Comments on: FBI Ransomware: Reveton seeks MoneyPak payment in the name of the law
News, Views, and Insight from the ESET Security Community
Mon, 03 Feb 2014 08:49:00 +0000

By: mike Fri, 19 Oct 2012 03:13:21 +0000 I feel like such an idiot. Looks so real. I fell for it.

By: bobby Sat, 06 Oct 2012 23:14:38 +0000 I would reallllllllly love to know how they're making $50,000 daily with MoneyPaks. A few flaws…?
1. MoneyPaks are withdrawn via prepaid debit cards (a few other means too, but online gambling etc. sites)

2. MoneyPak rules: 4 withdrawals per day, 7 per week, 21 per month, with a $1000 daily limit on the cards.
How are they doing $50,000 on 4 transactions a day? They would need hundreds and hundreds of cards. Not only that, but the prepaid cards FLAG and ban your cards if you have odd transactions. I accept GDMPs for online sales, and I've had several cards closed.

By: Cherz Fri, 05 Oct 2012 18:32:20 +0000 Co-worker's son got this. The password has been changed, so I can't even get to the operating system. My first attempt at a system recovery was met with a lock. I attempted to force it into a restore point by shutting the system off before the login screen. It tried for approximately 15 minutes and could not complete.
Am trying to recover again; seems to be working so far.
If anyone with Vista gets this crazy FBI screen, do not turn your computer off if you have not made a password recovery disk. They have changed your password! If you don't know what a password recovery disk is, then you can safely assume you don't have one. Don't turn your computer off.
Keep your computer on, cover your webcam and run your antivirus and antimalware.
Good luck everyone. This is the nastiest one I've seen in a long time.

By: twinblade Tue, 02 Oct 2012 20:55:12 +0000 Dude, this is a huge deal. These douche bags of ransomware are ripping off half the country. My grandmother just got hit with it and she was dumb enough to pay without consulting me. Personally, the fact of the matter is that after you pay you do not acquire any files back, even after a system restore. For those of you with Windows 9 or 7, you are a high-risk victim. The hackers must be stopped. A Dell software computer is at risk of being frozen no matter how many times you system restore or repair. It is possible, if you are skilled enough at hacking for yourself, that you can prevent this: hack them back before they hack you.

By: The Ceej Mon, 01 Oct 2012 22:26:59 +0000 I don't think they're taking payment via Moneypak because their victims are too poor to have a bank account. I think they're taking payment via Moneypak because payments through a bank would be traceable and, depending on the bank, reversible.  It's a great way to get caught.

By: KATMOORE Sun, 23 Sep 2012 17:18:37 +0000 IT JUST HAPPENED TO ME AND I AM PISSED

By: Justin Case Wed, 29 Aug 2012 17:16:33 +0000 Not really a big deal. [Description of manual disinfection removed because it could well be misleading to someone who didn't know exactly what they were doing. Unfortunately, the details of the infection can vary widely, and there are difficulties with a one-size-fits-all, step-by-step manual removal process, though some vendors have published one. DH]

By: Bert Ritto Fri, 24 Aug 2012 01:48:56 +0000 Incredible!

By: Stephen Cobb Wed, 22 Aug 2012 22:50:35 +0000 Well Bert, the estimate of $50K per day comes from Brian Krebs, a very solid source, who describes related numbers on his website, Krebs on Security. A group of researchers, some of them associated with the very interesting site, shared data with Brian from another ransomware scam operating in multiple European countries. The researchers had stumbled upon statistics pages maintained by the criminal groups running the scheme. A screenshot, from 5/18/2012, presented in Brian's post, shows a daily haul of 43,750 Euros or about $54,000.

Furthermore, the screenshot indicates an average conversion rate across 11 European countries of 2.84% which is quite impressive (a lot of online retailers would be happy with that kind of conversion rate from website traffic).

By: David Harley Tue, 21 Aug 2012 16:39:22 +0000 It’s a Windows Trojan.

By: Bert Ritto Tue, 21 Aug 2012 04:09:28 +0000 50k a day!? Is that an accurate estimate? Crazy. So what hardware and programs does this malware target?

By: Stephen Cobb Mon, 20 Aug 2012 23:14:11 +0000 One aspect of the FBI Reveton threat that was not addressed in the blog post is how to recover from this infection. The following are notes from support staff who have been helping people deal with this malware. Note that these steps may not work for everyone and future variants of Reveton may behave differently. Also note that you should not attempt the following unless you are very familiar with the Windows operating system and agree to proceed at your own risk:

A. If you are presented with the FBI Warning/Payment screen, reboot into Safe Mode and run the ESET Rogue Application Remover.

B. If this does not fix the issue then boot up into Safe Mode and check the following areas (you will need to be able to see Hidden Files and Protected operating system files) for a file called CTFMON.lnk:

  1. “All Users Startup” folder > go to Start Menu >> All Programs >> Startup. Right click on Startup and click “Explore All Users”
  2. “Current Users Startup” folder > go to Start Menu >> All Programs >> Startup. Right click on Startup and click “Explore”
  3. Usually a shortcut called CTFMON.lnk will be what is loading the infection when booting up normally. Checking the properties of this will show you where the real part of the infection is. Delete the .lnk file and what it is pointing to. Reboot and you should be clean.

However, if the FBI ransom warning is coming up in Safe Mode, you will need to boot up into Safe Mode with Command Prompt. Once in Safe Mode with Command Prompt, try initiating the Regedit command (but only if you are familiar with using Regedit). If Regedit opens, navigate to the following keys:

- “HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon”: the Shell value needs to be deleted.

- “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon”: the “Shell” value should have data of “explorer.exe” (without quotes)

After that, boot back into Safe Mode and run ERAR to clean out any other malicious parts left behind. If regedit will not open, then the use of the “reg” command will be needed.

Hopefully, those afflicted with Reveton, or helping others deal with this problem, will find these notes useful.
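For anyone working through the notes above, here is an added read-only checker (not from the ESET post or its support staff) that reports the state of the two Winlogon Shell values and any CTFMON.lnk shortcut in the two Startup folders, so you can see what would need deleting before touching anything. It assumes Windows PowerShell can be started from the Safe Mode with Command Prompt window and that the Startup folder locations are the standard ones.

```powershell
# Added example, not part of the original post: read-only check of the persistence
# points named in the support notes. Start it from an elevated prompt in Safe Mode
# with Command Prompt by typing: powershell -ExecutionPolicy Bypass -File check.ps1
$findings = @()

# 1. Winlogon Shell values. Per the notes, the HKCU value should not exist at all,
#    and the HKLM value should be exactly "explorer.exe".
foreach ($hive in 'HKCU', 'HKLM') {
    $key   = "${hive}:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($hive -eq 'HKCU' -and $null -ne $shell) {
        $findings += "HKCU Winlogon Shell is set to '$shell' (should not exist; delete it)"
    }
    if ($hive -eq 'HKLM' -and $shell -ne 'explorer.exe') {
        $findings += "HKLM Winlogon Shell is '$shell' (expected 'explorer.exe')"
    }
}

# 2. CTFMON.lnk in the All Users and Current User Startup folders. Test-Path sees
#    hidden files, so the usual "show hidden files" setting is not needed here.
#    The shortcut's target is the file the notes say to delete along with the .lnk.
$startupDirs = @(
    [Environment]::GetFolderPath('CommonStartup'),   # "All Users Startup"
    [Environment]::GetFolderPath('Startup')          # "Current User Startup"
)
$wsh = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    $lnk = Join-Path $dir 'CTFMON.lnk'
    if (Test-Path -LiteralPath $lnk) {
        $target = $wsh.CreateShortcut($lnk).TargetPath
        $findings += "Found $lnk -> $target"
    }
}

# Report only; nothing is modified.
if ($findings.Count -eq 0) {
    'No Reveton persistence indicators found at the checked locations.'
} else {
    $findings
}
```

The script never deletes anything; act on its output only after confirming the shortcut target is not a legitimate file, as the notes advise.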