The Ransomware family ‘Reveton’ has been a thorn in the sides of many for over two years. It has employed a dynamic approach by tailoring the malware to specific countries and frequently changing infection methods.
Nevertheless, one thing that remains constant in Reveton is its ability to instill fear in users by accusing them of various illegal activities, and demanding payment for absolution. To this end, Reveton has once again reinvented itself, this time with a contingency plan just in case the user doesn’t pay up.
Now, while Reveton has been on a roller coaster as far as how much it demands from users, its operators seem to focus on maximizing their pool of potential targets rather than on how much they think each target will pay.
Sometimes you would see Ransomware that asks for thousands of dollars from small businesses, and other times you will see only $100, a low number that some people might consider paying.
This new version of Reveton takes it a step further and regardless of how much users are willing to pay, or not pay, the bad guys are still getting a profit.
I suppose we all saw this coming: ransomware authors are now posing as the NSA, claiming to be using the PRISM system to identify users performing illegal activities and demanding payment for their system to be unlocked.
This new variant was reported by security researcher Kafeine on his blog, in an article titled “Prism themed ransomware – Kovter evolution.”
The ransomware appears after a user has either executed the malware (via trickery no doubt) or by being hit by a drive-by exploit. After some time, the malware covers the screen and makes it impossible for the user to get around the ransom notice by disabling the Task Manager and forcing the notice to the front of the screen; typical ransomware stuff.
Screenshot courtesy of Kafeine @ Malware Don’t Need Coffee
The success of a malicious attack is determined by several factors including how well it is crafted and what its distribution channel is.
Over the years, we have seen different methods used by the bad guys to deliver their nasty payloads. Social engineering, the art of tricking people into doing certain things, always yields a pretty good return.
Of course, drive-by downloads, where simply browsing to a site results in your computer getting infected, are also a very popular technique.
To add to these two methods, there’s a third one that we could call extortion, where the end user has no other choice but to comply with the bad guys’ demands.
Did you ever wonder what it looks like when all these techniques are combined? Look no further:
Fake YouTube showing pornographic videos.
We discovered a legitimate website that had been compromised. It pretends to be YouTube, although you will (or should) never see such content on there, since it is very explicit material.
Last week we blogged about how Apple’s Mac OS X users are vulnerable to the FBI Ransomware attacks. These social engineering scams come in the form of a stern warning from the FBI stating you have been caught doing something illegal. The user’s machine is then locked and a ransom of $300 must be paid to restore normal access to the computer.
The ransom pages came with two designs based on the victim’s geolocation: FBI or Europol.
Today, I discovered further customizations showing that the bad guys are busy updating their templates for each country’s police force.
The post I wrote about the FBI Ransomware Now Targeting Apple’s Mac OS X users has received a lot of attention. Perhaps it did because we seldom hear about Mac users having to deal with malware – not that it does not happen, because it certainly does – but when it occurs, everyone wants to know about it.
At the end of the day, it still manages to appear as though it did in fact block your computer and will unfortunately be convincing enough to have people fork over several hundred dollars.
Now, let’s answer your questions.