Vulnerabilities / Threats
01:02 PM

Ransomware Pays: FBI Updates Reveton Malware Warning

Latest malware, trying to trick users into paying a fine, claims the FBI is using audio, video, and other devices to record computer's "illegal" activity.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Can people pay a fine online, avoid the threat of prosecution by the FBI, and unlock their locked PC all in one go?

That's the offer made by a "Threat of Prosecution Reminder" that's been flashing on numerous PC screens, which says that the FBI has locked the PC after finding evidence that the computer has been used to access child pornography or other illegal content. The latest version of this notice says that "all activity on this computer is being recorded using audio, video, and other devices." But users are offered a way to pay the related fine being levied, immediately unlock their PC, and see the whole matter immediately dismissed.

The warning, however, is just a setup. "This is not a legitimate communication from the IC3, but rather is an attempt to extort money from the victim," according to an advisory released last week by the Internet Crime Complaint Center (IC3), which is a joint effort between the FBI and the National White Collar Crime Center. "If you have received this or something similar do not follow payment instruction."

[ How effective is anti-virus software? Antivirus Tool Fail: Blocking Success Varies By 58%. ]

The extortion part of the scam -- now also featured on the FBI's list of e-scams -- is facilitated by a malicious application known as Reveton, which according to antivirus vendor F-Secure "fraudulently claims to be from a legitimate law enforcement authority and prevents users from accessing their infected machine, demanding that a 'fine' must be paid to restore normal access." Machines are typically infected with Reveton via malicious websites -- using drive-by download attacks launched by Citadel crimeware -- rather than being introduced via phishing attacks or malicious email attachments.

"To unlock the computer, the user is instructed to pay a fine using prepaid money card services," according to the IC3. "The geographic location of the user's PC determines what payment services are offered. In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud."

Don't pay the bogus fine, but do seek help when removing Reveton. "Manual disinfection is a risky process; it is recommended only for advanced users," says F-Secure. If a PC has been infected, also don't rely on any antivirus software that's already been installed, as "some variants of [Reveton] may make lasting changes to your computer that make it difficult for you to download, install, run, or update your virus protection," states a Microsoft malware advisory.

Numerous Reveton-driven ransomware campaigns have been seen this year, localized not just for residents of the United States but also for Finland, Ireland, Germany, and other parts of Europe. The FBI previously released an alert about the Reveton malware in August, with IC3 manager Donna Gregory saying, "We're getting inundated with complaints," and noting that fine payments of $200 didn't seem to be uncommon.

Given the FBI's new warning, PC users obviously haven't been getting the message about the scam. The latest version of Reveton also contains a variation on the previous social-engineering attack. "In addition to instilling a fear of prosecution, this version of the malware also claims that the user's computer activity is being recorded using audio, video, and other devices," according to the IC3.

Unfortunately, any PC infected with Reveton faces further problems, as the malware is delivered by the Citadel malware toolkit, which does in fact include the ability to record whatever users are doing on their PC screen, typically for the purposes of committing "online banking and credit card fraud," according to the IC3.

The latest version of the Russian-language Citadel malware, unveiled earlier this month, includes other advanced capabilities too, such as grabbing passwords from Firefox and Chrome, or using Web injection to modify code on targeted websites, potentially allowing them to trick users into divulging their log-in credentials. Citadel is one of a number of well-known financial malware crimeware toolkits, such as Blackhole, Crisis, SpyEye and Zeus, which include command-and-control software that allows the botmaster to easily relay data from compromised, or zombie machines. The compromised machines can also be used as relays in spam networks or nodes in a larger distributed denial-of-service campaign.

Why do criminals bother with ransomware? Simply put, because such attacks seem to pay. Symantec security researchers Gavin O'Gorman and Geoff McDonald recently studied 68,000 PCs that had been compromised by ransomware in the space of a month, and found that attackers' haul could have been $400,000. One recent 18-day Reveton attack, meanwhile, had attempted to infect 500,000 PCs. "Given the number of different gangs operating ransomware scams, a conservative estimate is that over $5 million a year is being extorted from victims," wrote the researchers in a related report. "The real number is, however, likely much higher."

Faster networks are coming, but security and monitoring systems aren't necessarily keeping up. Also in the new, all-digital Data Security At Full Speed special issue of InformationWeek: A look at what lawmakers around the world are doing to add to companies' security worries. (Free registration required.)

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Ninja
12/17/2012 | 8:26:54 AM
re: Ransomware Pays: FBI Updates Reveton Malware Warning
Keeping up on list of IT scams I am sure would help you in a situation like this. Sounds like nasty malware tough, allowing its self to monitor audio and video, and even pull your browser passwords and such. It did not really go int o detail abut how to get rid of it, is there a easier way or should I say free way or do I have to pay a fee somewhere to have it removed, ironic huh?

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.