The Reveton worm is a form of ransomware that continues to evolve since it was first unleashed across Europe in 2012. Like most ransomware, Reveton worm first infects a computer and makes itself known to the user by locking him or her out of the system and displaying a screen that appears to be from a law enforcement agency. The Reveton worm attempts to scare its victims by then displaying a notice that claims that the user has committed a crime—usually downloading or using pirated software or keeping child pornography on the user’s computer. Reveton worm is also known to take over its victims’ webcams and scare victims into believing that they are being recorded by the police.
In the UK, the display on the webcam’s screen appeared to be coming from organizations such as the copyright organization PRS for Music, London’s Metropolitan Police Service or the Police Central e-Crime Unit. In Germany, it was the Bundespolizei; in Norway, the Norsk Politi Institutt for Cybercrime, and so on. The exact “crime” and “law enforcement agency” shown to the victims are tailored to the user’s locality. Reveton tells victims to unlock their computers, and the victims then must pay the appropriate fine using a service such as Ukash, Paysafe or MoneyPak.
A version of the Reveton worm began targeting victims in the US and Canada in July 2012, and notices shown to victims claimed to be from the FBI’s Internet Crime Complaint Center (IC3).
In July 2013 a version of Reveton began targeting OSX Mac users, but using a different method. This version of Reveton uses JavaScript to load numerous iframes and it requires victims to close each one. Messages on the opening windows inform users that they have violated various laws and that their computer has been locked because of this. The messages also state that, to unlock the computer and to avoid legal issues, victims must pay a $300 fine via a prepaid money card. Attempts to close the warning page result in additional messages that reappear each time victims try to close their web browsers. Cyber criminals use “FBI.gov” within the URL to make the warning appear more legitimate. These cyber criminals anticipate that victims will pay the requested ransom before they realize that all iframes need to be closed.
Reveton worm on OSX is pretty simple to remove: it just requires the user to click on the Safari menu and choose “Reset Safari,” and then, to make sure all checkboxes are selected. Victims can also disable the reopening feature across OSX from the General pane of System Preferences.
As the Reveton ransomware continues to evolve, it also continues to find different ways to infect PCs and gather information from victims. In August 2014 Reveton ransomware began using a very powerful password stealer called Pony Stealer. Pony Stealer allows Reveton to steal passwords from 5 crypto currency wallets, and it initially targeted German banks. Pony Stealer is very advanced and it can gain access and decrypt or unlock passwords for FTP, VPN, email, web browsers and instant messaging programs, allowing the program to use infected PCs as botnet clients.
