ICSPA virus (Free Guide) - updated Feb 2020

ICSPA virus Removal Guide

What is ICSPA virus?

ICSPA virus is the threat that uses false law enforcement agency messages to scare people into paying the demanded amount

ICSPA virusICSPA virus is the threat that locks the screen of the victim and demands for the payment. The scam is successful because people get scared of fake claims about illegal activities. ICSPA virus – the threat based on extortion that falls into the category of ransomware because of that. This virus is almost identical to CashU or Ukash malware because it demands victims to pay the fine for false, illegal activities. It can be spotted in many countries all over the world, so the particular institution that extorts money differs from version to version. The main fact that the message asking you to pay fine via GreeDot, Moneypak, Ukash, or other platforms appears on the computer when the screen gets locked. Often this lock-screen malware is triggered by the trojan infection or another virus like Reveton. These facts make the threat even more dangerous and persistent since many activities are revolving on the trojan and its malicious behavior.

ICSPA ransomware virus also gets distributed via other methods like malicious websites or hacked domains, exploit kits, and malicious files that include the payload of this virus. Spam emails often are the ones that deliver infected files to victims and lead to infections like this. Once such a script is installed on the system, the malware displays a bogus notification and states that the computer is blocked due to the content you visited or other illegal activities that you allegedly are guilty of. The screen becomes locked, and it is not the easiest thing to exit the window and get back to a normal working machine, so you need to react as soon as possible and somehow terminate this program.

Name ICSPA virus
Type Screen-locker, ransomware[1]
Symptoms The screen gets locked and delivers a questionable notification from a law enforcement agency or other institution that claims that you have done something illegal. Therefore, you need to pay a particular fine. This message encourages people to pay using online payment platforms, or your device gets permanently blocked
Danger The extortion-based threat asks for money transfers, so people can lose huge amounts of money if they decide to pay up. Machines can get the damaged during the time when the screen is fully locked by the processes happening in the background
Tactics Scaring people into paying up to hundreds or even thousands of dollars with all the false claims of illegal actions
Known since 2014 or even earlier
Distribution Throughout the years of existence, this virus was distributed with the help of trojans, other malware, malicious sites, hacked domains, and infected files attached to emails
Elimination ICSPA virus removal process should be quick and successful if you use proper anti-malware tools and terminate the malware automatically
Repair When the screen is locked by the virus other processes can be launched, including damaging activities, so get FortectIntego or a similar tool that should find and fix virus damage for you

ICSPA virus will lock your screen and the computer itself, so it blocks any access to the operating system, applications, and features. You need to log in on the machine to do anything, so Safe Mode is the way to go. By rebooting the OS in Safe Mode, you ensure that the computer is not controlled by the malware.

However, it may not be possible and instead of normal Windows boot you receive the same lock screen with the following or a similar ICSPA virus ransom-demanding message:

ICSPA International Cyber Security Protection Alliance

U.S. Department of Justice – Office of Justice Programs

ATTENTION! YOUR COMPUTER HAS BEEN LOCKED BY ICSPA. All activities of this computer have been recorded. The recent actions performed on this computer have been recorded and analysed. Due to evidence of illegal activity found on this computer (“Downloading and distribution of illegal content – illegal Pornography”), this computer has been locked. Read the Important Information below.

The penalty set (“$400 – US dollars”) must be paid within 48 hours of this notice. On expiration of the term, 48 hours that follow will be used for automatic collection of data on yourself and your misconduct, and criminal case will be opened against you.

You are accused of viewing/storage and/or dissemination of banned pornography (child pornography/zoophilia/rape etc.) You have violated World Declaration of non-proliferation of child pornography. You are accused of committing the crime envisaged by Article 161 of United States of America criminal law.

Article 161 of United States of America criminal law provides for the punishment of deprivation of liberty for terms from 5 to 11 years.

Also, your are suspected for violation of “Copyright and Related rights Law” (downloading of pirated music, video, warez) and of use and/or dissemination of copyrighted content. Thus, you are suspected of violation of Article 148 of United States of America criminal law.

Article 148 of United States of America criminal law provides for the punishment of deprivation of liberty for terms from 3 to 7 years or 150 to 550 basic amounts fine.

The illegal actions that have been recorded on this computer (“Downloading and distribution of illegal content – Illegal Pornography”) could have been actioned by yourself purposely, or without your knowledge and consent, provided your computer could have been affected by malware. Consequently , you are suspected – until the investigation is held – of innocent infringement of Article 215 of United States of America criminal law (“Law on negligent and reckless disregard of computers and computer aids”).

Please note, that personal identities of users who are suspected of committing the illegal actions on this computer have been identified and the evidential data has been recorded. The criminal case can be opened in course of 96 hours as of commission of crimes per above Articles. Criminal case can be submitted to court.

However, pursuant to Amendments to the United States of America criminal law dated January 14, 2015, and according to Declaration of Human Rights, you disregard of law may be interpreted as unintended (if you had no incidents before) and no arraignment will follow. However, it is a matter of whether you have paid the fine to the Treasury (to the effect of initiatives aimed at protection of cyberspace).

Current status: “Case can be classified as occasional/unmotivated, according to 17 (U.S Code) 512. Subject to a fine ($400 – US dollars).” – this case can be closed without prosecution. The computer will be unlocked automatically.

The message can be written in an appropriate language and target victims in a specific area, so it seems more legitimate and scary. However, you are not charged for any of those claims like visiting pornographic content sites or downloading pirated software. Any agencies like that cannot collect fines by invading your primate network. It may seem that ICSPA virus removal is not possible due to the screen-locking and all the payment demands, affected functions of the machine.

However, if you choose the right tools, you can terminate this ICSPA virus. It is a highly complicated process, so you should get advanced tools and prepare for serious malware removal. Tools like anti-malware software can get on the machine and find these traces of the malicious programs. Install the AV tool on an external drive and launch it on the infected PC. Make sure to ignore the pop-up virus message and try to not click on anything, so you can at least avoid additional malware infiltration. ICSPA lock-screen malwareICSPA virus is the threat that shows fake messages from the FBI and other institutions. It has different versions in various parts of the world ICSPA virus, also known as the International Cyber Security Protection Alliance virus, is a malicious infection that can easily get on your machine if it's poorly protected. When inside and active, this ransomware blocks the entire system down and then displays its fake alert that reports about various crimes and law violations. Please, don't fall for this scam because governmental organizations don't use such primitive methods when trying to make users pay the fines for them.[2]

It's clear that ICSPA ransomware virus is designed to steal the money from unaware PC users, and it must be removed from the system without any delay. Of course, it won't be as easy as you may expect because this ransomware blocks legitimate applications, including anti-virus and anti-spyware programs. However, keep on reading, and you'll see how you can overcome that.

Once it gets inside, this ransomware locks the desktop and disables the computer's functions without any permission asked. Even more, it replaces PC's screen with an alert that pretends to be from the International Cyber Security Protection Alliance and reports about various crimes, like the use of illegal software or distribution of malware. Please, keep in mind that all this activity is a huge scam that seeks to rip you off, and you should never pay a fine using Ukash or Paysafecard prepayment systems.

Instead of that, you must remove ICSPA virus as soon as possible, and the best option would be to scan the machine using a professional anti-malware tool that is capable of detecting and deleting threats running in the background of the device. You cannot find the payload of such malware manually, so automatic software is helping you.

However, since ICSPA virus itself can affect important settings of the computer and install additional threats to do that, the already infected device can get more damaged. Besides terminating the ransomware, you should also go through those altered parts and repair virus damage. Rely on system software like FortectIntego that can find and repair such parts on your computer. ICSPA ransomware virusICSPA virus is categorized as ransomware because it demands payments from people as any other extortion-based malware would.

Methods used to spread malware around

The particular screen lockers get distributed through the same methods as malware and spyware: threat can be downloaded together with fake updates, media codecs, non-registered software, spam, and through similar ways of distribution that involve files injected with malicious script.

Malicious files can be delivered via spam emails, other notifications sent via the internet to you. In most cases, criminals pose as companies, institutions, or services that people commonly use, so victims fall for the scam and open the email, download the attachment or visit the link added on the email itself.

Unfortunately, the attachment can come in the format of a document, executable, and other typical files that may not raise too many questions. Microsoft documents include macro viruses[3] that trigger the direct drop of the virus script and lead to infection like this immediately. Make sure to ignore any of the emails that you were not expecting to receive, so there is no opportunity for the malware to end up on the PC.

Get rid of the ICSPA ransomware virus as soon as possible

When trying to remove ICSPA virus, you may find that your security features, anti-malware programs, and other system functions are blocked. That's normal because threat changes various settings on the machine to affect the performance significantly. In order to overcome this situation, you should use one of the features that the Windows operating system has.

Before you proceed with the automatic ICSPA virus with an anti-malware tool, reboot the system in Safe Mode with Networking and then run the AV detection program. By doing it this way you can ensure that the virus is not affecting the process, and malware can get detected. We can rely on SpyHunter 5Combo Cleaner or Malwarebytes for such a job.

ICSPA virus can be more persistent and affect other crucial parts of the system, so the victim can't access the needed tools and functions that help terminate the threat or recover the machine. We can recommend getting a PC repair or system optimizer software like FortectIntego since it can find and fix affected files, data in system folders that allow the locker running.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of ICSPA virus. Follow these steps

Manual removal using Safe Mode

Get rid of ICSPA virus and make sure to clean the machine fully by rebooting the system in Safe Mode

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove ICSPA using System Restore

Try System Restore that can help to disable the threat automatically

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of ICSPA. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that ICSPA removal is performed successfully.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from ICSPA and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Stream videos without limitations, no matter where you are

There are multiple parties that could find out almost anything about you by checking your online activity. While this is highly unlikely, advertisers and tech companies are constantly tracking you online. The first step to privacy should be a secure browser that focuses on tracker reduction to a minimum.

Even if you employ a secure browser, you will not be able to access websites that are restricted due to local government laws or other reasons. In other words, you may not be able to stream Disney+ or US-based Netflix in some countries. To bypass these restrictions, you can employ a powerful Private Internet Access VPN, which provides dedicated servers for torrenting and streaming, not slowing you down in the process.

Data backups are important – recover your lost files

Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it launches a sophisticated encryption algorithm that locks all your files, although it does not destroy them. The most common misconception is that anti-malware software can return files to their previous states. This is not true, however, and data remains locked after the malicious payload is deleted.

While regular data backups are the only secure method to recover your files after a ransomware attack, tools such as Data Recovery Pro can also be effective and restore at least some of your lost data.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

Removal guides in other languages