What is ##_POLICJA__TEN_PLIK_ZOSTA ransomware? And how does it execute its attack?
##_POLICJA__TEN_PLIK_ZOSTA ransomware is data-encrypting malware and a new variant of Jigsaw ransomware. It closely resembles the previous Jigsaw variants, differing only in the ransom note and the extension it uses. Judging by its ransom note, it appears to target users in Poland.
Once it executes, it drops its malicious payload on the system, which establishes a connection to a remote server controlled by the attackers and downloads its malicious components from that server. These components are then used to keep the crypto-virus from being detected by any program that might hinder its attack. It then modifies an existing entry and creates new ones in the Windows Registry in order to achieve persistence. After that, it uses the same encryption algorithm to lock its targeted data. Once the files are inaccessible, it appends the “.##_POLICJA__TEN_PLIK_ZOSTA” extension, which marks the files as locked. It then displays its ransom note, written in Polish, stating:
“UWAGA, UWAGA!!! Tu komenda wojewódzka policji, wydział ds. cyberbezpieczeństwa
WSZYSTKIE PLIKI OSOBISTE Z TEGO KMPUTERA ZOSTAŁY ZABLOKOWANE I ZABEZPIECZONE
W CELU ZWERYFIKOWANIA LEGALNOŚCI POSIADANYCH PRZEZ PAŃSTWA PLIKÓW!
Nasze systemy monitorujące bezpieczeństwo w sieci wykryły po raz kolejny
masowe rozprzestrzenianie złośliwego oprogramowania, badź treści
pornograficznych z udziałem osób nieletnich!!!
w Polskim prawie są to bardzo ciężkie przestępstwa, za które grozi
kara pozbawienia wolności nawet do lat 12-stu!!!
Zdajemy sobie sprawę z tego, że pliki osobiste mogą być potrzebne Państwu,
w każdym momencie, dlatego dajemy Nam 100-procentową gwarancję odblokowania ich, ale
wyłącznie po opłaceniu grzywny w BTC (BITCOIN) na rzecz Fundacji **Polsat**!!!
w przypadku nie dokonania płatności w ciągu 3 dni wszystkie zablokowane pliki
zostaną definitywnie usunięte z dysku!!!!!!
Nie wyłączaj komputera przed dokonaniem płatności, gdyż wtedy automatycznie
usunę permanentnie 1000 plików!!!
Czas podjąć decyzję…”
Here’s a rough English translation of the ransom note:
“ATTENTION, ATTENTION!!! This is the provincial police headquarters, cybersecurity division.
ALL PERSONAL FILES ON THIS COMPUTER HAVE BEEN BLOCKED AND SECURED
IN ORDER TO VERIFY THE LEGALITY OF THE FILES YOU POSSESS!
Our network security monitoring systems have once again detected
the mass distribution of malicious software, or of pornographic
content involving minors!!!
Under Polish law these are very serious crimes, punishable by
imprisonment of up to 12 years!!!
We are aware that you may need your personal files
at any time, which is why we give a 100% guarantee of unlocking them, but
only after the fine is paid in BTC (BITCOIN) to the **Polsat** Foundation!!!
If payment is not made within 3 days, all blocked files
will be permanently deleted from the disk!!!!!!
Do not turn off your computer before making the payment, because then
I will automatically and permanently delete 1000 files!!!
Time to make a decision…”
How does ##_POLICJA__TEN_PLIK_ZOSTA ransomware proliferate?
##_POLICJA__TEN_PLIK_ZOSTA ransomware proliferates using the same method other Jigsaw variants use: spam emails. The malware-laden email will try to convince you that the attached file is important and urgent, so that you open it. If you see such an email, get rid of it right away, as it contains the malicious payload of ##_POLICJA__TEN_PLIK_ZOSTA ransomware.
Eliminating ##_POLICJA__TEN_PLIK_ZOSTA ransomware is not an easy task, so use the following removal guide as a reference for successful removal.
Step 1: Tap Ctrl + Shift + Esc keys to launch the Task Manager.
Step 2: Go to Processes and look for the malicious processes of ##_POLICJA__TEN_PLIK_ZOSTA ransomware. Note that these processes usually take up most of the CPU power, so once you see an unusual process, right-click on it and select End Process or End Task.
Step 3: Close the Task Manager and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 4: Look for dubious programs that might be related to ##_POLICJA__TEN_PLIK_ZOSTA ransomware and then uninstall them.
Step 5: Tap Win + E to launch File Explorer.
Step 6: After opening File Explorer, navigate to the following directories below and look for the malicious components of ##_POLICJA__TEN_PLIK_ZOSTA ransomware and then remove them all.
Step 7: Close the File Explorer.
Before you proceed to the next steps, make sure you are tech-savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will have a significant impact on your computer. To save yourself the trouble and time, you can just use [product-name]; this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step 8: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 9: Navigate to the listed paths below and look for the registry keys and sub-keys created by ##_POLICJA__TEN_PLIK_ZOSTA ransomware.
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
Step 10: Delete the registry keys and sub-keys created by ##_POLICJA__TEN_PLIK_ZOSTA ransomware.
Step 11: Close the Registry Editor.
Step 12: Empty your Recycle Bin.
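Before deleting anything in Step 10, it helps to back up the two keys from Step 9 and list what they currently hold. The following PowerShell is an added example, not part of the original guide; the backup folder on the Desktop is an assumption, and the script only reads the registry.

```powershell
# Added example: read-only snapshot of the two keys named in Step 9.
# Nothing is modified or deleted; run it in the affected user's session.
$keys = @(
    'HKEY_CURRENT_USER\Control Panel\Desktop',
    'HKEY_USERS\.DEFAULT\Control Panel\Desktop'
)

# Assumption: backups are written to a new timestamped folder on the Desktop.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path ([Environment]::GetFolderPath('Desktop')) "registry-backup-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$rows = foreach ($key in $keys) {
    $psPath = "Registry::$key"
    if (-not (Test-Path -LiteralPath $psPath)) {
        Write-Warning "Key not found: $key"
        continue
    }

    # Full backup of the key; 'reg import <file>' restores it if an edit goes wrong.
    $file = Join-Path $outDir (($key -replace '[\\ .]+', '_') + '.reg')
    & reg.exe export $key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg export failed for $key" }

    $item = Get-Item -LiteralPath $psPath

    # Every value with its type and raw data, for review before Step 10.
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Key  = $key
            Item = if ($name) { $name } else { '(Default)' }
            Kind = $item.GetValueKind($name)
            Data = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        }
    }
    # Sub-keys are listed too, since Step 9 asks for keys and sub-keys.
    foreach ($sub in $item.GetSubKeyNames()) {
        [pscustomobject]@{ Key = $key; Item = "$sub\"; Kind = 'SubKey'; Data = $null }
    }
}

$rows | Export-Csv -Path (Join-Path $outDir 'values.csv') -NoTypeInformation
$rows | Format-Table -AutoSize -Wrap
Write-Host "Backups and value list saved to $outDir"
```

Comparing the two keys' rows side by side makes entries that exist in only one of them easy to spot.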
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if ##_POLICJA__TEN_PLIK_ZOSTA ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore an encrypted file, right-click on it and select Properties. A new window will pop up; proceed to Previous Versions. It will load the file’s previous versions from before it was modified. After it loads, select any of the previous versions displayed on the list, and then click the Restore button.
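Whether Previous Versions can help depends on a shadow copy surviving from before the files were locked. The following PowerShell function is an added example, not part of the original guide. Its name and the default search root are assumptions, and it treats the last-write time of a locked file as the time it was encrypted.

```powershell
# Added example: read-only check for shadow copies older than the encryption.
# Run from an elevated PowerShell prompt; Win32_ShadowCopy needs admin rights.
function Test-ShadowCopyCoverage {
    param(
        # Extension as printed on this page; adjust if yours differs.
        [string]$Extension = '.##_POLICJA__TEN_PLIK_ZOSTA',
        # Assumption: only the current user's profile is searched.
        [string]$Root = $env:USERPROFILE
    )

    # 1. Inventory the locked files.
    $locked = @(Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name.EndsWith($Extension, [StringComparison]::OrdinalIgnoreCase) })
    if ($locked.Count -eq 0) {
        Write-Host "No files ending in '$Extension' under $Root"
        return
    }

    # 2. Earliest write time among them approximates when encryption started.
    $firstHit = ($locked | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    Write-Host ("{0} locked files; earliest written {1}" -f $locked.Count, $firstHit)

    # 3. Folders with the most locked files, to prioritise restores.
    $locked | Group-Object DirectoryName | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize

    # 4. Shadow copies that still exist on this machine.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    if ($shadows.Count -eq 0) {
        Write-Warning 'No shadow copies found (or the prompt is not elevated).'
        return
    }

    # 5. Only snapshots taken before the first locked write can hold clean versions.
    $shadows | Sort-Object InstallDate |
        Select-Object VolumeName, InstallDate,
            @{ Name = 'PredatesEncryption'; Expression = { $_.InstallDate -lt $firstHit } } |
        Format-Table -AutoSize
}

Test-ShadowCopyCoverage
```

If no row shows PredatesEncryption as True, Previous Versions will only offer copies made after the files were already locked.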
Once you’re done executing the steps given above, you need to continue the removal process of ##_POLICJA__TEN_PLIK_ZOSTA ransomware using a reliable program like [product-name]. How? Follow the advanced removal steps below.
Perform a full system scan using [product-code]. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot it.
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in the URL address, [product-url] in the Run dialog box and then tap Enter or click OK.
- After that, it will download the program. Wait for the download to finish and then open the launcher to install the program.
- Once the installation process is completed, run [product-code] to perform a full system scan.
- After the scan is completed, click the “Fix, Clean & Optimize Now” button.