    3:47 am (UTC-7)   |    by

    Yes, it does. And depending on where you are located, it can even speak in your mother tongue.

    As discussed in our paper Police Ransomware Update, the people behind police Trojan/Ransomware have implemented improvements to make this threat more effective. Gone are the days when ransomware simply showed a message that users’ systems are “captured” and that they have to pay a fee to get them back.

    These days, this new breed of ransomware notifies users of the fee (or ransom) under the guise of the victim’s local law enforcement agencies. Thus, a user with a ransomware-infected system from France will get a notification from the Gendarmerie Nationale, while a US-based one will likely receive a message from the FBI.

    To up the ante, we received a report that a new police Trojan variant even has a “voice”. Detected as TROJ_REVETON.HM, it locks the infected system, but instead of just showing a message, it now verbally urges users to pay. The user won’t need a translator to understand what the malware is saying – it speaks the language of the country where the victim is located.

    From a threat previously limited to Russia, ransomware has now leaped into other European countries, the United States and Canada. Because of the payment method ransomware employs, specifically electronic cash like Ukash, PaySafeCard and MoneyPak, the bad guys behind this threat generate profit from it but with the benefit of a faint money trail. As such, the gangs profiting from this malware can hide their tracks easily. To know more about ransomware, below are some of the posts we’ve published about this malware:

    TROJ_REVETON.HM, unfortunately, is possibly just the tip of the iceberg. It’s not a stretch to say that we can expect further improvements for this malware: possibly a singing ransomware in the near future?

    Trend Micro Smart Protection Network protects users from this threat by detecting and deleting ransomware variants if found in the user’s system. As an added precaution, users should refrain from downloading files from unknown URLs or from opening files or links contained in dubious-looking email messages.

    With additional insights from Security Evangelist Ivan Macalintal

    Update as of December 10, 2012 4:00 PM PST

    Further analysis of the malware also reveals that it connects to specific URLs to send and receive information from a remote user. Furthermore, it downloads an encrypted .DLL file and a WAVE file and saves them as %System Root%\Documents And Settings\All Users\Application Data\{reversed filename.pad}. The said .PAD file is responsible for locking the screen.

    Unlike previous ransomware variants that encrypt files, Reveton locks the machine and informs users about a law violation. During our investigation, older variants were seen to drop only the executable file that locks the screen. However, newer variants like TROJ_REVETON.HM include the wave file responsible for the ‘sound.’
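    As an added illustration of the update above (this is not code from Trend Micro or from the original post), a small triage script that walks a directory for the `.pad` artifacts described and labels each one by its magic bytes or byte entropy, so a responder can tell the WAVE payload from the encrypted DLL. The sample tree, the reversed-looking file names and the 7.0 bits/byte entropy threshold are constructed assumptions.

```python
import math
import os
import tempfile
from pathlib import Path

# Added triage helper, not Trend Micro's tooling. The post says Reveton drops
# an encrypted DLL and a WAVE file as "{reversed filename}.pad" under
# All Users\Application Data. The directory is a parameter so the check can
# run against a constructed sample tree on any OS.

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/compressed data, lower otherwise."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_pad(data: bytes) -> str:
    """Label a .pad payload according to the artifacts the post describes."""
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "wave"        # audio played by the "talking" variant
    if data[:2] == b"MZ":
        return "pe"          # an unencrypted DLL/EXE
    if shannon_entropy(data) > 7.0:  # assumed threshold
        return "encrypted"   # consistent with the encrypted .DLL
    return "unknown"

def find_pad_artifacts(root: str) -> dict:
    """Map each *.pad file name under root to its classification."""
    return {p.name: classify_pad(p.read_bytes()) for p in Path(root).rglob("*.pad")}

def build_sample_tree() -> str:
    """Constructed sample files standing in for the dropped artifacts."""
    root = tempfile.mkdtemp()
    base = Path(root) / "Application Data"
    base.mkdir()
    wave_hdr = b"RIFF" + b"\x00" * 4 + b"WAVE" + b"fmt " + b"\x00" * 64
    (base / "dap.elpmas.pad").write_bytes(wave_hdr)          # constructed WAVE
    (base / "lld.elpmas.pad").write_bytes(os.urandom(2048))  # stands in for encrypted DLL
    (base / "readme.txt").write_bytes(b"not a pad file")     # should be ignored
    return root

if __name__ == "__main__":
    for name, label in sorted(find_pad_artifacts(build_sample_tree()).items()):
        print(f"{name}: {label}")
```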


    • cman

      1. go into safe mode
      2. delete anything in the “Startup” folder in your start menu
      3. run a scan with any trusted antivirus (malwarebytes, norton etc)
      4. restart

      just a quick fix

    • Chasity Leadingham

      I have the virus on my computer right now and I don't know how to remove it.

    • Michael

      How do I remove it from a laptop? I cannot use safe mode with internet as the malware will shut down the computer in safe mode.

    • Shawn

      How do you remove it from a laptop?

    • Salman Ahmed

      lol people are so stupid. The FBI will never ask for your money, and they will never let you know that your computer is blocked. They will throw you in jail if the charge is real.

    • Kenko

      I have been infected with the same kind of malware but with a different warning screen. It disguises itself as the FBI and warns us that we have violated some rules. It freaked me out at first, so I tried to search on the internet and found some references like this. Great work, antimalware guys.

      • Craig Queenan

        I had one of these infect my wife's computer. It was a DOJ MoneyPak virus, but it also took control of the laptop's webcam and started “snapping pictures” of the person who supposedly violated the terms.

