Remove ICSPA virus (Free Guide) - updated Feb 2020

Removal by Olivia Morelli | Type: Ransomware

ICSPA virus is a threat that uses fake law enforcement agency messages to scare people into paying the demanded amount

ICSPA virus is an extortion-based threat, which places it in the ransomware category. This virus is almost identical to the CashU or Ukash malware because it demands that victims pay a fine for false claims of illegal activity. It has been spotted in many countries all over the world, so the particular institution named in the extortion message differs from version to version. The main symptom is a message asking you to pay a fine via GreenDot, MoneyPak, Ukash, or other platforms, which appears on the computer when the screen gets locked. Often this lock-screen malware is triggered by a trojan infection or another virus like Reveton. This makes the threat even more dangerous and persistent, since much of its activity revolves around the trojan and its malicious behavior.

ICSPA ransomware virus also gets distributed via other methods, such as malicious websites or hacked domains, exploit kits, and malicious files that carry the payload of this virus. Spam emails are often what deliver infected files to victims and lead to infections like this. Once such a script is installed on the system, the malware displays a bogus notification stating that the computer is blocked due to the content you visited or other illegal activities that you are allegedly guilty of. The screen becomes locked, and it is not easy to exit the window and get back to a normally working machine, so you need to react as soon as possible and terminate this program.

Name: ICSPA virus
Type: Screen-locker, ransomware[1]
Symptoms: The screen gets locked and shows a questionable notification from a law enforcement agency or other institution claiming that you have done something illegal and therefore need to pay a particular fine. The message encourages people to pay using online payment platforms and threatens that the device will otherwise be permanently blocked
Danger: The extortion-based threat asks for money transfers, so people can lose huge amounts of money if they decide to pay up. Machines can get damaged by processes running in the background while the screen is fully locked
Tactics: Scaring people into paying up to hundreds or even thousands of dollars with false claims of illegal actions
Known since: 2014 or even earlier
Distribution: Throughout the years of its existence, this virus has been distributed with the help of trojans, other malware, malicious sites, hacked domains, and infected files attached to emails
Elimination: ICSPA virus removal should be quick and successful if you use proper anti-malware tools and terminate the malware automatically
Repair: While the screen is locked by the virus, other processes can be launched, including damaging activities, so get Reimage Intego or a similar tool that should find and fix virus damage for you

ICSPA virus will lock your screen and the computer itself, so it blocks any access to the operating system, applications, and features. You need to log in on the machine to do anything, so Safe Mode is the way to go. By rebooting the OS in Safe Mode, you ensure that the computer is not controlled by the malware.

However, this may not be possible, and instead of a normal Windows boot you may get the same lock screen with the following or a similar ICSPA virus ransom-demanding message:

ICSPA International Cyber Security Protection Alliance

U.S. Department of Justice – Office of Justice Programs 

ATTENTION! YOUR COMPUTER HAS BEEN LOCKED BY ICSPA. All activities of this computer have been recorded. The recent actions performed on this computer have been recorded and analysed. Due to evidence of illegal activity found on this computer (“Downloading and distribution of illegal content – illegal Pornography”), this computer has been locked. Read the Important Information below.

The penalty set (“$400 – US dollars”) must be paid within 48 hours of this notice. On expiration of the term, 48 hours that follow will be used for automatic collection of data on yourself and your misconduct, and criminal case will be opened against you. 

You are accused of viewing/storage and/or dissemination of banned pornography (child pornography/zoophilia/rape etc.) You have violated World Declaration of non-proliferation of child pornography. You are accused of committing the crime envisaged by Article 161 of United States of America criminal law. 

Article 161 of United States of America criminal law provides for the punishment of deprivation of liberty for terms from 5 to 11 years.

Also, your are suspected for violation of “Copyright and Related rights Law” (downloading of pirated music, video, warez) and of use and/or dissemination of copyrighted content. Thus, you are suspected of violation of Article 148 of United States of America criminal law.

Article 148 of United States of America criminal law provides for the punishment of deprivation of liberty for terms from 3 to 7 years or 150 to 550 basic amounts fine.

The illegal actions that have been recorded on this computer (“Downloading and distribution of illegal content – Illegal Pornography”) could have been actioned by yourself purposely, or without your knowledge and consent, provided your computer could have been affected by malware. Consequently , you are suspected – until the investigation is held – of innocent infringement of Article 215 of United States of America criminal law (“Law on negligent and reckless disregard of computers and computer aids”).

Please note, that personal identities of users who are suspected of committing the illegal actions on this computer have been identified and the evidential data has been recorded. The criminal case can be opened in course of 96 hours as of commission of crimes per above Articles. Criminal case can be submitted to court.

However, pursuant to Amendments to the United States of America criminal law dated January 14, 2015, and according to Declaration of Human Rights, you disregard of law may be interpreted as unintended (if you had no incidents before) and no arraignment will follow. However, it is a matter of whether you have paid the fine to the Treasury (to the effect of initiatives aimed at protection of cyberspace).

Current status: “Case can be classified as occasional/unmotivated, according to 17 (U.S Code) 512. Subject to a fine ($400 – US dollars).” – this case can be closed without prosecution. The computer will be unlocked automatically.

The message can be written in the local language and target victims in a specific area, so that it seems more legitimate and scary. However, you are not actually charged with any of those claims, such as visiting pornographic sites or downloading pirated software. No agency like that can collect fines by invading your private network. It may seem that ICSPA virus removal is not possible due to the screen locking, the payment demands, and the affected functions of the machine.

However, if you choose the right tools, you can terminate this ICSPA virus. It is a highly complicated process, so you should get advanced tools and prepare for serious malware removal. Anti-malware software can get on the machine and find the traces of the malicious programs. Install the AV tool on an external drive and launch it on the infected PC. Make sure to ignore the pop-up virus message and try not to click on anything, so you can at least avoid additional malware infiltration.

[Image: ICSPA lock-screen malware. ICSPA virus is the threat that shows fake messages from the FBI and other institutions. It has different versions in various parts of the world.]

ICSPA virus, also known as the International Cyber Security Protection Alliance virus, is a malicious infection that can easily get on your machine if it's poorly protected. Once inside and active, this ransomware locks the entire system down and then displays its fake alert that reports various crimes and law violations. Please don't fall for this scam, because governmental organizations don't use such primitive methods when trying to make users pay fines.[2]

It's clear that ICSPA ransomware virus is designed to steal the money from unaware PC users, and it must be removed from the system without any delay. Of course, it won't be as easy as you may expect because this ransomware blocks legitimate applications, including anti-virus and anti-spyware programs. However, keep on reading, and you'll see how you can overcome that.

Once it gets inside, this ransomware locks the desktop and disables the computer's functions without any permission asked. Even more, it replaces PC's screen with an alert that pretends to be from the International Cyber Security Protection Alliance and reports about various crimes, like the use of illegal software or distribution of malware. Please, keep in mind that all this activity is a huge scam that seeks to rip you off, and you should never pay a fine using Ukash or Paysafecard prepayment systems.

Instead, you must remove ICSPA virus as soon as possible, and the best option is to scan the machine using a professional anti-malware tool that is capable of detecting and deleting threats running in the background of the device. You cannot find the payload of such malware manually, so automated software does that for you.

However, since ICSPA virus itself can affect important settings of the computer and install additional threats to do so, the already infected device can get damaged further. Besides terminating the ransomware, you should also go through those altered parts and repair the virus damage. Rely on system software like Reimage Intego that can find and repair such parts on your computer.

[Image: ICSPA ransomware virus. ICSPA virus is categorized as ransomware because it demands payments from people as any other extortion-based malware would.]

Methods used to spread malware around

Screen lockers like this one are distributed through the same methods as other malware and spyware: the threat can be downloaded together with fake updates, media codecs, unregistered software, spam, and through similar channels that involve files injected with a malicious script.

Malicious files can be delivered via spam emails and other notifications sent to you over the internet. In most cases, criminals pose as companies, institutions, or services that people commonly use, so victims fall for the scam and open the email, download the attachment, or visit the link included in the email.

Unfortunately, the attachment can come as a document, an executable, or another common file type that may not raise many questions. Microsoft documents can include macro viruses[3] that directly drop the virus script and lead to an infection like this immediately. Make sure to ignore any emails that you were not expecting to receive, so the malware has no opportunity to end up on the PC.
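
As an added illustration (not part of the original guide), the following Python sketch triages an attachment by its content rather than its file name, flagging the two carriers named above: executables and Office documents that contain VBA macros. The function names, verdict strings and sample documents are constructed for this example.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                      # OOXML (.docx/.docm/...) is a ZIP
PE_MAGIC = b"MZ"                               # Windows executable


def classify_attachment(data: bytes) -> str:
    """Return a triage verdict for one attachment, judged by content only."""
    if data.startswith(PE_MAGIC):
        return "block: Windows executable"
    if data.startswith(OLE_MAGIC):
        # Macros cannot be ruled out here without parsing the OLE streams.
        return "review: legacy Office binary, macros possible"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                members = [name.lower() for name in archive.namelist()]
        except zipfile.BadZipFile:
            return "review: damaged archive"
        # Office stores VBA code in a part named vbaProject.bin.
        if any(name.endswith("vbaproject.bin") for name in members):
            return "block: Office document with VBA macros"
        if "[content_types].xml" in members:
            return "pass: Office document without VBA macros"
        return "review: generic archive"
    return "pass: no risky container recognised"


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped ZIP in memory (sample data only)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buffer.getvalue()


if __name__ == "__main__":
    # Constructed samples standing in for attachments pulled from a mail queue.
    samples = {
        "invoice.docm": build_sample_document(with_macro=True),
        "report.docx": build_sample_document(with_macro=False),
        "update.exe": PE_MAGIC + b"\x90\x00",
        "old.doc": OLE_MAGIC + b"\x00" * 8,
    }
    for label, blob in samples.items():
        print(f"{label:14} {classify_attachment(blob)}")
```
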

Get rid of the ICSPA ransomware virus as soon as possible

When trying to remove ICSPA virus, you may find that your security features, anti-malware programs, and other system functions are blocked. That's normal, because the threat changes various settings on the machine to affect its performance significantly. To overcome this situation, you should use one of the features built into the Windows operating system.

Before you proceed with the automatic ICSPA virus removal with an anti-malware tool, reboot the system in Safe Mode with Networking and then run the AV detection program. By doing it this way, you can ensure that the virus is not affecting the process and that the malware can be detected. You can rely on SpyHunter 5, Combo Cleaner or Malwarebytes for such a job.

ICSPA virus can be more persistent and affect other crucial parts of the system, so that the victim can't access the tools and functions needed to terminate the threat or recover the machine. We recommend getting PC repair or system optimizer software like Reimage Intego, since it can find and fix affected files and data in system folders that allow the locker to run.

To remove ICSPA virus, follow these steps:

Remove ICSPA using Safe Mode with Networking

Get rid of ICSPA virus and make sure to clean the machine fully by rebooting the system in Safe Mode

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove ICSPA

    Log in to your infected account and start the browser. Download Reimage Intego or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware to complete ICSPA removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove ICSPA using System Restore

Try System Restore, which can help to disable the threat automatically

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt ('Safe Mode with Command Prompt') from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of ICSPA. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage Intego, scan your computer with it, and make sure that ICSPA removal is performed successfully.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from ICSPA and other ransomware, use a reputable anti-spyware program, such as Reimage Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.

Access your website securely from any location

When you work on a domain, site, blog, or other project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and tie it to your device, you can connect to the CMS from any location without creating additional issues for the server or network manager who needs to monitor connections and activities. This is how you bypass some of the authentication factors and can remotely use your banking accounts without triggering suspicion with each login.

VPN software providers like Private Internet Access can help you with such settings and offer the option to control your online reputation and manage projects easily from any part of the world. It is better to block access to your website from different IP addresses. That way you can keep the project safe and secure when you have a dedicated IP address VPN and protected access to the content management system.

Back up files for later use, in case of a malware attack

Computer users can suffer various losses due to cyber infections or their own faulty doings. Software issues created by malware or direct data loss due to encryption can lead to problems with your device or permanent damage. When you have proper up-to-date backups, you can easily recover after such an incident and get back to work.

It is crucial to update your backups after any changes on the device, so that you can get back to the point you were working at when malware changes something or issues with the device cause data or performance corruption. Make file backups a daily or weekly habit.

When you have a previous version of every important document or project, you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for system restoring purposes.

About the author

Olivia Morelli - Ransomware analyst


  1. david says:
    March 4th, 2013 at 7:07 pm

    These people actually have a (fake) website all about the ICSPA. Don't go here because McAfee (our anti virus software) doesn't even know about heaven it… don't go there

  2. sam says:
    August 5th, 2015 at 9:13 am

    my HTC is locked up How can I fix it?

  3. david says:
    March 4th, 2013 at 7:08 pm

    ignore “heaven”

  4. jesse says:
    June 1st, 2014 at 4:35 pm

    How do you remove it on android?
    – email me soon please its locked down my tablet….

  5. j says:
    August 3rd, 2014 at 6:49 pm

    Did you get it removed?

  6. steve says:
    July 30th, 2014 at 2:40 am

    my android phone is locked from icspa virus please help asap

  7. j says:
    August 3rd, 2014 at 6:48 pm

    Did you get it removed?

  8. kyle says:
    August 13th, 2014 at 1:18 am

    my android phone is locked from this icspa virus can anyone tell me how to unlock it

  9. ivy says:
    August 22nd, 2014 at 12:28 pm

    It got my phone too. I need help

  10. ramesh kumar says:
    March 22nd, 2016 at 3:18 am

    my mobile is icspa lock pls help me

  11. andrew lilly says:
    June 29th, 2016 at 10:51 am

    my phone has the icspa virus got it in safe mode but comes with no location found so cant get into it properly. can you use your phone to make calls if it is in safe mode.
