The Mandiant USA Cyber Security Ransomware is a member of the Troj/Urausy ransomware family of screen locker computer infections. It’s an aggressive infection that so far has easily bypassed most reputable anti-virus utilities. We receive calls to remove this virus from infected computers very often. And from our hands-on observations out in the field, our clients appeared to have acquired the Mandiant USA Cyber Security Ransomware from legitimate websites that they were visiting that were either compromised or were simply displaying malicious advertisements from an advertising network. Many of the websites may continue to spread the ransomware infection unknowingly until someone either contacts the company that owns the website or the site administrator.
The Mandiant USA Cyber Security Ransomware claims to be part of a joint effort by the FBI, the Department of Justice, Interpol and also Mandiant USA Cyber Security to block computers that have been involved in illegal cyber activity. But it’s not affiliated with any such agencies or organizations. It’s just an illegal screen locker virus that’s attempting to con you out of your hard earned money with a few simple tricks. Once it has compromised your computer, it displays it's threatening message with a 48 hour countdown timer, while preventing you from accessing your applications, data files and also your system configuration settings.
To remove the Mandiant U.S.A. Cyber Security Ransomware from your computer, you'll need to download a few utilities on a clean computer and then transfer them to the infected computer via a burned cd/dvd or a flash drive. And you will also need to perform the removal of this ransomware from "Safe Mode with Command Prompt". Any attempts to remove the virus from standard “Safe Mode” or “Safe Mode with Networking” will be unsuccessful. Because once you log into your Windows account and the desktop is displayed, your computer will simply log you off and reboot.
To remove this ransomware you’ll need to download the software listed below on a clean computer and then transfer the files to the infected computer via a burned cd/dvd. You’ll also need an external usb flash drive. And just in case, since this is such an aggressive virus, you should also have your Windows installation disks close by to assist in replacing any damaged system files that the virus may have damaged. We usually haven’t needed the installation discs after removing this specific bootkit virus, but you should have access to them just in case.
The files you will need to download include:
- Hitman Pro with Kickstart
- Bitdefender Bootkit Removal Tool
- Emsisoft Emergency Kit
This is a very long and detailed user guide that involves several steps to remove this particular virus. And some of those steps are somewhat complex. If you don’t feel comfortable performing any of the steps listed in this guide, or you feel as if you’re in a little over your head, your best alternative may be to seek the assistance of a professional virus removal specialist.
Each of the software tools listed in this guide are excellent on their own, but since this is such an aggressive bootkit infection, you’ll need to use all of the software tools together, but at different stages to completely remove the Mandiant ransomware from your computer.
How to remove the Mandiant U.S.A. Cyber Security Ransomware step by step
- To start download all of the needed software on a clean computer and burn it all to a cd/dvd, except for “Hitman Pro”, because you will be configuring it on a usb flash drive.
- Next, execute the copy of “Hitman Pro” that you downloaded on the clean computer, but don’t plug the usb flash drive into the computer that you’re installing it on just yet. If you have plugged it in already, unplug it now.
- After the “Hitman Pro” application interface opens, click on the little icon at the bottom that looks like a little stickman figure getting kicked.
- Next plug in your usb flash drive. And keep in mind that the flash drive will be formatted by “Hitman Pro”, so you will lose any dated that is currently loaded on it.
- Your newly connected usb flash drive should now be displayed down at the bottom. If it’s not displayed though, unplug the external usb drive for about 10 seconds and then plug it back in.
- Next click on “Install Kickstart”.
- Click on “Yes” to agree with the drive format warning.
- After the drive has been formatted and Kickstart has been installed on it, unplug it from the clean computer and proceed to the infected computer. Now plug the usb flash drive with “Hitman Pro with Kickstart” into the computer that is infected with the Mandiant USA Cyber Security Ransomware.
- Turn the computer on and select the installed usb flash drive as the boot device. You will probably have to press a hotkey to access the computer’s boot menu first though. The proper hotkey may vary from manufacturer to manufacturer , but it will probably be either the “Function F12” or the “Esc” key.
- Once you have accessed the boot menu and selected the external usb flash drive, the “Kickstart” boot options screen should appear. At this screen select the first option.
- Next log into the affected user account and wait for the “Hitman Pro” interface to appear. And once the interface appears, click on “Next”.
- At the setup screen select the second option to perform a one-time scan of your computer and then click on “Next”.
- Once you make it to the scan screen, perform the default scan of your computer and either quarantine or remove the malicious files that the scanner locates on your computer.
- Next, before “Hitman Pro” will remove the detected files, it will need to be activated over the Internet from the “Product Activation” screen. Select the “Activate Free License” option.
- Once the application has been activated, it will remove the files that it detected on your computer.
- After the removal is completed, restart your computer into “Safe Mode with Command Prompt”.
- Log back into the compromised user account.
- Once the command prompt appears, navigate to the cd/dvd drive that you have the software burned to that you originally created on a clean computer. Depending on your computer configuration you will need to type either “D:” or possibly “E:” at the command prompt to access the cd/dvd drive.
- Next execute the copy of "rKill" by typing "rkill.exe" at the prompt. Once it starts, it will terminate any malicious processes that it detects are loaded in your computer's memory.
- After “rKill” completes, execute the copy of the “Bitdefender Bootkit Remover” by typing it executable at the command prompt. Perform a scan of your computer by clicking on “Start Scan”. If the removal tool detects a bootkit infection, remove it and reboot back into “Safe Mode with Networking” if needed.
- Next, start the copy of "Combofix" by typing "Combofix.exe" at the command prompt. If it prompts you that it has detected an active anti-virus on your system, you'll need to disable the currently installed anti-virus. You can do that by typing "explorer" at the prompt and then disabling your anti-virus once the desktop is displayed. Only start the “Explorer” if it’s absolutely necessary.
- If you needed to disable your anti-virus, open the task manager by clicking on "Clt, Alt & Delete" together. After the task manager is displayed, select the processes tab and click on "Explorer" and then "End Process" down at the bottom.
- Next, return to the command prompt and continue with "Combofix. You may have restart it if you closed it before. Combofix will perform a 50 to 60 stage scan and removal of any malicious files that it detects.
- Once Combofix has completed it’s scan and removal process, start the "Windows Explorer" by typing "explorer' at the prompt.
- Next, execute the decompression of the Emsisoft Emergency Kit" by clicking on it's executable. Make sure that you decompress it to an easily accessible directory on your computer.
- After Emsisoft has been decompressed, start it by double clicking on "start.exe" in it's directory.
- Next click on the “Emergency Kit Scanner”.
- Next perform a deep scan of your system and remove any remaining malicious files that Emsisoft detects.
- After Emsisoft has completed, restart your computer normally.
At this point your computer should be free of the Mandiant USA Cyber Security Ransomware. If there are still indications of the infection, you'll need to contact a professional computer virus removal specialist to handle your situation.
Smith Technical Resources makes no guarantees or claims that the information contained in this article will help you completely remove the above listed malicious program(s) from your computer. There are several variations of each particular virus in the wild . And the procedure listed above may not be adequate for the specific version of the virus that your computer has been compromised by.
If you feel uncomfortable performing any of the procedures that we've listed on this page, please contact a professional computer repair company in your area and have them complete the needed repairs on your computer. Smith Technical Resources takes no responsibility for any possible damage that could result from your use of the above instructions.