It never ceases to amaze me how creative international cyber crooks can be. There are countless online scams and schemes intended to enrich criminals at the cost of innocent Internet users. We have all heard of viruses, worms, Trojans and other variations of malware, as published warnings have been disseminated since the early days of personal computing. While many types of malware are nasty, one of the nastiest is known in the security industry as “ransomware,” which requires the victims to pay ransom in order to recover the use of their computers. These ransom cases have caught the attention of the FBI, which has posted a stern user warning online at www.fbi.gov/news/stories/2012/august/new-internet-scam/new-internet-scam .
In recent days, I have had several inquiries about locked computers with a strange warning, and official-looking window with an FBI header that says ,“Your PC is blocked due to at least one of the reasons specified below.” The warning of the locked computer informs the user that the FBI has detected that the computer either had pirated “Video, Music, Software” or the user has “ ... been viewing or distributing prohibited Pornographic content (Child Porno, Zoofilia and etc.).” For the possession of the pirated software the penalty (note the poor grammar in the post), “ ... provides for a fine of two to five hundred minimal wages or a deprivation of liberty for two to eight years.” The penalty for the pornography charge is listed as, “ ... a deprivation of liberty for four to twelve years.” Just to increase the fear and worry of the user is an additional criminal charge, “Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected by malware, thus you are violating the law of Neglectful Use of Personal Computer. Article 210 of the Criminal Code provides for a fine of up to $100,000 and/or a deprivation of liberty for four to nine years.”
Like a cable TV pitchman shouting, “But wait! There is more!,” the FBI is allegedly offering the victims a deal, since it is likely the computer user’s first offense. This great deal is this: “Fines may be paid within 72 hours after the infringement. As soon as 72 hours elapse, the possibility to pay the fine expires, and a criminal case is initiated against you automatically within the next 72 hours! To unblock the computer, you must pay the fine through MoneyPak of 100$.” Again, note the vernacular and wording, including the incorrect domestic format of “100$.” The instructions on processing a MoneyPak transaction to pay the “100$” fine are explicit, directing the victims to only purchase a “100$” prepaid GreenDot MoneyPak at a 7-Eleven, CVS, Rite Aid, Kmart, Walmart, or Walgreens. There will be a $4.95 charge for the prepaid card, and then charge it with the “100$.” In the original warning e-mail is a place for the victim to enter the code from the prepaid card, along with a prefilled “100$,” and a button that says, “Pay MoneyPak” which will instantly transfer the “100$” balance of the prepaid card to the cyber crooks. The e-mail then states that, “When you pay the fine your PC, will get unlocked in 1 to 48 hours after the money is put in the State’ account. In case an error occurs, you’ll have to send the code by e-mail to fine [at] fbi [dot] gov.”
If the victim pays the ransom, the computer is not released or unlocked; this is a complete scam. Some variations of the scam have recently appeared that have raised the ransom demand to $200.
Microsoft has posted a detailed description and removal instructions on its Microsoft Malware Protection Center Web site, referring to this malware as “Trojan:Win32/Reveton.A” or “Trojan:Win32/Ransom.FL.” These trojans, when they sneak on to a victim’s computer, lock the computer and display a localized version of the warning. In the U.S., the warnings appear to come from the FBI, while similar localized warnings appear to be from national or local law enforcement agencies in the UK, Germany, Italy and other countries, all requiring the fine to be paid in a similar way using a specific prepaid card sold at localized specific retailers; in Europe, the crooks demand payments via the Ukash or PaySafe prepaid cards.
The FBI has analyzed the malware and warns that, “Reveton is described as drive-by malware because unlike many viruses — which activate when users open a file or attachment — this one can install itself when users simply click on a compromised Web site. Once infected, the victim’s computer immediately locks, and the monitor displays a screen stating there has been a violation of federal law.” According to Microsoft, the malware arrives on the computer as a DLL file with a random filename, and then creates a shortcut to itself in the Windows startup folder. Once loaded, the malware prevents the user from accessing the desktop, disables protective security software on the computer, and then downloads and executes other malware, including the localized desktop window containing the ransom demand.
Variations of the Reveton malware, along with it companion Citadel malware, have been around for over a year, and most of the major anti-spyware utilities can detect and kill it. Microsoft has published a manual removal method on its Microsoft Malware Protection Center Web site:
I have also had good success removing this ransomware using the free portable version of SuperAntiSpyware
(www.superantispyware.com/portablescannerhome.html ). The free personal edition can be downloaded using another uninfected computer and copied to a USB flash drive; detailed instructions are given on the Web page. This portable version is complete when downloaded, and does not require Internet access in order to run and kill the malware; since the portable version is updated periodically prior to downloading, later scans might require a more recent copy of the software. Completely turn off (shut down or power down) the infected computer, and then reboot it into “Safe Mode” by pressing the “F8” key immediately after turning the power on, and every few seconds until the safe mode screen appears; select either the basic “Safe Mode” or “Safe Mode with Networking” (not required). Plug in the USB flash drive containing the portable version of SuperAntiSpyware, and run the downloaded file directly from the flash drive. While a quick scan may only take a few minutes, a full scan will take much longer but is more comprehensive; remove or quarantine whatever the SuperAntiSpyware scan finds. Remove the flash drive and reboot the computer.
If the computer reboots properly without the ransomware window, it is still possible that there is some deeply hidden malware still on the computer. While it is highly likely that the portable version of SuperAntiSpyware will detect and remove the ransomware, no cleaning utility is 100 percent effective at removing all malware, so I always perform a redundant scan with another security utility. If the computer appears to boot properly, go online and download the free version of MalwareBytes from www.malwarebytes.org . Install the MalwareBytes, update it, and perform a full scan; if it says that you are clean, and SuperAntiSpyware says that you are clean, your computer is likely clean. Since the ransomware may have disabled or destroyed your security software, it would be a good choice to reinstall a good quality security suite, keeping one fact in mind: If the ransomware was able to easily penetrate your previous security software, it is quite possible that your security software was either inadequate or not properly updated, which allowed the ransomware to infect your computer. Now may be the time to install a different, probably better and more comprehensive security suite, one that provides protection from compromised Web sites; once the new security software is installed and updated, it might be appropriate to perform another full security scan.
It is sad that international cyber crooks can easily extort money from innocent victims anywhere in the world, but being proactive and knowing how to deal with the threat before it occurs may mitigate the stress, grief and expense of dealing with this ransomware. It is nice to know that the FBI and other international law enforcement agencies are trying to deal with the threat. If these guys are caught, I hope that they are severely punished, but I am not so naive as to think that it will not happen again; one thing certain is that it will happen again, so be prepared! Knowledge is power, and now you have the power.
Listen to Ira Wilsker’s weekly radio show on Mondays from 6-7 p.m. on KLVI 560AM.