The Reveton worm is a form of ransomware that has continued to evolve since it was first unleashed across Europe in 2012. Like most ransomware, Reveton first infects a computer and then makes itself known by locking the user out of the system and displaying a screen that appears to come from a law enforcement agency. Reveton attempts to scare its victims by displaying a notice claiming that the user has committed a crime—usually downloading or using pirated software or keeping child pornography on the computer. Reveton is also known to take over its victims’ webcams and scare them into believing that they are being recorded by the police.
In the UK, the lock screen appeared to come from organizations such as the copyright organization PRS for Music, London’s Metropolitan Police Service or the Police Central e-Crime Unit. In Germany, it was the Bundespolizei; in Norway, the Norsk Politi Institutt for Cybercrime, and so on. The exact “crime” and “law enforcement agency” shown to the victim are tailored to the user’s locality. Reveton tells victims that to unlock their computers they must pay the stated fine using a prepaid voucher service such as Ukash, Paysafe or MoneyPak.
A version of the Reveton worm began targeting victims in the US and Canada in July 2012, and notices shown to victims claimed to be from the FBI’s Internet Crime Complaint Center (IC3).
The OS X variant of Reveton is simple to remove: the user opens the Safari menu, chooses “Reset Safari,” and makes sure all checkboxes are selected before confirming. Victims can also disable the window-reopening feature system-wide from the General pane of System Preferences.
As the Reveton ransomware continues to evolve, it also continues to find new ways to infect PCs and gather information from victims. In August 2014 Reveton began using a very powerful password stealer called Pony Stealer. Pony Stealer allows Reveton to steal passwords from five cryptocurrency wallets, and it initially targeted German banks. Pony Stealer is very advanced: it can recover and decrypt stored passwords for FTP, VPN, email, web browser and instant messaging programs, and it allows the operators to use infected PCs as botnet clients.