The “FBI virus” is one of the most well known ransomware scams ever distributed in the United States. It first appeared in 2012 as a full-screen lock screen that falsely claimed to be issued by the Federal Bureau of Investigation and demanded payment through MoneyPak vouchers. Botcrawl was among the first publications to document this threat and publicly identify it as the “FBI virus” or “FBI MoneyPak virus.” As the campaign spread, it became one of the most widely searched ransomware infections in the country. While the original malware variants are no longer widespread, FBI-themed scams and lock screens continue to resurface in modern forms, including browser lockers, online extortion schemes, and mobile ransomware.

Although the original FBI MoneyPak ransomware relied on prepaid vouchers and basic screen-locking techniques, the core social engineering strategy behind it has remained largely unchanged. Modern versions of the FBI virus no longer need to fully lock a device to intimidate victims. Instead, they exploit fear through browser-based lock screens, fake law enforcement warnings, phishing emails, malicious advertisements, and scam websites designed to pressure users into paying fabricated fines, surrendering personal information, or installing additional malware. These newer schemes often appear more polished, use updated branding, and target both desktop and mobile users, allowing the threat to persist long after the original campaign faded.

This article traces the FBI virus from its earliest ransomware campaigns to the modern scams modeled after it. It explains how the original FBI MoneyPak malware operated, how its tactics evolved over time, and how to remove FBI-themed malware and lock screens using modern security tools. It also examines how early law enforcement impersonation schemes influenced today’s ransomware and extortion tactics, along with practical steps to protect devices from current file-encrypting attacks and fake authority warnings.
What is the FBI Virus?
The FBI virus was a type of ransomware that locked a user out of their computer and displayed a fake warning claiming to be from the Federal Bureau of Investigation. The message accused victims of viewing illegal content or violating federal law and demanded a fee to unlock the device. Payments were commonly requested through prepaid voucher systems such as MoneyPak, Ukash, Paysafecard, or Reloadit.
The FBI virus was one of the earliest widespread ransomware families in the United States. Instead of encrypting files like modern ransomware, it restricted access to the entire desktop and prevented the user from accessing Windows until a fake fine was paid. The goal was simple intimidation. Many victims complied out of fear, especially when the message displayed their location, IP address, or webcam feed.
Although the original FBI virus has faded, scammers still use FBI branding to scare users through browser pop-ups, online extortion messages, and fraudulent phone calls. These threats use modern tactics but rely on the same psychological pressure as the original ransomware.
How the FBI Virus Spread
The original FBI virus spread through many of the same infection techniques used by malware today. These included:
- Exploit kits that delivered ransomware when a victim visited an infected website
- Malicious email attachments disguised as invoices or notices
- Drive-by downloads from compromised sites and ads
- Fake software updates that installed ransomware instead of legitimate updates
- Bundled installers combined with pirated software or fake media players
Exploit kits were particularly effective at the time because many users were still on outdated versions of Java, Flash Player, and Internet Explorer. A single visit to a compromised site could trigger an automatic ransomware installation.
Symptoms of the FBI Virus
Most victims of the FBI virus experienced obvious symptoms such as a full screen lockout. However, related scams can behave differently today. Common symptoms include:
- A full screen window displaying an FBI message
- Loss of access to the desktop
- Keyboard shortcuts disabled
- Webcam activates without permission
- New browser tabs forcing an FBI warning
- Pop-ups claiming your device is under investigation
- Unexpected redirects to law enforcement-themed pages
If you encounter any of these symptoms, your device may be compromised by a lock screen Trojan, browser hijacker, or scam website script.
Modern Variants and Related Threats
Although the original ransomware family is obsolete, modern threats continue to use FBI branding. These include:
- FBI browser lockers that freeze a browser tab with a fake FBI warning
- FBI phone scams where scammers call victims pretending to be agents
- FBI email scams that threaten legal action unless payment is made
- Mobile ransomware on Android that locks the screen with FBI logos
- Fake security alerts that redirect users to tech support scams
These threats do not function like the original ransomware, but they use the same pressure tactics and are often combined with phishing, payment fraud, and identity theft.
Remove the FBI Virus with Malwarebytes (Recommended)
The most effective way to remove an FBI virus infection is to scan your device with a trusted anti-malware tool. We recommend using Malwarebytes because it specializes in removing ransomware, adware, browser hijackers, and potentially unwanted programs. Manual removal may not detect hidden files or startup entries, so using an automated scanner is the safest option.
Follow these steps to remove the FBI virus using Malwarebytes:

- Download Malwarebytes and save the installer to your Downloads folder. Double-click it to begin installation.

- Follow the on-screen instructions to install Malwarebytes on your Windows device.

- Select whether you are installing Malwarebytes for personal or business use and click Next.

- You may be offered Malwarebytes Browser Guard. You can add it or skip this step.

- Once installation is complete, open Malwarebytes and click Get Started.

- If using the free version, you will receive a trial of Malwarebytes Premium. After the trial ends, the program continues working as an on-demand scanner.

- From the dashboard, click Scan. Malwarebytes will check memory, startup items, registry entries, and files for ransomware and related threats.

- Wait for the scan to complete. This may take several minutes.

- When the scan finishes, review the detected threats and click Quarantine to remove them. You may be prompted to restart your computer.

- After rebooting, Malwarebytes may run additional checks to confirm your system is clean.
Manual Removal for Windows
If you still have access to your desktop or are dealing with a browser-based FBI scam, these manual steps can help you remove unwanted components. Manual removal should be followed by a Malwarebytes scan to ensure no hidden remnants remain.
Step 1. Uninstall suspicious programs
- Right-click Start and select Installed apps or Apps and Features.
- Sort by install date to locate recent additions.
- Uninstall programs you do not recognize or installed around the time the lock screen appeared.
Step 2. Remove browser notifications from fake FBI sites
- Chrome: chrome://settings/content/notifications
- Edge: Settings > Cookies and site permissions > Notifications
- Firefox: Settings > Privacy and Security > Permissions
Step 3. Remove unwanted browser extensions
- Chrome: chrome://extensions
- Edge: Settings > Extensions
- Firefox: about:addons
Step 4. Restore your default search engine
Restore Google, DuckDuckGo, or your preferred provider.
Step 5. Reset browser settings if symptoms continue
- Chrome: chrome://settings/reset
- Edge: Settings > Reset settings
- Firefox: Help > More Troubleshooting Information > Refresh Firefox
Step 6. Clear cookies and site data
Remove cached FBI scam pages and redirects by clearing cookies and browsing data.
Step 7. Delete temporary files
Remove temporary files that may contain scripts or installers.
Advanced Checks for Persistent Issues
If you still see warnings or redirects, perform these advanced checks:
Check browser shortcuts
Right-click your browser shortcut and ensure the Target field only contains the browser executable path.
Check Windows hosts file
Inspect C:\Windows\System32\drivers\etc\hosts for unwanted entries.
Check proxy and DNS settings
Ensure no unexpected proxies or DNS servers are configured.
Check Chrome policies
Visit chrome://policy to see if malware has enforced settings.
Review Task Scheduler
Look for tasks that launch unknown executables.
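The advanced checks above can be collected in one read-only pass. The PowerShell below is an added example, not part of the original guide; it reads standard Windows and Chrome policy locations, and the list of shortcut folders and browser executable names is an assumption chosen for illustration.

```powershell
# Added example: read-only triage of the "Advanced Checks" items. Changes nothing.

# Hosts file: active entries other than the plain localhost mappings.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsEntries = Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
    ForEach-Object { ($_ -replace '#.*$', '').Trim() } |
    Where-Object { $_ -and $_ -notmatch '^(127\.0\.0\.1|::1)\s+localhost$' }

# Per-user proxy settings (the system proxy that Chrome and Edge use by default).
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL

# DNS servers configured per network interface.
$dns = Get-DnsClientServerAddress -ErrorAction SilentlyContinue |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# Registry-based Chrome policies, which chrome://policy displays.
$policies = foreach ($root in 'HKLM:\SOFTWARE\Policies\Google\Chrome',
                              'HKCU:\SOFTWARE\Policies\Google\Chrome') {
    if (Test-Path $root) {
        foreach ($key in @(Get-Item $root) + @(Get-ChildItem $root -Recurse)) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ Key = $key.Name; Name = $name; Value = $key.GetValue($name) }
            }
        }
    }
}

# Scheduled tasks outside the \Microsoft\ folder, with the command each one runs.
$tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        foreach ($action in $_.Actions) {
            if ($action.Execute) {
                [pscustomobject]@{ Task = $_.TaskPath + $_.TaskName
                                   Execute = $action.Execute; Arguments = $action.Arguments }
            }
        }
    }

# Browser shortcuts whose Target carries arguments (folder list is an assumption).
# Some arguments are legitimate, e.g. a profile switch; an appended URL is not.
$shell = New-Object -ComObject WScript.Shell
$lnkDirs = 'Desktop', 'CommonDesktopDirectory', 'Programs', 'CommonPrograms' |
    ForEach-Object { [Environment]::GetFolderPath($_) }
$lnkDirs += Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar'
$shortcuts = Get-ChildItem -Path $lnkDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $shell.CreateShortcut($_.FullName) } |   # opens the .lnk; never saved
    Where-Object { $_.TargetPath -match '(chrome|msedge|firefox)\.exe$' -and $_.Arguments } |
    Select-Object FullName, TargetPath, Arguments

'== Hosts entries ==';          $hostsEntries
'== Proxy ==';                  $proxy     | Format-List | Out-String
'== DNS servers ==';            $dns       | Format-Table -AutoSize | Out-String
'== Chrome policies ==';        $policies  | Format-Table -AutoSize -Wrap | Out-String
'== Non-Microsoft tasks ==';    $tasks     | Format-Table -AutoSize -Wrap | Out-String
'== Browser shortcuts (args)=='; $shortcuts | Format-List | Out-String
```

Empty sections mean nothing was found in that location; any entry that does appear still needs to be judged by hand, since VPN clients, ad blockers, and managed devices legitimately set several of these values.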
For more malware removal guides and cybersecurity alerts, visit our latest updates in the malware category.


Thank you for the instructions! I used the steps in the forum for creating accounts
sean you are really hot <3
Thank you so much!! It worked !
Thank you for the tutorial on how to get rid of the FBI ransom ware. My 17 year old son was trying to download an application on his laptop at what he thought was a Boy Scout affiliated website and got the ransom ware instead. I had heard of it at work but couldn’t remember how to get rid of it. Now I’d just like to figure out who developed it and bring them to justice by which I mean put a bullet in their worthless head. Thanks again.
Thank you for providing this valuable information. Restoring from safe mode helps
I figured out the System Restore in Safe Mode method myself, but it’s good to see a confirmation here that it did remove the threat entirely.
You guys are awesome! Already had that malware once but this time it was waay harder to get away. Thanks for all those different methods
Good God, you should get an award or something for this free and thorough guide. I thought I had to buy another laptop, you completely saved me. Many thanks!
Thank you soooo much!!!!!
Opening with command prompt and typing explorer is what saved me. Holy crap this was a nasty bug. It forced me to shut down in regular safe mode.
I finally managed to enter rstrui.exe at the command prompt and restored system. THANK YOU!!
Tried Malwarebytes free version which worked in about 15 minutes. I’ll gladly pay the $25 scan regularly.
instead of going to safe mode select System Restore. Restore it to a day+ before the problem started to occur. That worked for me.
I bet all you people that did download child porn just about crapped your pants
Finally I am able to fix it …
I was affected couple of days ago and it was so annoying, as I was not able to run any anti-virus, as it shows white screen and nothing can be done.
Luckily I have 2 user accounts (admin and Guest), From guest account I provided access to admin files ..like c:/users/admin_acct/appdata and local , roaming, temp all locations as provided as solution 2 above
Then I ran malwarebytes from guest acc, it deleted all malware in admin account and I am done
It’s no point blaming the FBI for infecting their computer with such ransomware that disguises itself as FBI, whether it is FBI Anti-Piracy Warning or similar. The FBI has been aware for a long time, and yet it is still evolving. It’s one thing to keep the anti-malware and anti-virus solutions updated as well as operating system security updates to prevent infections.
How long should the system restore take after the safe mode command prompt boot up to remove this disgusting virus…
This is the second time we got it but this time it displayed child porn thumbnail pics!!! I was having a seizure trying to get away from it!!! I hope whoever is responsible for this slop finds forgiveness a higher power – they’re not getting it in this life! So sick and tired of this hacking crap – can’t get a real job!
I had this virus on Windows XP and this virus did not function unless it was connected to the internet. I started my AVG anti virus to download updates and then connected to the internet. AVG picked it up right away and I was able to expel it.
Thank you. I had hard time with this virus, until I found your post. After I could reach explorer was easy pie.
I’M STILL SOMEWHAT OF A COMPUTER DUMMY
I BOUGHT A NEW COMPUTER PLANNIN TO GIVE OLD ONE TO MY BROTHER
WHEN I GET THIS VIRUS PACK ON HIS COMPUTER
AFTER SCANNIN AND LOOKIN FOR VIRUS REMOVAL
AFTER 2 FAILURES
YOUR ADDRESS CAUGHT MY EYE
WAS ABLE TO REACH SYSTEMS RESTORE
COMPUTER SCREEN/TOOLBARS CAME BACK ON
EVERYTHING LOOKS GOOD I’M GONNA DOWNLOAD
ANTIVIRUS NOW
THANK YOU VERY MUCH
SINCERELY STEVE
turn off your damn caps lock.
Excellent suggestion. It was very useful. Thanks a lot.
Thank you!! I was freaking out!
“Malware has blocked and quarantined a treat.” Beautiful!
THANK YOU THANK YOU THANK YOU!!! I was able to get in through safe with command and do a system restore. Should I still go back and do a check for manual removal?
Thank you! I just got this FBI virus and you’ve just saved me! THANK YOU SO MUCH
I solved mine in a way I haven’t read about.
In Windows 7 I wasn’t able to get into safe mode (endless boot loop), and was almost completely locked out in regular mode. I had the ransom page displayed in full screen. Ctrl+Alt+Del brought up the normal screen, but task manager would not work.
Out of frustration I started clicking the links on the ransom page just so I could see something different (how much worse could it get?) I believe the key was clicking on the email link at the bottom of the page (you’ll see why later). I hit Ctrl+Alt+Del -> Shut Down to make my next attempt at a new strategy. When I did, the shut down hung up asking if I wanted to force Outlook to close. Apparently hitting the email link had launched Outlook in the background. I IMMEDIATELY hit CANCEL when Windows asked if I would like to force Outlook to close before Windows had a chance to close it and continue the shut down. The shutdown stopped, but the virus processes had already ended in prep for shutdown. I had my computer back, but still had to remove the virus with MalwareBytes.
I hope this can help someone else.
thanks a lot!
YOU PERVERTS!! ALL OF YOU!! and me too….
I don’t know how to thank you. so far it worked with system restore. My malaware for some reason was off. thank you again
The system restore procedure worked. Thank you very much!!
I wonder how many people fell for this, and how much money the person made…
Omg THANK YOU
Did the restore, thank you so much. It’s great to have people like you for help, you’re a lifesaver. It worked great to get rid of it. My uncle also thanks you since it was his computer I fixed with ur help
This site was a real lifesaver for us. We were able to remove the virus using the system restore suggestion. Will be getting some anti malware for sure. Thanks again…
excellent explanations…corrected problem. Thank you
I booted up with “enable VGA mode”. The FBI virus initially blocked everything. I left it running without doing anything for about 15 minutes; magically the FBI disappeared and I was able to use system restore. The screen layout was distorted but still workable. Hope this will work for you too.
Thanks for the guide..found this on my dad’s laptop, he really doesn’t know about computers (neither do I) but I’m on the internets a lot more and knew this was probably a virus with a quick fix. He was about to take it to the computer shop tomorrow and gave me $$ for removing it
Thank you so much for the help!!! i was so scared!!
I must have a newer version of the malware as the version i had disabled the ability to restart in safe mode. if you tried, you get the blue screen. So here is what worked for me…
Once i disabled my internet I was able to get on to my pc pretty easily. you have a few options here depending on how you connect. If you have a desk top, just unplug the network cable. Some laptops have a switch on the outside that you can just turn the network off, but others you might have to disconnect your router or modem.
now that you no longer have an internet connection, turn on your computer and all should seem normal. it seems to be tricked some way by not having an internet connection (or i should say this was my experience).
i went into control panel and created a new user with admin privileges. i then restarted the computer and logged in on the new account i just created. all seems to be fine. I restored the internet connection and then went to malwarebytes.org and downloaded the free version(when you install uncheck the trial of the pro version). after you install, run the update so you have the latest definition files and run a Full scan on your computer. after the scan is done, let it repair the files it has identified.
i then turned the internet connection off again and restarted the computer. When it came back up, i logged on under the original account and ran Malware bytes that was installed from the other account (it will appear on both). it found a few more trojans which I removed after the scan was complete. Your computer will restart after it removes the trojans. Everything seems normal now, so i deleted the second account that was created above.. good luck with this nasty malware..
Tom, great comments, worked perfectly for me. Thank you very much. Best regards.
Seems to have worked so far! Your info was the only thing that has let me do anything so far!
I was able to download Malwarebytes, but now every second a notice pops up that says the program has blocked & quarantined a threat svchost.exe Trojan.Agent – does this ever stop or will the Virus continue to try and attach my computer?
There is a way to stop that, contact Malwarebytes Support for that
Thx for guide I seriously almost cried when this fbi thing popped up
The only way I could get rid of the virus was to start-up in safe mode with command prompt and run malwarebytes from the command line.
I got the virus today (Dec. 27). Perhaps it is a new/nastier version. In safe mode and safe mode w/networking, I get a blank white screen within a few seconds of windows booting up. I already have malwarebytes on my computer and can try to activate it, and believe it starts, but almost immediately the white screen comes up and I can’t do or see anything. Note that it is just a blank white screen, without the FBI scam verbiage. When I power down, just before the machine turns off, the white screen disappears, and I can see my desktop.
I can get the task manager option screen with
, but no matter what option I take, it just puts me back to the blank white screen.
I tried the system restore option via the command prompt. It did not work as expected, but eventually (somehow) I got the user interface to open and I selected a restore point from a few days ago. After a considerable amount of time running, the system restore failed due to lack of memory space (not sure if that is legit or nonsense from the virus).
Any help is appreciated.
Thank You so much downloaded software already and read about the restore option so i will try it tomorrow.
A new computer virus which claims you have violated copyright laws is making the rounds. This type of virus is known as ransomware because it locks your computer and demands a payment to unlock it. What should you do if you become a victim of this virus? First, don’t pay the “fine.” Second, you can take your computer to a repair service or if you feel more technically inclined you can attempt to remove the virus yourself. http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/
I did a system restore and it worked perfectly! I was in a panic for an hour before I tried this.
if u do pay the £100 what do u do then?
Malware may still be running in the background. You can contact Green Dot (Moneypak), or whomever you used to pay the fine… I have heard some of them have offered refunds (don’t quote me though).
Suggestions:
- Run a full-system scan with reputable Antivirus (or AM) software.
- Perform a System Restore to a date and time before infection.
Hope this helps!
I deleted the account that had the virus and ran a scan and the virus didn’t show up, am i safe?
the virus only affects one account when i deleted the account i also deleted the files on the account
I can’t technically say yes, but you should be fine.
Make sure you run a full-system scan with reputable Antivirus (or AM) software that has experience removing this particular infection.
It took me about 5 minutes to “remove” this, just got it 10 mins ago, system restore to a restore point I had made and bam. Now to see if my Empire total war saves got saved as well…
Thank you very much