FBI Ransomware: Reveton seeks MoneyPak payment in the name of the law

A crime wave of malware that demands money from victims to avoid prosecution by the FBI has been alarming web surfers across America. Victims suddenly find their computer frozen, and an official-looking  page, like the one shown below, is displayed in their web browser. The FBI and the Internet Crime Complaint Center (IC3) have received so many calls about this scam that they issued a detailed alert last week.

FBI ransomware RevetonThe three most important things to know about this  web  page are:

1. It is not from the FBI;

2.  People should NOT follow the instructions on this page;

3.  People who see this page  have probably been infected with a piece of malware called Reveton.

How did  they get infected? That’s a good question, one to which I will  turn in a moment, but the first order of business is to ensure that as many people as possible are protected against this malware. That means checking that  you are running a  good antivirus program and that you are keeping it up-to-date. While the scale of this outbreak is making news, Reveton is not a new piece of malware  and this is not a new scam, but the bad guys are constantly changing the files used to commit this crime and your antivirus software needs to be updated regularly to catch new versions as they become known. (It is possible for an AV program such as ESET Nod32 to detect and block  new variants using heuristics, but you should be running the latest version to ensure maximum protection.)

FBI Reveton ransom-ware-diagramTo  understand how the scammers operate, we created  an overview of the criminal activity involved in this type of scheme. (Bear in mind this is a simplified version of events; often there are  more steps and process involved in actually executing this scam.)

Here is how Bad Guy  1 rips off Good Guy A.

Bad Guy 1 buys exploit software from Bad Guy 2. Using this software Bad Guy 1 creates a piece of malware that that can take over a victim’s computer and demand money.

Bad Guy 1 then pays Bad Guy 3 to test and tweak the malware to increase its chances of evading detection by antivirus programs. A fourth bad guy is then paid to secretly place the malware on an innocent website, in this case the website of Good Guy B.

When Good Guy A innocently clicks on a link to visit the website of Good Guy B the malware installed there is  immediately  loaded onto Good Guy A’s computer and the demand for money is presented.

Bad Guy 1 makes back his investment in this scheme, plus profit, when enough people like Good Guy A send him money to unfreeze their system. How do victims like Good Guy A send the money? This can vary and similar scams in Europe have used systems like Ukash and Paysafe. This example uses MoneyPak, also known as “green dot” which is a service you may have seen in your local Walgreens, Walmart or Rite Aid.

MoneyPak payment boxWhile we don’t want to make any assumptions about the demographics targeted by this scam, MoneyPak is  marketed as a payment method for  folks who don’t have a bank account (around 20 million Americans rely on forms of payment other than banks, according to the FDIC).

As you can see from the payment portion of the scam page, all you need to do to send money to the bad guys is enter the code from the back of a MoneyPak card to which you have added funds.

How much money does such a scheme make for the bad guys? Our good friend Brian Krebs over at Krebs on Security suggests  it is plausible  that the bad guys are raking in as much as $50,000 per day. Note that these are not bank transferred funds which a bank, or scam victim, can trace and get back. MoneyPak makes that clear in a prominent disclaimer on their website, which the bad guys audaciously exploit by changing the wording to include the Department of Justice, the alleged payee in this fraud.

And how do you get infected? One method we have seen is for the bad guys to install  the malware infection process on a perfectly ordinary website, such as a local newspaper or blog. People visit the site in the normal course of their  web-surfing and are then infected. This type of attack is called a drive-by and while it can be “enhanced” through a variety of ploys that trick people into visiting infected sites (like SEO-poisoning or spam campaigns) is also preys on entirely innocent and random victims. The number of websites being compromised every day for the delivery of malware like this is now in the thousands. A good web browser will help you avoid these infected sites, as will a good antivirus program.

No doubt the FBI is working hard to catch the people behind this scam, which takes the agency’s name in vain as well as generating a lot of calls to agency  from concerned consumers. While there is little comfort  to be found in the fact that this type of scam has already been hitting European consumers  for some time, as noted by my colleague Cameron Camp last year, it is possible that international cooperation among the many law enforcement agencies that have now been “targeted” will speed the apprehension process.

Author Stephen Cobb, ESET

  • Stephen Cobb

    One aspect of the FBI Reveton threat that was not addressed in the blog post is how to recover from this infection. The following are notes from support staff who have been helping people deal with this malware. Note that these steps may not work for everyone and future variants of Reveton may behave differently. Also note that you should not attempt the following unless you are very familiar with the Windows operating system and agree to proceed at your own risk:

    A. If you are presented with the FBI Warning/Payment screen, reboot into Safe Mode and run the ESET Rogue Application Remover.

    B. If this does not fix the issue then boot up into Safe Mode and check the following areas (you will need to be able to see Hidden Files and Protected operating system files) for a file called CTFMON.lnk:

    1. “All Users Startup” folder > go to Start Menu >> All Programs >> Startup. Right click on Startup and click “Explore All Users” 
    2. “Current Users Startup” folder > go to Start Menu >> All Programs >> Startup. Right click on Startup and click “Explore”
    3. Usually a shortcut called CTFMON.lnk will be what is loading the infection when booting up normally.  Checking the properties of this will show you where the real part of the infection is. Delete the .lnk file and what it is pointing to. Reboot and you should be clean.

    However, if the FBI ransom warning is coming up in Safe Mode, you will need to boot up into Safe Mode with Command Prompt. Once in Safe Mode with Command Prompt, try initiating the Regedit command (but only if you are familiar with using Regedit). If Regedit opens, navigate to the following keys:

    -“HKCUSoftwareMicrosoftWindows NTCurrentVersionWinlogon” Shell value needs to be deleted.

    -“HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogon” “Shell” value should have data of “explorer.exe” (without quotes)

    After that, boot back into Safe Mode and run ERAR to clean out any other malicious parts left behind. If regedit will not open, then the use of the “reg” command will be needed.

    Hopefully, those afflicted with Reveton, or helping others deal with this problem, will find these notes useful.

  • Bert Ritto

    50k a day!? Is that an accurate estimate? Crazy. So what hardware and programs does this malware target?

    • David Harley

      It’s a Windows Trojan.

  • Stephen Cobb

    Well Bert, the estimate of $50K per day comes from Brian Krebs, a very solid source, who describes related numbers on his website, Krebs on Security. A group of researchers, some of them associated with the very interesting botnets.fr site, shared data with Brian from another ransomware scam operating in multiple European countries. The researchers had stumbled upon statistics pages maintained by the criminal groups running the scheme. A screenshot, from 5/18/2012, presented in Brian's post, shows a daily haul of 43,750 Euros or about $54,000.

    Furthermore, the screenshot indicates an average conversion rate across 11 European countries of 2.84% which is quite impressive (a lot of online retailers would be happy with that kind of conversion rate from website traffic).

  • Bert Ritto


  • Justin Case

    Not really a big deal. [Description of manual disinfection removed because it could well be misleading to someone who didn’t know exactly what they were doing. Unfortunately, the details of the infection can vary widely, and there are difficulties with a one-size-fits-all, step-by-step manual removal process, though some vendors have published one. DH]



  • The Ceej

    I don't think they're taking payment via Moneypak because their victims are too poor to have a bank account. I think they're taking payment via Moneypak because payments through a bank would be traceable and, depending on the bank, reversible.  It's a great way to get caught.

  • twinblade

    dude this is a huge deal, these douche bags of ransomware are ripping off half the country, my grandmother just got hit with it and she was dumb enough to pay without consulting me. Personally the fact of the matter is after you pay you do not aquire any files back, even after a system restore, for those of you with windows 9 or 7 you are a high risk victim. the hackers must be stopped, a dell software computor is in risk of being frozen no matter how many times you system restore or repair, it is possible if you are skilled enough at hacking for yourself you can prevent this, hack them back before they hack you.

  • Cherz

    Co-worker's son got this.  The password has been changed, so I  can't even get to the operating system.  My first attempt at a system recovery was met with a lock.  I attempted to force it into a restore point by shutting the system off before the login screen.  It tried for approximately 15 minutes and could not complete.
    Am trying to recover again, seems to be working so far. 
    If anyone with Vista gets this crazy FBI screen, do not turn your computer off if you have not made a password recovery disk.   They have changed your password!  If you don't know what a password recovery disk is, then you can safely assume you don't have one.  Don't turn your computer off.
    Keep your computer on, cover your webcam and run your antivirus and antimalware.  
    Good luck everyone.  This is the nastiest one I've seen a long time. 

  • bobby

    I would reallllllllly love to know how they're making $50,000 daily with moneypaks. A few flaws…?
    1. Moneypaks are widthdrawn via prepaid debit cards (a few other means too, but online gambling etc sites)

    2. Moneypak rules 4 widthdrawls per day, 7 per week, 21 per month.. with a $1000 daily limit on the cards.
    How are they doing $50,000 on 4 transactions a day? They would need hundreds and hundreds of cards. Not only that, but the prepaid cards FLAG and ban your cards if you have odd transactions I accept GDMP's for online sales, and I've had several cards closed.

  • mike

    i feel like such a idiot looks so real i feal for it.

Follow us

Copyright © 2018 ESET, All Rights Reserved.