Restore your default search engine

Restore Google, DuckDuckGo, or your preferred provider.

Step 5. Reset browser settings if symptoms continue

  • Chrome: chrome://settings/reset
  • Edge: Settings > Reset settings
  • Firefox: Help > More Troubleshooting Information > Refresh Firefox

Step 6. Clear cookies and site data

Remove cached FBI scam pages and redirects by clearing cookies and browsing data.

Step 7. Delete temporary files

Remove temporary files that may contain scripts or installers.

Advanced Checks for Persistent Issues

If you still see warnings or redirects, perform these advanced checks:

Check browser shortcuts

Right-click your browser shortcut and ensure the Target field contains only the browser executable path.

Check Windows hosts file

Inspect C:\Windows\System32\drivers\etc\hosts for unwanted entries.

Check proxy and DNS settings

Ensure no unexpected proxies or DNS servers are configured.

Check Chrome policies

Visit chrome://policy to see if malware has enforced settings.

Review Task Scheduler

Look for tasks that launch unknown executables.
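
The checks above can be gathered in one read-only pass. The following PowerShell is an added example, not part of the original guide; the shortcut folders, the registry locations for proxy and Chrome policy, and the list of user-writable paths used to flag scheduled tasks are assumptions of this example, and it needs Windows 8 or later for Get-DnsClientServerAddress and Get-ScheduledTask.

```powershell
# Read-only audit of the five advanced checks. Nothing is changed; review each row by hand.
$findings = @()

# 1. Browser shortcuts: report any arguments appended after the browser executable.
$shell = New-Object -ComObject WScript.Shell
$linkDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
)
foreach ($file in Get-ChildItem -Path $linkDirs -Filter *.lnk -ErrorAction SilentlyContinue) {
    $lnk = $shell.CreateShortcut($file.FullName)
    if ($lnk.TargetPath -match '(chrome|msedge|firefox)\.exe$' -and $lnk.Arguments) {
        $findings += [pscustomobject]@{ Check = 'Shortcut'; Item = $file.FullName; Detail = $lnk.Arguments }
    }
}

# 2. Hosts file: a default Windows hosts file holds only comments, so list every active line.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
foreach ($line in Get-Content -Path $hostsPath) {
    if ($line -match '^\s*[^#\s]') {
        $findings += [pscustomobject]@{ Check = 'Hosts'; Item = $hostsPath; Detail = $line.Trim() }
    }
}

# 3. Proxy (per-user Internet Settings) and the DNS servers set on each interface.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey
if ($inet.ProxyEnable -eq 1 -or $inet.AutoConfigURL) {
    $detail = "ProxyServer=$($inet.ProxyServer); AutoConfigURL=$($inet.AutoConfigURL)"
    $findings += [pscustomobject]@{ Check = 'Proxy'; Item = $inetKey; Detail = $detail }
}
foreach ($dns in Get-DnsClientServerAddress -AddressFamily IPv4) {
    if ($dns.ServerAddresses) {
        $findings += [pscustomobject]@{ Check = 'DNS'; Item = $dns.InterfaceAlias; Detail = ($dns.ServerAddresses -join ', ') }
    }
}

# 4. Chrome policies: the same settings chrome://policy shows, read from the registry.
foreach ($root in 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKCU:\SOFTWARE\Policies\Google\Chrome') {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in @(Get-Item $root) + @(Get-ChildItem $root -Recurse)) {
        foreach ($name in $key.Property) {
            $findings += [pscustomobject]@{ Check = 'ChromePolicy'; Item = $key.Name; Detail = "$name = $($key.GetValue($name))" }
        }
    }
}

# 5. Scheduled tasks whose action runs from a user-writable location (assumed heuristic).
$userWritable = '\\(AppData|Temp|ProgramData|Users\\Public)\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP)%'
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.Execute -match $userWritable) {
            $findings += [pscustomobject]@{ Check = 'Task'; Item = ($task.TaskPath + $task.TaskName); Detail = "$($action.Execute) $($action.Arguments)" }
        }
    }
}

$findings | Sort-Object Check | Format-Table -AutoSize -Wrap
```

Rows are leads to review, not verdicts: legitimate software also sets shortcut arguments, DNS servers, and tasks under AppData.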

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.

  • I was infected with yet another variant of this ransomware yesterday. Let me just say the first time I had it, I was able to remove it with a system restore while in safe mode w/ networking. The next time, I had to do it w/ safe mode via command prompt. Yesterday however the command prompt didn’t even work as the ransomware kicked in before I started typing anything. (It doesn’t matter if I typed in ‘explorer’ before the 2-3 seconds.) I was able to get to safe mode w/ networking but this time I logged in as Administrator and did a system restore. My point is every time I get this virus it is removing options to recover.

  • I was fortunate enough to have another user on my computer and downloaded the Malwarebytes program and it seems to have worked. Since I’m leaving a comment from my user, ya think it’s alright? I’m not really good with computers. Any input would be appreciated.

    • Run a full system scan using Malwarebytes, you can also try free Antivirus scanners suggested on this page.

      Also, search for any files listed on this page related to the infection.

      If nothing is detected or located, that’s a good sign.

      If you are using Malwarebytes software and would like to know more about the infection from their standpoint, feel free to contact their support team. They are always happy to assist.

  • I seriously almost had a panic attack when the screen popped up. I was dead scared and didn’t know what to do but as soon as I saw everyone’s comments here I felt so much better. It took me the longest time to find where to reset the computer to a previous time but as soon as I found it the whole thing took less than a minute. So happy for this. Really quick and easy.

  • Thanks for this excellent article, it’s the best I have seen. My surfing account was infected on Dec. 11 but my admin account was not affected (never surf with admin rights!) and I was able to delete the infected account and then recreate it (using the option to keep the account’s files); this broke the virus. There was no cftmon in my case, but a random-named exe and some flash updates, all loaded into AppData\Local\Temp at the time 2:37 PM of the intrusion.

    The virus attacks immediately, which makes it vulnerable as the rogue exe can be found by searching for *.exe and then deleting it using the admin account.

    What alarms me is this. The exe inherits the privilege of the infected account. How was it able to disable McAfee? How was it able to prevent rebooting in safe mode in my case? And how was it able to prevent Restore, run from the admin account, from initializing? This suggests a (to me) unknown vulnerability in 64-bit Win-7. Fortunately, no virus so far seems to be capable of privilege escalation, but this trojan was doing more than should have been possible.

  • 1. FIRST OF ALL, let me reiterate, even though others have said it on this thread before, that the perpetrators of this virus are SCAMMERS who do NOT represent the FBI or any other government agency!!!! You should NEVER try to get rid of this virus by paying any amount of money through Moneypak as instructed by the scammers in the “FBI” popup window.
    Which brings me to…
    How To Remove The FBI Virus In Ten Minutes — Five Easy Steps (This works with any variant or version of the FBI Virus or FBI Moneypak Virus) —
    Step One (1) — UNPLUG YOUR NETWORK CABLE FROM YOUR PC (or temporarily disable your wireless connection) after powering down your PC. THIS IS THE KEY STEP, since the FBI popup window the virus uses to lock up your PC cannot activate without an online connection.
    Step Two (2) — Power up your PC with the network still disabled, and boot to Windows as usual. Ignore any warnings about loss of internet/network connection.
    Step Three (3) — Go to the “System Restore” utility that comes with every Windows PC (In my Win XP system, it was under “Start”, then “Programs”, then “Accessories”, then “System Tools”, then “System Restore”).
    Step Four (4) — In the “System Restore” utility, select “Restore My Computer To An Earlier Time”, then click “Next”. On the next screen, select the “System Checkpoint” for the day before the virus showed up on your PC. If you are not sure when the virus first showed up, select a date that is several days before you first noticed the virus. (NOTE: The PC automatically creates at least one “System Checkpoint” per calendar day.) Click Next, then click next again to confirm your selected “Restore Point”. This will delete anything that was added or altered on your PC after the selected “Restore Point”, INCLUDING ANY TRACE OF THE VIRUS!!
    Step Five (5) — As the System Restore utility reboots your PC, plug your network cable back into your PC (or restore your wireless connection). Your PC should then reboot and begin functioning as usual.

  • Downloaded Malwarebytes, just got virus. My computer works, but I keep getting a popup in the bottom right hand corner saying Malwarebytes blocked access to a potentially harmful webpage blah blah blah….svchost.exe. Happens every minute or so. How do I get rid of this trojan svchost.exe? I have run a full scan. Please let me know if anyone else has had this problem and how to get rid of it.

  • Got this virus Wednesday morning. Wife called me at work and told me our son caught it on her PC. When I came home that evening I read it and knew right away it was a hoax. It even had the “FBI song” running through our speakers. I tried to reboot into safe mode without any success. I wish I would have seen this site before. But my solution was I was fortunate to have another spare hard drive available. So I unplugged the infected drive and installed a complete OS on that drive.

    Once I got everything up and running I made sure I had AVG installed and ZoneAlarm before I hooked up the infected drive to copy my data files. I made sure I scanned everything before I moved it over. Afterwards I just nuked the drive with a hard drive eraser.

    What concerns me was that I was running AVG 2013 (free) and Malwarebytes.

    Personally if I could find the POS that created this virus I would cut off his fingers with a pair of tin snips. (dull ones at that one at a time)

  • What I personally did to stop the FBI moneypak:
    Start computer, hit F8 in the beginning
    selected safe mode with command prompt
    waited, then signed into my account
    *then immediately entered “explorer” without quotes and hit Enter (do this within 3 seconds)
    then clicked start at the bottom left, then clicked the folders: windows, then system32, restore
    then click the rstrui file
    Choose a system restore point to a time that was before FBI moneypak

    If this worked for me it will probably work for you. Thank you for the guide.

  • ‘FBI’ version on my computer does not allow me to get past ‘safemode’
    and typing ‘rstrui.exe’ comes up as invalid entry.
    How can I get over this?

  • OMG so I was yes looking at fem joy. LOL I am an artist and to me it’s just beautiful bodies, some naked yes, but my laptop went into a frenzy…. started popping up porn, and bad porn that made me want to throw up. Then the FBI thing popped up, I flipped out as a mom of 6 on PTA and a gma thought I’d have the FBI at my door, lose my kids and go to jail. I could not get my laptop to shut down. I unplugged it, rebooted it, in tears…. ready for this, I called the local police. He said it was a virus. I told him scared the you know what out of me. I rebooted and went into safe mode. I am ok and safely on my laptop BUT NOT FUNNY!!! And I am embarrassed as all get out. Terrible virus and to think ppl probably pay this. Sad. Thank God I didn’t have to pay a ton of money to a PC man, no offense to those who make a living off this, I just don’t have the extra money. SO that’s my awful story. Yes I really thought the worst and thought I was going to jail for looking at fem joy LOL. I feel stupid…

  • Great Article. We have to remove the FBI moneypak virus all the time. This article definitely got us going in the right direction. Thanks Sean!!!

  • Maybe I was lucky, but I had what looked like the worst of the FBI Virus. Fortunately, I was able to start in Safe Mode, run CCleaner and use the Tools function to look at the Start items. There was one entitled Microsoft Update with a Russian source. I disabled it and rebooted. Windows 7 came up just fine and it looks like my programs work normally.

  • Great information here. I actually reformatted my computer and am now having to update everything. I did try to start up in safe mode but was still unable to do anything.

  • Update: Once in, I ran MalwareBytes again and found an infection. So cleaned that out and still working fine. Please let me know if this worked as well for you. Thanks.

  • Thank you so much! My son was using my computer when the virus popped up. He texted me begging me not to be mad, he was so scared. Lol. I yelled and told him to stay off my CPU, but I had no idea what it said, so I finally read it tonight and flipped a lid, I was so mad at him and was actually going to pay. Then I just prayed about it, after I decided to look up moneypak to see if I can purchase one online, and thank God this website popped up. You have saved my son and me, mainly you have saved him, lol. Thank you again. I’m sure he would thank you also.

  • How do you know if the virus is gone? I restarted my laptop and let it go through its usual start up. I don’t see and hear the FBI warning anymore. It’s been about an hour since it first came up. Is it gone or is it somewhere and I have to remove it still? Please help.

  • Seriously…thank you. Thanks for using your brain to do good for others than to use it to cause havoc and destruction. The virus popped up when my son was using the computer and he was terrified to tell me. You saved us both! Lol. Thanks for sharing your expertise and knowledge. Happy Thanksgiving to you and yours!

  • OMG I tried soooo many things. I can’t open safe mode so now I am about to cry. I GOT MY MOM’S COMPUTER BACK. If you can’t access safe mode then TURN OFF ETHERNET. My computer has a little switch at the bottom that turns off internet access so that it won’t connect to the internet. THAT’S HOW THE VIRUS SHUTS YOUR COMPUTER DOWN. Then I did step 3. Now I do daily scans for that virus to make sure it doesn’t come back. ASK ME IF YOU NEED HELP!!

  • THANK YOU SO MUCH! The system restore from safe mode worked fine. You are really awesome for doing this…very thoughtful to put these repair instructions up…not for money…just to be a good person. Thanks again

  • This totally works!!! I tried many youtube videos and have been trying for daysssssssssssss! I followed these simple steps and it removed the virus. I had 10 in my computer that I removed. If you have a flash drive, it was the best option. It took 5 minutes.

    I’m very, very pleased!

  • WOW!! I am amazed. Thank you for guiding me in the right direction. For I am not a computer savvy person at all. Quick and easy. Very helpful, thanks again. You literally saved my life!

  • This is the second time I got this virus. First time I started in safe mode command prompt and restored. This time it will not open in safe mode, it reboots every time I choose the safe mode option… any ideas??

  • Thanks a ton! When this got onto my computer, I was flipping out. The moment I got this I told my mom that we had to pay a fine. But being the calm person she is, she got us to this website and we fixed it. So thanks again. Where do I report the “Microsoft Employees”? Or who do I report them to?
