Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Reveton Malware Freezes PCs, Demands Payment

FBI warns of Reveton 'ransomware' scam that freezes Windows PCs, accuses you of a crime, and requests you pay fines to unlock computer.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
Has your Windows PC frozen up, displaying a lock screen with warnings from the FBI that the PC has been used to illegally access or distributed copyrighted material, or "prohibited pornographic content"?

If so, then you're likely dealing with "ransomware" known as Reveton, which freezes PCs and opens a window telling people that if they want to regain control, they'll need to pay a "fine" via a prepaid money card service. Helpfully, a "pay MoneyPak" code-entry box is even helpfully included on the lock screen. But unlocking a Reveton-infected PC can be difficult, owing to the malware often being deployed in conjunction with other malware that's designed to block users from accessing security websites.

The FBI last week issued a warning that the number of Reveton infections has recently been surging. "We're getting inundated with complaints," said Donna Gregory, a manager at the Internet Crime Complaint Center (IC3), which is a joint effort between the FBI and the National White Collar Crime Center, in a statement. "Some people have actually paid the so-called fine," she said, noting that amounts of $200 aren't uncommon.

[ Learn how to deal with another important security problem. Read 5 Ways To Solve The Password Reset Problem. ]

"Instructions were given on how to load the card and make the payment," one victim of the scam wrote in an emailed complaint to the IC3. "The page said if the demands were not met, criminal charges would be filed and my computer would remain locked on that screen."

Some versions of the scam pretend to be from the FBI, while others list the Department of Justice's Computer Crime and Intellectual Property Section as being behind the freeze. Regardless, the warning notices are heavy on the legalese, accusing PC owners of everything from "violating Article 202 of the Criminal Code" to distributing child pornography. According to the FBI, some versions of Reveton even "turn on computer webcams and display the victim's picture on the frozen screen."

Most Reveton infections also seem to be the result of "drive-by viruses," said the FBI, referring to PCs being infected via known vulnerabilities when they visit a compromised website, rather than through phishing attacks or tricking users into opening malicious email attachments.

The Reveton ransomware is typically delivered via Citadel Trojan malware, according to the FBI's warning. Based on the Zeus malware, Citadel is an all-purpose crimeware kit designed for financial fraud, which debuted on Russian underground hacking websites in December 2011 and sells for $2,500, although plug-ins for adding additional capabilities, as well as a monthly malware-as-a-service update, cost extra.

Citadel's creators have seen rapid uptake of their malware, reportedly owing to high-quality customer service practices, such as frequent updates that add customer-requested capabilities. These include AES encryption to help hide communications between infected "zombie" PCs and its command-and-control server, capabilities for defeating botnet-tracking services, and blocks that stop infected PCs from visiting security vendors' websites or antivirus-signature updating sites.

But according to a July 2012 blog post from a fraud research group at security firm RSA, thanks to law enforcement pressure, Citadel's developer has announced that he's withdrawing the malware from the open--albeit underground--market. "It appears that soon enough only existing customers will continue to enjoy Citadel Trojan upgrades and those wishing to purchase a new kit from the outside will have to get a current customer to vouch for them or be denied the product altogether," according to RSA.

Not everyone, however, is buying the bureau's assertion that Citadel is being used to distribute Reveton. According to security journalist Brian Krebs, a team of Reveton-tracking researchers instead suspects that scammers are using exploit toolkits such as BlackHole to infect PCs with both types of malware.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
8/16/2012 | 8:29:55 AM
re: Reveton Malware Freezes PCs, Demands Payment
Thanks for the comment, EJW. What people can do is be aware. In case of infection, the FBI's advice was essentially to seek out a computer professional for help, and that's good counsel. Run antivirus software in the first place. But mostly, be aware of these types of scams.
FUD? More, I think the FBI saying: "Please stop calling us about this ransomware, it's not really from us." And a cautionary note that people shouldn't pay up in these attacks. The continued existence of these types of attacks suggests that they're succeeding often enough to be profitable.
-- Mathew Schwartz
EJW
50%
50%
EJW,
User Rank: Apprentice
8/15/2012 | 5:46:30 PM
re: Reveton Malware Freezes PCs, Demands Payment
So what are we supposed to do about it?

What can we do other than the apply "generic" security practice?

Otherwise all this does is generate more FUD
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13100
PUBLISHED: 2020-10-26
Arista’s CloudVision eXchange (CVX) server before 4.21.12M, 4.22.x before 4.22.7M, 4.23.x before 4.23.5M, and 4.24.x before 4.24.2F allows remote attackers to cause a denial of service (crash and restart) in the ControllerOob agent via a malformed control-plane packet.
CVE-2020-25470
PUBLISHED: 2020-10-26
AntSword 2.1.8.1 contains a cross-site scripting (XSS) vulnerability in the View Site funtion. When viewing an added site, an XSS payload can be injected in cookies view which can lead to remote code execution.
CVE-2020-7751
PUBLISHED: 2020-10-26
This affects all versions of package pathval.
CVE-2020-27678
PUBLISHED: 2020-10-26
An issue was discovered in illumos before 2020-10-22, as used in OmniOS before r151030by, r151032ay, and r151034y and SmartOS before 20201022. There is a buffer overflow in parse_user_name in lib/libpam/pam_framework.c.
CVE-2020-27388
PUBLISHED: 2020-10-23
Multiple Stored Cross Site Scripting (XSS) vulnerabilities exist in the YOURLS Admin Panel, Versions 1.5 - 1.7.10. An authenticated user must modify a PHP plugin with a malicious payload and upload it, resulting in multiple stored XSS issues.