The old ransomware business model is no longer enough for malware authors. New additions have made Reveton into something even more powerful.
The latest generation of Reveton, the infamous “police” lock screen/ransomware, targets new black-market business. The authors upped the ante of the despised malware from a LockScreen-only version to a dangerously powerful password and credential stealer by adding the latest version of Pony Stealer. This addition affects more than 110 applications and turns the infected computer into a botnet client.
Reveton also steals passwords from five cryptocurrency wallets. The banking module targets 17 German banks and depends on geolocation. In all cases, Reveton contains a link to download an additional password stealer. The most common infection vector is the well-known exploit kits: FiestaEK, NuclearEK, SweetOrangeEK, etc.
Pony stealer module
Reveton uses one of the best password/credential stealers on the malware scene today. Pony's authors have done deep reverse-engineering work, with the result that almost every stored password is recovered in plain-text form. The malware can crack or decrypt quite complex passwords stored in various forms.
Question of the week: I just read your blog post about the Reveton virus. My computer was locked and held for ransom by something similar. I finally got it fixed and downloaded avast! 2014. How can I prevent that from happening again?
We’re sorry to read that you experienced “ransomware” firsthand. While this type of malware has not been very common, it has proven to be effective, so its incidence is on the rise. There are variations on ransomware, but all are designed to frighten or shame the victim into paying a fee to have their computer returned to normal operation. One variation uses a popup to say a virus has been detected on your computer and you have to pay to get it removed. The FBI MoneyPak Virus threatened American users with prosecution because child pornography was allegedly found on the machine. German users got hit by a similar attack recently. A hefty fine of about $300 could make it right again (or not).
Ransomware has been found all over the world, but cybercrooks are making it scarier by targeting it locally. So if you live in Hawaii (first of all, lucky you), you may receive something that looks like this. It looks pretty serious, and can spook users into thinking something is very wrong.
What do you do if your computer is attacked?
Ransomware has been reported by consumers, but it’s also been found in business environments. If you receive something like this on your work computer, please notify your IT specialists. They will need to take action to protect the network, and investigate how the attack occurred. Remember, do not do anything the on-screen message instructs you to do – never share data and do not pay any so-called fines.
If you find yourself infected with malware, it's a major headache with many lost hours and sometimes irreparable damage. With this in mind, you can use avast! Rescue Disk, included in all avast! 2014 products, to create an image of your avast! installation. This image can be saved on a USB drive, CD or DVD. That way, if anything nasty happens to the PC, you will have the disk image ready to clean and restore your PC to normal function. The avast! Rescue Disk is built on Windows PE (Preinstallation Environment), which allows you to boot a PC even when there is no functioning operating system. The Rescue Disk function is an integral part of the new remediation module introduced in the 2014 version.
Here are complete instructions for creating and using avast! Rescue Disk.
For those of you who are more visual, here’s a video ‘How-to’ from AVAST Evangelist, Bob G.
It has been more than a year since we last reported on the Reveton lock screen family. The group behind this ransomware is still very active and regularly supplies new versions of it.