Reveton Ransomware
Reveton Ransomware: The “Police Trojan” That Popularized Scare Tactics in Ransomware Attacks
Reveton ransomware, often referred to as the “Police Trojan”, was a screen-locking ransomware campaign that emerged in 2012, infamous for impersonating law enforcement agencies. It displayed fake legal warnings on the victim’s screen, falsely accusing users of crimes such as copyright violations or viewing illegal content, and demanded a ransom payment, typically in prepaid cards or cryptocurrency, to unlock their systems.
Introduction to Reveton Ransomware
Reveton was one of the first widespread examples of ransomware that used social engineering and fear rather than data encryption to extort payments from victims. Once installed, it locked the computer screen and displayed a full-screen message claiming to be from law enforcement agencies like the FBI, Interpol, or local police, demanding a “fine” for alleged illegal activities. Victims were threatened with arrest or prosecution if they didn’t pay immediately.
1. How Reveton Ransomware Worked
Infection Mechanism:
- Reveton was typically delivered through exploit kits (such as Blackhole and Cool Exploit Kit) that exploited vulnerabilities in outdated browsers and plugins (like Flash or Java), or via malicious email attachments.
- Infected websites could redirect visitors to malicious pages that silently installed the malware without user consent (drive-by downloads).
- Once installed, Reveton locked the computer and displayed a full-screen ransom note, preventing access to the desktop and system functionality.
Locking Process and Ransom Demand:
- Reveton locked the user’s screen with a warning that appeared to be from a legitimate law enforcement agency.
- The message typically stated that the user had been caught violating laws (e.g., piracy, accessing child pornography) and needed to pay a fine of $100 to $300 to avoid prosecution.
- Payment was often requested via prepaid payment cards like Ukash, Paysafecard, or MoneyPak.
2. History and Notable Campaigns
Origin and Discovery:
- Reveton first appeared in Europe in 2012, then quickly spread to North America and other regions.
- It was distributed via partnerships with exploit kits, making infections highly automated and scalable.
Notable Campaigns:
- Reveton became infamous for its use of FBI-themed ransom screens in the U.S. and Interpol branding in Europe.
- Victims were often shown their IP addresses, webcam feeds, or geolocation data on the ransom screen to make the threat appear more legitimate and intimidating.
3. Targets and Impact
Targeted Victims and Sectors:
- Reveton primarily targeted home computer users, exploiting fear and lack of cybersecurity knowledge.
- Businesses were less common targets but could still be affected, especially those without adequate endpoint protection.
Consequences:
- Victims lost access to their computers until the ransom was paid or the malware was removed.
- Some users paid the ransom out of fear of legal repercussions, unaware that no actual law enforcement agency was involved.
- Reveton paved the way for future screen-locking ransomware and fake law enforcement scams.
4. Technical Details
Payload Capabilities:
- Screen Locking: Prevented access to the desktop and other functions by displaying a persistent full-screen ransom note.
- Geolocation Awareness: Used the victim’s IP address to tailor the ransom note to their region and local law enforcement agency logos.
- Webcam Activation: Some versions activated the computer’s webcam, showing the user’s own image to add credibility to the scam.
- Persistence Mechanisms: Modified Windows registry entries to launch automatically at startup and prevent system recovery options.
Common Message Examples:
- “Your computer has been locked by the FBI due to the illegal download of copyrighted material.”
- “To unlock your computer and avoid further legal consequences, pay a fine of $200 within 72 hours.”
5. Preventing Reveton Ransomware Infections
Best Practices (Then and Now):
- Keep software and operating systems updated, especially browsers and plugins like Flash and Java.
- Use ad blockers and script blockers to prevent redirection to malicious websites.
- Install and maintain reputable antivirus software with real-time protection.
- Educate users on the risks of social engineering scams and how to identify fake legal threats.
Recommended Security Tools:
- Next-gen antivirus (NGAV) and endpoint detection and response (EDR) solutions capable of identifying ransomware behavior.
- Web filtering and browser hardening to block exploit kits and malicious redirects.
- Backup solutions to ensure data can be restored if ransomware strikes.
6. Detecting and Removing Reveton
Indicators of Compromise (IoCs):
- A persistent full-screen message claiming to be from law enforcement, demanding a fine.
- Inability to access the desktop or run system tools like Task Manager, or to boot into Safe Mode.
- Registry entries that replace the Windows shell with malicious executables.
Removal Steps:
- Boot into Safe Mode with Networking, if possible.
- Use malware removal tools (e.g., Malwarebytes Anti-Malware, Kaspersky Rescue Disk) to detect and remove the malware.
- Restore registry entries and default Windows shell if they’ve been altered.
- Update antivirus software and run a full system scan to ensure no additional malware is present.
- If necessary, restore from a clean backup or perform a system restore to a point before the infection.
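Added example, not code from the article: a PowerShell audit of the registry locations that the persistence and IoC sections refer to (the Winlogon Shell and Userinit values and the Run/RunOnce autostart keys), with an optional -Restore switch that puts the default shell back, as in the removal step above. It assumes the standard Windows defaults (explorer.exe and userinit.exe) and flags Run entries launching from user-writable folders for manual review; Reveton-specific file names and keys are not given on this page, so none are hard-coded.

```powershell
# Added example (not part of the original article): audit the Winlogon shell values and
# the Run/RunOnce autostart keys that a screen locker like Reveton would alter, and
# optionally restore the Windows defaults. Run from an elevated PowerShell in Safe Mode.
[CmdletBinding()]
param([switch]$Restore)

$winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$defaults = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}
$findings = @()

# 1. Winlogon Shell/Userinit: a locker that replaces the Windows shell shows up here.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\$winlogon"
    if (-not (Test-Path $key)) { continue }
    foreach ($name in $defaults.Keys) {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $value) { continue }
        # HKCU normally carries no Shell/Userinit value, so any value there is suspect.
        $suspect = ($hive -eq 'HKCU') -or ($value.Trim() -ine $defaults[$name])
        if (-not $suspect) { continue }
        $findings += [pscustomobject]@{ Location = "$key\$name"; Value = $value }
        if ($Restore -and $hive -eq 'HKCU') { Remove-ItemProperty -Path $key -Name $name }
        elseif ($Restore) { Set-ItemProperty -Path $key -Name $name -Value $defaults[$name] }
    }
}

# 2. Run/RunOnce entries launching from user-writable paths (AppData, Temp, ProgramData)
#    are typical of drive-by installed malware; they are reported for manual review only.
$runKeys = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in $runKeys) {
        $key = "${hive}:\$sub"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath etc. metadata
            if ("$($p.Value)" -imatch '\\(AppData|Temp|ProgramData)\\') {
                $findings += [pscustomobject]@{ Location = "$key\$($p.Name)"; Value = $p.Value }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No shell or autostart anomalies found.' }
```

Run it once without -Restore to review the findings, then again with -Restore only for the Winlogon values; Run/RunOnce entries are left for you to remove after confirming what they point at.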
Professional Help:
For persistent infections, professional IT support or cybersecurity experts may be necessary to fully clean the system and recover access.
7. Response to a Reveton Attack
Immediate Steps:
- Do not pay the ransom—payment does not guarantee removal of the lock screen.
- Disconnect the computer from the network to prevent further compromise.
- Report the scam to law enforcement agencies, like the FBI Internet Crime Complaint Center (IC3) or Europol.
8. Legal and Ethical Implications
Legal Considerations:
- Reveton misused the branding of law enforcement agencies, leading to investigations by international law enforcement.
- Victims of Reveton may have had personal data harvested, necessitating data breach notifications under privacy laws.
Ethical Considerations:
- Reveton exploited fear of legal consequences and privacy violations, emphasizing the need for public awareness around common cybercrime tactics.
- Its success highlighted the ethical responsibility of the cybersecurity community to improve education and prevention strategies.
9. Resources and References
- FBI IC3 Reports on ransomware scams
- Europol Warnings on law enforcement-themed ransomware
- CISA Alerts on screen-locking ransomware threats
- Microsoft Security Intelligence: Ransom:Win32/Reveton.B
- Malwarebytes Labs: Reveton Ransomware Puts Your System To Work Mining Bitcoins
- Trend Micro Virus Info: Reveton Ransomware Descendant, CryptXXX Discovered
- Avast Blog: Reveton ransomware has dangerously evolved
10. FAQs about Reveton Ransomware
Q: What is Reveton ransomware?
Reveton is a screen-locking ransomware that impersonates law enforcement agencies to coerce victims into paying a ransom to unlock their computers.
Q: How did Reveton spread?
It was primarily delivered through exploit kits on compromised websites, as well as phishing emails containing malicious attachments or links.
Q: Can Reveton ransomware be removed?
Yes, Reveton can often be removed using malware removal tools and Safe Mode recovery options, without paying the ransom.
11. Conclusion
Reveton ransomware was a pioneering example of screen-locking ransomware, leveraging fear and deception to extort payments from unsuspecting victims. While its law enforcement impersonation tactics have been widely imitated, modern cybersecurity practices and user education have made these schemes less effective today—but they remain a valuable case study in the evolution of ransomware threats.