FBI warns of new internet scam - Reveton ransomware

Recently the FBI and the IC3 issued a warning about a ransomware strain called Reveton, which locks an infected PC and displays a fake law-enforcement message demanding payment of a "fine".

Reveton is described as "drive-by" malware, and for very good reason. Unlike most viruses, it does not need you to download or open a file or attachment in order to spread. Merely visiting a compromised or malicious web page is enough: an exploit kit on the page attacks unpatched browser and plug-in vulnerabilities, and the computer is locked moments later.


The return of Reveton

The original Reveton malware has been "upgraded" and is now paired with the Citadel Trojan. Citadel is not new, but its versatility keeps it a favorite with cyber-criminals, and unlike the lock screen it stays on the system even after the ransom has been paid.

This opens the door to identity theft and to the victim's personal and financial data: Citadel can steal login credentials, log keystrokes and use man-in-the-browser techniques to alter web transactions in real time.

In addition, the malware serves a localized warning page for each country it appears in, so the notice appears to come from that country's own law-enforcement agency.

Because the scam is so personal, and because the accusations (child pornography among them) carry such serious consequences, victims are reluctant to talk about it. That is a large part of why this kind of ransomware is only now coming to mainstream attention.

While these infections can be removed, many victims simply pay the "fine" rather than risk legal trouble by contacting the real authorities themselves.

How the Reveton virus works

Reveton is lock-screen ransomware: rather than encrypting files, it blocks access to the Windows desktop with a full-screen warning designed to look like a notice from a law-enforcement or government agency (FBI, U.S. Justice Department, etc.). Because the files underneath are left intact, a technician can usually recover them by booting from rescue media.

These messages claim that the computer user has broken a law, ranging from viewing pornography while under age, possessing child pornography or downloading pirated material to other serious charges. The "FBI", however, is willing to let the matter drop as long as you pay the fine with a prepaid money card and hand over some personal information. Prepaid cards are nearly impossible to trace, which is exactly why the criminals ask for them.

To make the demand convincing, the malware looks up the computer's approximate geographic location from its IP address and names a payment service that is common in that country.

How to prevent ransomware infections

As with any virus prevention strategy, begin with the basics.

  • Make sure your antivirus software is up to date
  • Make sure Windows updates are current
  • Make sure your web browser (Chrome, Firefox, Internet Explorer) and its plug-ins (Java, Flash, Adobe Reader) are up to date; the plug-ins are what drive-by exploit kits target most often
  • Steer clear of sites you don’t trust or might suspect
  • Be especially wary of search results for “reveton”

On one of the security forums a poster wrote "I googled Reveton and found a Baltimore Sun article on it. There were also links to fake sites such as balttimoresun.com (with two Ts) and others. Some of them tried to install something..."

More advanced measures can also be taken, such as:

  • Use a web filter or proxy - cloud, hardware or software based
  • If you are running Internet Explorer 9 or higher, turn on ActiveX Filtering
  • If you are using Firefox, try the NoScript add-on
  • Consider "sandboxing" your browser
  • Have good backups and/or disk images in case you need to restore the computer
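The basics above are easy to state and easy to let slip. The script below is an added example, written for this article and not part of any FBI or IC3 material, that checks the first few items on a single Windows PC from PowerShell: when Windows Update last installed anything, whether the antivirus reports itself enabled and current, which browser versions are installed, and whether Internet Explorer's ActiveX Filtering is on. It only reads; it changes nothing. The productState decoding, the ActiveX Filtering registry key and the browser install paths are assumptions marked in the comments, so verify them on your own build.

```powershell
# Added example, not from the original article: a read-only PowerShell hygiene
# check for the basics listed above. Written against Windows 7 / IE9 conventions
# and PowerShell 2.0; run it from an elevated prompt.

function Get-LastUpdateInstallDate {
    # Windows Update Agent COM object; Results holds the agent's own timestamps.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    return $au.Results.LastInstallationSuccessDate
}

function Get-AntivirusStatus {
    # root\SecurityCenter2 exists on Vista and later client editions (not servers).
    # productState is undocumented; the decoding below is the commonly used
    # interpretation and is an ASSUMPTION: middle byte 10/11 = real-time protection
    # on, low byte 00 = definitions current, 10 = definitions out of date.
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        $hex = '{0:X6}' -f [int]$p.productState
        New-Object PSObject -Property @{
            Name     = $p.displayName
            Enabled  = (@('10', '11') -contains $hex.Substring(2, 2))
            UpToDate = ($hex.Substring(4, 2) -eq '00')
        }
    }
}

function Get-BrowserVersions {
    # IE records its version in the registry (svcVersion on IE10+, Version before).
    $iek = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    $ie = if ($iek.svcVersion) { $iek.svcVersion } else { $iek.Version }
    $result = @{ 'Internet Explorer' = $ie }
    # Chrome and Firefox are read from their default install paths (ASSUMED; adjust
    # if your deployment installs them elsewhere).
    $candidates = @{
        'Chrome'  = @("${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
                      "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
                      "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe")
        'Firefox' = @("${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe",
                      "$env:ProgramFiles\Mozilla Firefox\firefox.exe")
    }
    foreach ($name in $candidates.Keys) {
        $exe = $candidates[$name] | Where-Object { $_ -and (Test-Path $_) } | Select-Object -First 1
        $result[$name] = if ($exe) { (Get-Item $exe).VersionInfo.ProductVersion } else { 'not installed' }
    }
    return $result
}

function Test-ActiveXFiltering {
    # Per-user ActiveX Filtering switch for IE9+ (ASSUMED key; Group Policy uses the
    # same relative path under HKCU\Software\Policies instead).
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\Safety\ActiveXFiltering'
    $v = Get-ItemProperty -Path $key -Name IsEnabled -ErrorAction SilentlyContinue
    return [bool]($v -and $v.IsEnabled -eq 1)
}

# --- report ---------------------------------------------------------------
$lastUpdate = Get-LastUpdateInstallDate
"Last successful Windows Update install: $lastUpdate"
if ($lastUpdate -lt (Get-Date).AddDays(-30)) { "  WARNING: nothing installed in the last 30 days" }

foreach ($av in Get-AntivirusStatus) {
    'Antivirus: {0}  enabled={1}  up-to-date={2}' -f $av.Name, $av.Enabled, $av.UpToDate
}

$browsers = Get-BrowserVersions
foreach ($b in $browsers.Keys) { 'Browser: {0} {1}' -f $b, $browsers[$b] }

"IE ActiveX Filtering enabled: $(Test-ActiveXFiltering)"
```

Two caveats. LastInstallationSuccessDate only tells you when something last installed, not whether updates are still pending, so a machine that installed one patch a week ago and skipped ten is not caught by this alone. And the SecurityCenter2 namespace is absent on Windows XP and on server editions, so no antivirus line at all on those systems means the check could not run, not that no antivirus is present.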

What to do if you get infected with Reveton

The Internet Crime Complaint Center (IC3) recommends the following steps if your computer gets infected with the Reveton virus:

  • Do not pay any money or provide any personal information.
  • Contact a computer professional to remove Reveton and Citadel from your computer.
  • Be aware that even if you are able to unfreeze your computer on your own, the malware may still operate in the background. Certain types of malware have been known to capture personal information such as user names, passwords, and credit card numbers through embedded keystroke logging programs.
  • File a complaint and look for updates about the Reveton virus on the IC3 website.
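The third point is the one people skip: getting the desktop back does not mean the malware is gone. What a technician does next is look at everything that starts automatically with the next logon. The script below is an added example, written for this article and not taken from the IC3 alert or from any Reveton analysis. It lists the Run/RunOnce registry keys and both Startup folders, resolves shortcuts to the command they really launch, and tags any entry that runs from a user-writable folder (AppData, Temp, the profile itself), because that is where commodity malware that installs without administrator rights has to live. It assumes Windows Vista or later with PowerShell 2.0 or later, and it only reads.

```powershell
# Added example, not from the original article or the IC3 alert: a read-only
# sweep of the common Windows autostart locations that flags entries launching
# from user-writable folders. Run it after the desktop has been unfrozen,
# ideally from Safe Mode, to see what would start again at the next logon.

$shellFolders = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'

# Folders an unprivileged process can write to. Legitimate software normally
# installs under Program Files, so an autostart pointing here deserves a look.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() }

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyEntries {
    $psProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($psProps -contains $prop.Name) { continue }   # provider metadata, not a value
            New-Object PSObject -Property @{ Source = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
}

function Get-StartupFolderEntries {
    # Per-user and all-users Startup folders, read from the registry so the path
    # is right whatever the profile layout.
    $folders = @(
        (Get-ItemProperty "HKCU:\$shellFolders" -ErrorAction SilentlyContinue).Startup,
        (Get-ItemProperty "HKLM:\$shellFolders" -ErrorAction SilentlyContinue).'Common Startup'
    )
    $wsh = New-Object -ComObject WScript.Shell
    foreach ($folder in $folders) {
        if (-not $folder -or -not (Test-Path $folder)) { continue }
        foreach ($file in Get-ChildItem -Path $folder -Force | Where-Object { -not $_.PSIsContainer }) {
            $command = $file.FullName
            if ($file.Extension -eq '.lnk') {
                # A shortcut's target plus arguments is what actually runs at logon.
                $lnk = $wsh.CreateShortcut($file.FullName)
                $command = ($lnk.TargetPath + ' ' + $lnk.Arguments).Trim()
            }
            New-Object PSObject -Property @{ Source = $folder; Name = $file.Name; Command = $command }
        }
    }
}

function Test-UserWritableCommand {
    param([string]$Command)
    if (-not $Command) { return $false }
    # Substring match on the expanded command catches a direct "...\AppData\...\x.exe"
    # as well as loader forms such as "rundll32.exe ...\AppData\...\x.dll,Entry".
    $c = [Environment]::ExpandEnvironmentVariables($Command).ToLower()
    foreach ($root in $userWritable) { if ($c.Contains($root)) { return $true } }
    return $false
}

$entries = @(Get-RunKeyEntries) + @(Get-StartupFolderEntries)
foreach ($e in $entries) {
    $tag = if (Test-UserWritableCommand $e.Command) { 'REVIEW' } else { 'ok' }
    '{0,-6} {1,-30} {2}' -f $tag, $e.Name, $e.Command
}
```

Treat REVIEW as a list of things to look at, not a verdict: per-user installs such as Chrome's also live under AppData. It also covers only the two most common autostart locations; a thorough check adds scheduled tasks, services and the Winlogon Shell/Userinit values, which is where a professional's autorun tooling comes in.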

Further reading about ransomware and Reveton

FBI alert about Reveton ransomware

IC3 alert about Reveton ransomware

Krebs on Security - Inside a Reveton ransomware operation

If you suspect you have malware, ransomware, or any other type of virus, running antivirus isn't always enough. Reach out to us and have one of our professional computer technicians check your computer and network for any signs of malware. You can reach us at 866-753-6279 or email us here.


During work hours David is the President of Plenary Technology, an IT Services company in New Jersey that helps small businesses save money by reducing downtime. Off hours he spends as much time as possible romping through the woods with his dog, Maggie.