Last week we wrote about a sudden hike in crypto-ransomware variants across the Europe, the Middle East and Africa (EMEA) region, specifically seen in Spain, France, Turkey, Italy, and the United Kingdom. In this blog post we will discuss another strain of ransomware known as REVETON, which was seen infecting systems in the United States with a new infection method: arriving as a .DLL versus the traditional .EXE.
REVETON Making a Comeback (Yet Again)
Over the past few months spanning October up to the last weeks of November, we observed a noticeable increase in REVETON malware variants, in particular, TROJ_REVETON.SM4 and TROJ_REVETON.SM6.
Earlier this year, we reported a sudden wave in malware in the form of mobile ransomware, which appeared to originate from the same Reveton cybercriminal group. Some groups may have expanded their efforts into creating new infection methods as seen in the recent increase and expansion to other regions.
The fact that REVETON is making a comeback (again) is a bit surprising, considering that crypto-ransomware has become the dominant ransomware strain in the landscape. REVETON and other PC-locking ransomware often rely on social engineering in order to convince users that they need to pay a fee.
Old Tactics, But New Infection Methods for REVETON
Similar to older REVETON or police ransomware variants, the recent wave of REVETON malware variants detected as TROJ_REVETON.SM4 and TROJ_REVETON.SM6 are both equipped with the capability to lock the screen of the affected users’ systems.
Its behavior rings similar to previous REVETON variants, which threaten users that they need to pay their local police a fine. In these new samples, the REVETON malware displays “warning” messages from the Homeland Security National Cyber Security Division and the ICE Cyber Crime Center informing users that their computer has been blocked for the reason that “the work of your (the user’s) computer has been suspended on the grounds of unauthorized cyber activity.”
Below is the warning message along with a MoneyPak form to transfer the payment of $300 USD. The message also warns users that they have only 48 hours to pay the fine.
Figure 1. Fake warning messages from Homeland Security and the ICE Cyber Crime Center
The samples we’ve spotted over the past few month exhibit the same behaviors as previous REVETON variants, except that this new wave arrives as a .DLL file instead of an executable file. The difference here is that a user whose system is infected by any of these recent REVETON malware variants won’t easily suspect that there’s a malicious application running in the system via Task Manager. Instead the user sees regsvr32 or rundll32, which is a common means of running the .DLL file as if it were a program.
Data from the Trend Micro™ Smart Protection Network™ shows that the healthcare industry seems to be the most affected industry by this malware and mostly centered in the United States, followed by Australia. Below is a ranking of most affected countries by this new wave of REVETON malware spanning October to November 2014.
Figure 2. Data from the Smart Protection Network for TROJ_REVETON.SM4 and TROJ_REVETON.SM6 for October – November 2014
Police Ransomware Still Persistent Despite Old Tactics
Police ransomware had long been a tried and tested tactic in the European region with fake police warnings written in German, Spanish, Italian, French, from various “law enforcement agencies.” It’s interesting to note that this time around, police ransomware or the REVETON malware branched out to target more systems in the United States as the bad guys have seemingly perfected their wares for a much larger market, which of course include users who are not familiar with these PC-locking scams.
The recent REVETON hike could imply that the old gang are still around, or that the original infrastructure is still up and being used by another group trying to scrape up “money left on the table.” These groups appear to target the subset of users who have no idea how to use digital currency (read: Bitcoin, etc.) and are more familiar with the traditional MoneyPak transfer.
Dealing with Police Ransomware
It might be jarring for users to suddenly receive a message supposedly sent by law enforcement agencies. However, they need to keep in mind that this is just a tactic intended to “scare” users into paying the fee. Users might also be tempted to pay the ransom to get their computers up and running once again. Unfortunately, there is no guarantee that paying the ransom will result in having the computer screen unlocked. Paying the ransom will only guarantee more money going into the pockets of cybercrooks.
Ransomware can arrive to computers in different methods so it pays to be vigilant and to keep devices protected, starting with the proper security software. Security software should not only detect and block ransomware but also other malware that may drop the different variants.
Some ransomware variants arrive as attachments of spammed messages. As such, users should be wary of opening emails and attachments, especially those that come from unverified sources. If the email appears to come from a legitimate source (read: banks and other institutions), users should verify the email with the bank. If from a personal contact, confirm if they sent the message. Do not rely solely on trust by virtue of relationship, as friends or family members may be victims of spammers as well.
With additional insights from David Sancho and Jamz Yaneza