Posing as the US Department of Justice (DoJ), a new variant of the Citadel Malware called Reveton is responsible for a ransomware campaign that attempts to extort $100 from its victims.
The infections occur after users are lured to a drive-by download site where a dropper installs the Citadel malware, which, according to the Trusteer report, downloads Reveton's ransomware DLL from Citadel's command-and-control server.
The Citadel strain locks down its host computer, displaying a fake message warning users that their computer has been identified by the Computer Crime and Intellectual Property Section of the US DoJ for having visited websites containing child pornography or other illegal content, and thus violating US federal law. In order to unlock their machines, users are prompted to pay a $100 fine to the DoJ.
Trusteer reports that the Citadel malware, of which Reveton is a strain, is a descendant of the notorious Zeus malware.
Trusteer is also reporting that, in addition to the Reveton scareware payload, Citadel continues to operate on the infected machine as well. It is possible that the criminals responsible could enable Citadel’s man-in-the-browser, key-logging, or other malicious capabilities to commit banking or credit card fraud or even target employees to steal enterprise credentials.
Masquerading as law enforcement and extorting victims with fake threats is an increasingly common trend among cyber-thieves. There were two cases in late 2011 in which ransomware either posed as a law enforcement warning or threatened to inform law enforcement about child pornography that was "found" on a user's infected machine. More recently there was a scareware campaign that attempted to convince users that they were being sued for violating the controversial Stop Online Piracy Act (SOPA), which was never signed into law.