You can't access your PC, and instead see an image similar to the following:
detects and removes this threat.
This threat locks your PC and displays a full-screen message, commonly called a "lock screen".
It pretends to be from the FBI or a national police force and tries to scare you into paying a fine to unlock your PC.
See the Technical information tab for examples of the lock screen.
Typically, this threat gets on your PC when you visit a hacked webpage.
You can read more about this type of malware at the Ransom:Win32/Urausy family description or on our ransomware page.
Find out ways that malware can get on your PC.
Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will give you access to your files.
If you've already paid, see our ransomware page for help on what to do now.
Use the following free Microsoft software to detect and remove this threat:
You should also run a full scan. A full scan might find other, hidden malware.
To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
If you’re using Windows XP, see our Windows XP end of support page.
The trojan copies itself as cache.dat to the %APPDATA% folder.
It also changes the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe,%APPDATA%\cache.dat"
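A defender-side check for the registry change described above, as an added example that is not part of the original write-up: it flags any entry in a Winlogon "Shell" value other than the default explorer.exe. The function names and the sample profile path are constructed for illustration, C:\Windows is assumed as the default system root, and read_hkcu_shell only works on Windows.

```python
import ntpath
import re

WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

def expand(value, env):
    """Expand %VAR% references from a caller-supplied mapping (case-insensitive)."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), value)

def audit_shell_value(data, env=None):
    """Return every entry in a Winlogon Shell value that is not the default shell."""
    env = {k.upper(): v for k, v in (env or {}).items()}
    system_root = env.get("SYSTEMROOT", r"C:\Windows")  # assumed default location
    legit = {"explorer.exe", ntpath.join(system_root, "explorer.exe").lower()}
    extras = []
    for entry in data.split(","):
        path = expand(entry.strip().strip('"'), env)
        if path and path.lower() not in legit:
            extras.append(path)
    return extras

def read_hkcu_shell():
    """Read the live per-user Shell value (Windows only); None if it is absent."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, WINLOGON_KEY) as key:
            return winreg.QueryValueEx(key, "Shell")[0]
    except FileNotFoundError:
        return None

if __name__ == "__main__":
    # Constructed sample: the value data from this description, with a made-up profile path.
    sample_env = {"APPDATA": r"C:\Users\alice\AppData\Roaming"}
    sample = r"explorer.exe,%APPDATA%\cache.dat"
    for extra in audit_shell_value(sample, sample_env):
        print("Unexpected Winlogon shell entry:", extra)
```

On a Windows PC, pass the result of read_hkcu_shell() to audit_shell_value() when it is not None; any path it returns is a file to scan.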
Prevents you from using your PC
This threat displays a full-screen image that prevents you from accessing your PC. The image it shows depends on your PC's language locale.
Some of the images used by Urausy are in the Ransom:Win32/Urausy family description.
It downloads the image or webpage from a remote server.
The screen might appear similar to the following, which pretends to be a message from the Federal Bureau of Investigation (the FBI), Department of Defense, and USA Cyber Crime Center:
In the wild, we have observed this threat sending information about your PC to, and downloading the lock screen messages from, the URL fxvzi.ru.
We have observed the threat using the legitimate payment and financial transfer service "Green Dot MoneyPak".
This provider is not affiliated with the people who have infected your PC with this trojan.
If you believe you are a victim of fraud involving Green Dot MoneyPak you should contact them as well as your local police or authorities.
The following Microsoft article has more advice:
Analysis by Zhitao Zhou
Take these steps to help prevent infection on your PC.