The Reveton ransomware

Date : February 05, 2013

Introduction

Ransomware is a class of malware which, once a system has been compromised, blackmails the victim by locking their system until they agree to pay a ransom. Other variants of the same principle consist, for instance, in encrypting all the documents stored on the hard drive, thus preventing the victim from reading or modifying them until the ransom is paid. It is generally accepted within the security research community that modern ransomware appeared in Eastern Europe (especially in Russia) around 2006, spread over the years to the rest of Europe and finally reached North America in 2012.

In this article, we discuss Reveton, which is probably the best-known and most profitable piece of ransomware, and also one of the highlights of 2012 in the evolution of cyber threats.

Note: According to Symantec, there are around 20 rather similar variants of the Reveton Trojan, but we have decided not to go into these details in order to keep the presentation simple. Throughout this article, we will refer generically to any of these variants as “Reveton”.


Presentation

Reveton, aka BKA in its German version, was discovered in 2011. Admittedly, the ransomware phenomenon was not really new at that time, but Reveton was somewhat original in the intimidation techniques it used. Once a computer gets infected, a message claiming to come from the local police authorities is displayed to the user, stating that his/her computer has been used to perform various illegal actions (downloading child pornography, software piracy or counterfeiting of copyrighted audio/video content ...). The message is displayed as a full-screen web page in a foreground window; the malicious code closes the task manager each time the victim tries to launch it and blocks the "explorer.exe" process, so that it is no longer possible to do anything on the system. The message states that the computer will be unlocked only if the victim pays a “fine” (from 100 to 200 euros) via various anonymous and hard-to-trace payment solutions. Several reports found on the Internet indicate that even when the so-called “fine” is paid, the system is not necessarily unlocked, much less cleaned of every trace of malware.

To further amplify the pressure and the chilling effect, the latest versions of Reveton are able to detect the presence of a webcam on the infected system, take a picture of the victim and display it beside the payment request message. Some Reveton variants also display the corporate logos of various antivirus companies so that the message appears even more serious and instils a sense of fear.


Payment of the ransom, monetization of the fraud

To unlock an infected system, Reveton asks the victim to pay a “fine” via an anonymous Internet payment solution or, more usually, via some form of prepaid card. The fraud thus operates as follows:

  • Once the victim's computer has been locked by the malware, he/she is supposed to go to a local prepaid card point of sale (newsagent, tobacco store ...) and buy a voucher in exchange for cash. For example, the Paysafecard service (www.paysafecard.com) sells vouchers worth 10, 25, 50 or 100 euros.
  • He/she then enters the code printed on the voucher (around 15 to 20 digits depending on the prepaid card service) into the field provided for this purpose on the lock screen displayed by Reveton.
  • In some cases the computer may finally be unlocked, but a number of related articles on the Internet report that this is often not the case.

The success of the fraud relies solely on the fact that the victim may be scared by the message, may even panic, and in this state will possibly not seek outside help and decide to pay without further consideration. Reveton uses the following key points, which are very typical of scareware:

  • The mention of serious offenses (illegal pornography, software piracy etc.) is intended to give an uninformed victim a feeling of guilt. The victim will thus likely never report his/her problem to a third party. Here is an excerpt (from a Kaspersky report) of a message displayed by the BKA Trojan: "Pages containing pornography, child pornography, bestiality and violence against children were visited".
  • Fear is stimulated by the presence of local law enforcement logos, technical information (IP address, ISP name ...) and, when possible, a picture of the victim taken through his/her own webcam.
  • A sense of urgency/necessity is instilled: "The payment must be made within 24 hours. If the payment is not made in the allotted time, your hard disk will be irrevocably formatted (erased)".

The profits of the Reveton operations seem to be considerable, and certain sites, such as the “Krebs on Security” and “Symantec Connect” blogs, try to give some statistics based on information collected from the C&C servers used by Reveton:

  • On average, 2.9% of users whose computer has been compromised would pay the requested “fine” (generally not less than 100 euros).
  • An investigation by Symantec into a small player in this scam identified 68,000 compromised computers in only one month, which could have generated up to $400,000 for the cybercrooks.
  • A peak in Reveton activity led to 500,000 infection attempts in only 18 days.
  • Finally, Symantec states that Reveton could generate over 5 million dollars of income in a year, which the vendor considers a conservative estimate; the real figure is likely to be much higher.


Propagation and infection

Not all security researchers entirely agree on the spreading and infection mechanisms used by Reveton, but according to most reports, the code is installed through the BlackHole exploit kit. The infection scenario would thus be as follows:

  • A victim browses to a compromised legitimate web site or is inadvertently redirected to a specially crafted site that hosts the BlackHole exploit kit.
  • The BlackHole exploit kit (usually a large block of obfuscated JavaScript and HTML code) scans the victim's web browser for known vulnerabilities, either in the browser itself or in third-party plugins (Java, Flash, Adobe Reader ...).
  • If an unpatched flaw is found, BlackHole triggers the execution of a so-called dropper Trojan on the system, which in turn installs the Reveton ransomware and possibly other Trojans and backdoors (see next section).


A double infection

It has been reported, including by the FBI, that Reveton is being distributed on compromised systems together with Citadel, a variant of the well-known Zeus/Zbot information-stealing Trojan. This is a rather common but interesting technique that further improves the profitability of the network of infected computers. Even if Reveton is removed (there is a fairly simple technical procedure for that), the computer may still remain infected by Citadel, a more advanced code that is extremely hard to wipe out. This infection scheme allows the attackers to keep control of the compromised computers for a longer time in order to perform fraud against online banking web sites. For instance, Citadel is able to intercept login credentials for online banking sites, capture credit card numbers, and use techniques such as WebInjects (on-the-fly injection of forms into web pages) to carry out phishing attempts and harvest sensitive information.


A localized malware

Reveton relies on the infected computer’s public IP address to tailor the messages it displays to the country in which the victim resides. In Germany, the message appears with the logo of the Federal Police, in Britain with that of the "Metropolitan Police", in the United States with that of the FBI, etc. Even the payment systems proposed to pay the fine vary depending on the victim’s location (we suppose that the payment methods are selected according to their popularity or the number of prepaid card resellers in a given country): in Germany Reveton proposes to pay the so-called fine via Ukash and Paysafe, while in the United States MoneyPak and Paysafecard seem to be preferred.

Note: The site botnet.fr provides a comprehensive screenshot gallery, which gives a glimpse of the Reveton scam pages by country.


Conclusion

Once again, the Reveton attacks illustrate the need for a solid plan for backing up workstation data on a corporate network. This is especially important as more sophisticated ransomware may encrypt all the documents stored on a hard drive with a random key, rendering them virtually impossible to recover. Additionally, even if it is rather easy to remove the Reveton ransomware (which is actually only the visible part of the infection) and render a compromised system usable again, the system may remain infected by other malicious code delivered in the same attack. In that case, disinfecting the computer is probably unrealistic, and a full reinstallation becomes mandatory.

On the other hand, the sophistication of the Reveton attacks is quite impressive: beyond the simple principle of requesting a ransom, there is real expertise in the overall monetization scheme of the network:

  • combination of various pieces of malware to allow wider distribution and a longer presence on infected systems;
  • customization of the messages displayed by the malware according to the geographical location of the victim;
  • use of intimidation techniques;
  • use of local and anonymous payment solutions.

Finally, it was reported in the press in December 2012 that three persons responsible for various frauds in connection with the Reveton ransomware Trojan had been arrested in England, but this corresponds to only a very small part of the number of infections reported worldwide this year. As a consequence, and despite very appealing initiatives such as Stopransomware.fr (a platform allowing, among other things, this type of scam to be reported), it is likely that ransomware will continue to generate a lot of money in 2013. It may even evolve towards the smartphone world.
