Reveton Ransomware uses Fake FBI Message to Extort Money

The FBI today warned of Internet-borne malware masquerading as a message from the law enforcement agency that locks computers until the user pays a fine for allegedly downloading and/or distributing illegal content.

The FBI today warned of Internet-borne malware masquerading as a message from the law enforcement agency that locks computers until the user pays a fine for allegedly downloading and/or distributing illegal content.

“We’re getting inundated with complaints,” Donna Gregory of the Internet Crime Complaint Center (IC3), said in a prepared statement, referring to an uptick in callers complaining that an FBI message froze their computers.

The malicious code is the Reveton virus, used in conjunction with the Citadel malware platform, that first came to the FBI’s attention in 2011. The agency’s IC3 issued an alert in May 2012 to warn consumers of the ransomware, which in some forms even turns on computer webcams to show the victim’s picture on the frozen screen.

When someone visits a compromised Web site, the malware installs and immediately locks down the machine while replacing the monitor screen with a fake FBI warning that the user’s IP address has been linked to child pornography sites or other illegal online activity. The language is one tip-off the message may not be legitimate.

For instance, one screen-captured message cites “Article 1, Section 8, Clause 8, also known as the Copyright of the Criminal Code of United States of America.” It claims this law allows  “a fine of two to five hundred minimal wages or a deprivation of liberty for two to eight years.” Another violation of the Criminal Code reportedly allows “deprivation of liberty for four to twelve years” for viewing or distributing “Child Porno/Zoofilia and etc.” Still another results in up to $100,000 in fines and nine years of prison.

The targeted machine will remain inoperable until a fine is paid to the U.S. Department of Justice using a prepaid money card service, according to the bogus message. The vendor for payments depends on the geographic location of the IP address. Users are urged to comply to avoid criminal charges.

“Some people have actually paid the so-called fine,” Gregory said. She added that full removal of Reveton and Citadel likely will require expert assistance.

Those consumers who do manage to unlock their machines, IC3 warns, should remain on alert since the malware may still be present and capturing personal data through a keystroke logger to commit online banking and credit card fraud.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business