Last week we wrote about a sudden hike in crypto-ransomware variants across the Europe, Middle East and Africa (EMEA) region, specifically in Spain, France, Turkey, Italy, and the United Kingdom. In this blog post we will discuss another strain of ransomware known as REVETON, which was seen infecting systems in the United States with a new infection method: arriving as a .DLL file instead of the traditional .EXE.
REVETON Making a Comeback (Yet Again)
Over the past few months, from October up to the last weeks of November, we observed a noticeable increase in REVETON malware variants, in particular TROJ_REVETON.SM4 and TROJ_REVETON.SM6.
Earlier this year, we reported a sudden wave of mobile ransomware, which appeared to originate from the same Reveton cybercriminal group. Some groups may have expanded their efforts into creating new infection methods, as seen in the recent increase and the expansion to other regions.
The fact that REVETON is making a comeback (again) is a bit surprising, considering that crypto-ransomware has become the dominant ransomware strain in the landscape. REVETON and other PC-locking ransomware often rely on social engineering to convince users that they need to pay a fee.
Old Tactics, But New Infection Methods for REVETON
Like older REVETON (police ransomware) variants, the recent samples detected as TROJ_REVETON.SM4 and TROJ_REVETON.SM6 are both capable of locking the screen of the affected user’s system.
Its behavior is similar to that of previous REVETON variants, which threaten users that they must pay a fine to their local police. In these new samples, the REVETON malware displays fake “warning” messages purporting to come from the Homeland Security National Cyber Security Division and the ICE Cyber Crime Center, informing users that their computer has been blocked because “the work of your (the user’s) computer has been suspended on the grounds of unauthorized cyber activity.”
Below is the warning message, along with a MoneyPak form to transfer the $300 USD payment. The message also warns users that they have only 48 hours to pay the fine.
Figure 1. Fake warning messages from Homeland Security and the ICE Cyber Crime Center