United States Cyber Security Ransomware Scam

In this blog post, I would like to introduce one variant of the widely spread malware family, often detected by avast! as "Reveton." Reveton is classified as ransomware; a program which locks your computer and expects an action, usually the payment of money. Unless the desired amount of money is paid or the malicious application is removed, you cannot do anything with your computer.

In the screenshot below (figure 1), you can see an example of the fake United States Cyber Security notice. Cybercrooks cleverly try to convince the user that activities which violate the law have been detected on his computer. In the sample we analyzed, the user is being accused of illegally downloading and distributing copyrighted contents.

Figure 1

To mimic a realistic look, the United States Cyber Authority logo as well as basic information about the user's location (IP, Location, IPS) are shown in the upper left corner. A black and white image resembling a web camera is shown in the upper right corner. This creates a feeling that the user is being watched by authorities right now via an integrated web camera. Most computers nowadays have integrated web cameras, however, at the computer where our analysis was performed, no web camera was present, but the video recording image was still shown.

As a result of the ransomware being installed, your computer is blocked, and you cannot access the computer's desktop. Even after restarting the screen displays again .To unlock your computer you are instructed to pay a "fine" of US $200 via the MoneyPak payment system. This fine is, of course, a scam - no authority would ask you to pay a fine this way. However, the cybercrooks make it very easy, and frightened users have fallen for it.

You pay the fine by inserting the MoneyPak card code and pressing the green "Pay MoneyPak" button. Below the green button, you can see an explanation titled "Where can I buy MoneyPak?". If you do not know what MoneyPak is, the malware authors try to be helpful and tell you where you can get it. From the list of store logos selling MoneyPak (Wal-Mart, Kmart and other retailers), we expect that this malware was created to target mainly American users.

As we mentioned above, the malware starts after startup, so rebooting your computer does not work. Malware creates in this folder:

"C:\Documents and Settings\<username>\Start Menu\Programs\Startup" file named "ctfmon.lnk", which contains following Target value:

"%systemroot%\system32\rundll32.exe <path_to_malware>,FQ10".

This command starts the malware upon startup. See figure 2 for an explanation of how the malware tries to make itself persistent.

Figure 2

How to Remove Reveton?

1. Restart your computer in Safe Mode

2. Find startup folder - "C:\Documents and Settings\<username>\Start Menu\Programs\Startup"

3. Right click on .lnk file, choose Properties option and check Target value for <path_to_malware>

4. Delete both files: ctfmon.lnk and file in <path to malware>

5. Restart your computer in Normal Mode and continue working.

Reveton comes in many different versions (United States Cyber Security, FBI, etc...) and also many different language mutations. The idea behind the creation and principle of monetizing this malicious program remains always the same - to steal money from computer users.