The Reveton Ransomware is back, and it’s updated. A new credential-stealing feature has been added to the police-ransomware, using the new version of the Pony malware.
Reveton usually infiltrates the user’s PC via drive-by downloads, as the victim browses a website rigged to exploit software vulnerabilities automatically. Once activated, the Reveton Ransomware locks the user’s PC and displays a fraudulent message claiming that the system has been disabled by the local authorities and that the user has to pay a fee to restore it. Following the numerous complaints that were filed, the FBI issued a warning about Reveton in August 2012. Reveton is similar to the well-known Cryptolocker Ransomware, which encrypts various files on the compromised machine.
The New Password-Stealing Features That Escalate Reveton’s Threat Level Significantly
According to malware researchers, the latest Reveton version not only locks the infected computer until the required fee is paid, but can also steal passwords thanks to the newly added Pony module. The creators of the Pony module have used reverse engineering to allow almost every stored password to be decrypted to plain text. Pony gathers information such as local passwords and passwords stored in browsers, email clients, IM clients, online poker clients, FTP clients, etc. Reportedly, the module affects over 110 applications and turns the infected machine into a botnet client. Pony also targets the access passwords of the most popular crypto-currency wallets.
The latest Reveton version has already targeted seventeen German banks and has extracted data from cookie files and search queries in the browser history.
Another password-stealing feature has also been added to Reveton, although it is not as effective as the Pony module. It belongs to the Papras malware family and, according to security experts, it can disable the security programs installed on the affected computer.
The New Face of Reveton
A few changes have been made to the police-ransomware:
- The lock screen module has been modified.
- A different encryption method has been used for the latest version.
- The communication with the C&C server has been restored.
Computer specialists believe that the authors of the Reveton Ransomware have added the new capabilities because the profits of such schemes are decreasing. In their opinion, the crooks are trying to move into a new area of criminal business. It is likely that the average user is getting smarter and is no longer scared into paying the required sum, or at least not as often as before. PC users are advised to back up their files regularly in order to protect their data. Users whose computers have been affected by Reveton are urged to change the passwords of all their online accounts and services.