Police-themed ransomware speaks to victims -- literally

New variant of Reveton ransomware uses localized voice messages to trick victims into paying rogue fines

A new variant of a Trojan program called Reveton that prevents victims from using their computers and displays rogue messages from law enforcement agencies is using localized voice messages to trick victims into paying made-up fines, according to researchers from antivirus vendor Trend Micro.

"Detected as TROJ_REVETON.HM, it locks the infected system but instead of just showing a message, it now urges users to pay verbally," Ivan Macalintal, threat research manager at Trend Micro, said Monday in a blog post. "The user won't need a translator to understand what the malware is saying -- it speaks the language of the country where the victim is located."

Reveton is part of a category of malicious programs called ransomware that block certain OS features or encrypt personal files and ask victims for money in order to return their system to normal.

This particular Trojan program is also known as the "police ransomware" because it displays fake alerts purporting to come from law enforcement agencies in various countries and instruct victims to pay a fine for allegedly accessing or storing illegal content on their computers.

Reveton determines the country where the infected computer is located and displays a message in that country's national language purporting to come from a local law enforcement agency. It first appeared in 2011 and spread throughout Western Europe infecting computers in Germany, Spain, France, Austria, Belgium, Italy, the U.K and other countries.

The first variants targeting U.S. and Canadian computer users appeared in May 2012. At the end of November, the Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C), issued an alert that Reveton was being distributed by the Citadel banking Trojan program and was using IC3's name in its rogue alerts.

"There has been the occasional instance of malware with sound effects," David Harley, a senior research fellow at antivirus vendor ESET, said Monday via email. However, "malware with a regionalized, quasi-personalized voice message is new on me," he said.

Harley hasn't yet heard the voice messages played by this particular Reveton variant, but he believes if they are implemented effectively -- for example, English messages claiming to be from the FBI don't have a heavy Eastern European accent -- some people are likely to find them intimidating.

The malware's novel voice feature might make the scam marginally more convincing to some users, Harley said. However, it's unlikely that it would manage to persuade people who would be reasonably cautions about such scams, he said.

According to a recent report from security vendor Symantec, there are as many as 16 distinct families of ransomware, each controlled by individual cybercriminal gangs. An investigation into a command and control server used in one ransomware operation that resulted in 68,000 infected computers in October, revealed that as many as 3 percent of the victims might have paid the amount asked by the cybercriminals, possibly earning them as much as US$394,000 that month.

Harley advised people whose computers were infected by ransomware not to pay up. There is no guarantee that the criminals will unlock the system, he said. "In many cases where ransomware has taken hold, the crook has just taken payment and moved on without offering any help."

The best option is to call the help desk of your antivirus vendor, because they can hopefully pin down the exact variant and advise you on how to remove it, he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags online safetysymantectrend microsecurityscamsesetmalware

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts