A strain of the Revoyem ransomware redirects victims to child pornography before locking the computer and displaying a law enforcement warning demanding a fine for viewing the illegal content.

A strain of the Revoyem ransomware, also known as DirtyDecrypt, is aggressively spreading beyond Germany and Great Britain, the first two countries in which it was spotted back in March. A researcher who goes by the handle Kafeine reports on his Malware Don’t Need Coffee website that Revoyem is being aggressively distributed internationally.

Victims are generally infected on pornographic websites with the malware, Kafeine reports in a blogpost. It then takes a turn for the worst, redirecting victims via a TrafficHolder malvertising ad to page hosting child pornography which drops the Styx exploit kit on the victim’s machine and the DirtyDecrypt ransomware locking the victim’s computer and informing the victim they’ve just viewed illegal content.

“This is amplified [because] it’s true, you just viewed illegal content even if you’ve been driven there against your will,” Kafeine said.

Ransomware generally follows a similar pattern, though previous strains of the malware have forgone actually displaying child pornography. The victim’s computer is locked by the malware and displays a banner purporting to be from a law enforcement agency. Sometimes these banners are regionalized, i.e., a U.S.-based infection will display an FBI banner informing the victim they must pay a “fine” in order for their machines to be returned to normal working order.

Kafeine said the DirtyDecrypt ransomware has been spotted in 15 countries including the U.S., Spain, France, Italy and the Netherlands.

The FBI banner displays the victim’s IP address and location as well as the illegal images displayed by the malware before locking the computer. The FBI warning also posts a log of visits from the victim’s IP address, and the charges the victim faces.

“In the case of payment of a fine, all data collected against you will be removed from the evidence base,” reads the final page displayed by the malware, along with payment options from MoneyPak and PaysafeCard.

In the background, the malware is stealing private information from the machine’s browser, disabling Windows Task Manager and installs itself for autorun at Windows startup, an analysis at Malwr.com indicates. A list of domains associated with Revoyem have been posted on Pastebin, all of which have been posted in the past few days.