Vulnerabilities / Threats
01:02 PM
Connect Directly

Ransomware Pays: FBI Updates Reveton Malware Warning

Latest malware, trying to trick users into paying a fine, claims the FBI is using audio, video, and other devices to record computer's "illegal" activity.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Can people pay a fine online, avoid the threat of prosecution by the FBI, and unlock their locked PC all in one go?

That's the offer made by a "Threat of Prosecution Reminder" that's been flashing on numerous PC screens, which says that the FBI has locked the PC after finding evidence that the computer has been used to access child pornography or other illegal content. The latest version of this notice says that "all activity on this computer is being recorded using audio, video, and other devices." But users are offered a way to pay the related fine being levied, immediately unlock their PC, and see the whole matter immediately dismissed.

The warning, however, is just a setup. "This is not a legitimate communication from the IC3, but rather is an attempt to extort money from the victim," according to an advisory released last week by the Internet Crime Complaint Center (IC3), which is a joint effort between the FBI and the National White Collar Crime Center. "If you have received this or something similar do not follow payment instruction."

[ How effective is anti-virus software? Antivirus Tool Fail: Blocking Success Varies By 58%. ]

The extortion part of the scam -- now also featured on the FBI's list of e-scams -- is facilitated by a malicious application known as Reveton, which according to antivirus vendor F-Secure "fraudulently claims to be from a legitimate law enforcement authority and prevents users from accessing their infected machine, demanding that a 'fine' must be paid to restore normal access." Machines are typically infected with Reveton via malicious websites -- using drive-by download attacks launched by Citadel crimeware -- rather than being introduced via phishing attacks or malicious email attachments.

"To unlock the computer, the user is instructed to pay a fine using prepaid money card services," according to the IC3. "The geographic location of the user's PC determines what payment services are offered. In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud."

Don't pay the bogus fine, but do seek help when removing Reveton. "Manual disinfection is a risky process; it is recommended only for advanced users," says F-Secure. If a PC has been infected, also don't rely on any antivirus software that's already been installed, as "some variants of [Reveton] may make lasting changes to your computer that make it difficult for you to download, install, run, or update your virus protection," states a Microsoft malware advisory.

Numerous Reveton-driven ransomware campaigns have been seen this year, localized not just for residents of the United States but also for Finland, Ireland, Germany, and other parts of Europe. The FBI previously released an alert about the Reveton malware in August, with IC3 manager Donna Gregory saying, "We're getting inundated with complaints," and noting that fine payments of $200 didn't seem to be uncommon.

Given the FBI's new warning, PC users obviously haven't been getting the message about the scam. The latest version of Reveton also contains a variation on the previous social-engineering attack. "In addition to instilling a fear of prosecution, this version of the malware also claims that the user's computer activity is being recorded using audio, video, and other devices," according to the IC3.

Unfortunately, any PC infected with Reveton faces further problems, as the malware is delivered by the Citadel malware toolkit, which does in fact include the ability to record whatever users are doing on their PC screen, typically for the purposes of committing "online banking and credit card fraud," according to the IC3.

The latest version of the Russian-language Citadel malware, unveiled earlier this month, includes other advanced capabilities too, such as grabbing passwords from Firefox and Chrome, or using Web injection to modify code on targeted websites, potentially allowing them to trick users into divulging their log-in credentials. Citadel is one of a number of well-known financial malware crimeware toolkits, such as Blackhole, Crisis, SpyEye and Zeus, which include command-and-control software that allows the botmaster to easily relay data from compromised, or zombie machines. The compromised machines can also be used as relays in spam networks or nodes in a larger distributed denial-of-service campaign.

Why do criminals bother with ransomware? Simply put, because such attacks seem to pay. Symantec security researchers Gavin O'Gorman and Geoff McDonald recently studied 68,000 PCs that had been compromised by ransomware in the space of a month, and found that attackers' haul could have been $400,000. One recent 18-day Reveton attack, meanwhile, had attempted to infect 500,000 PCs. "Given the number of different gangs operating ransomware scams, a conservative estimate is that over $5 million a year is being extorted from victims," wrote the researchers in a related report. "The real number is, however, likely much higher."

Faster networks are coming, but security and monitoring systems aren't necessarily keeping up. Also in the new, all-digital Data Security At Full Speed special issue of InformationWeek: A look at what lawmakers around the world are doing to add to companies' security worries. (Free registration required.)

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Ninja
12/17/2012 | 8:26:54 AM
re: Ransomware Pays: FBI Updates Reveton Malware Warning
Keeping up on list of IT scams I am sure would help you in a situation like this. Sounds like nasty malware tough, allowing its self to monitor audio and video, and even pull your browser passwords and such. It did not really go int o detail abut how to get rid of it, is there a easier way or should I say free way or do I have to pay a fee somewhere to have it removed, ironic huh?

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.