Here Comes Reveton: Ransomware Is Keeping Solution Providers Very Busy

The ransomware scourge that made many small and midsize businesses scramble to recover locked-up systems in 2014 is continuing to clobber PCs despite a law enforcement crackdown that effectively squashed the nefarious CryptoLocker malware.

Reveton, a threat that spread mainly in Europe and tied up systems while displaying a phony law enforcement warning, has surged in recent months and is now being detected hammering systems in the U.S. The health-care industry appears to have felt the brunt of the latest surge of the malware, according to an analysis of the latest variant issued by Trend Micro Thursday.

More than 60 percent of Reveton infections spotted by the security vendor have been in the U.S. and the malware's new infection method is behind the expansion, the company said. Rather than an executable file, Reveton infects systems with a DLL file extension.

"The difference here is that a user whose system is infected by any of these recent Reveton malware variants won't easily suspect that there's a malicious application running in the system via Task Manager," Trend Micro said.

[Related: Health-Care Breaches Cost More Than Financial Services, Retail Lapses]

Reveton is an older form of ransomware. It doesn't encrypt a victim's files like CryptoLocker or some copycat variants (namely CryptoWall), but it has the capability to lock the screen of a victim's system. Once the malware is triggered, the attackers display a phony message purported to be from the Homeland Security National Cyber Security Division, in an attempt to extort a bogus $300 fine. The message warns that the "computer has been suspended on the grounds of unauthorized cyberactivity."

The tactic is intended to scare users into paying the fee, according to Trend Micro, which warns users that the infection appears to be spreading through attachments in spam messages. Users should avoid opening suspicious messages and verify the validity of email messages that purport to be from banks, online retailers and shipping firms, according to Trend Micro.

"It pays to be vigilant," Trend Micro said. "Security software should not only detect and block ransomware but also other malware that may drop the different variants."

Reveton is associated with Citadel, a data-stealing botnet that spreads a variety of malware, including the ability to capture keystrokes and infiltrate popular password managers and authentication software. Last month, IBM's Trusteer endpoint security unit identified Citadel attacks that could gain access to open-source password managers. Microsoft also warned about a version of Reveton it detected with the ability to steal account credentials.

NEXT: Ransomware Keeps Solution Providers Busy

Solution providers say ransomware has always been an irritating problem for their frontline teams, but the CryptoLocker infections were more perilous. CryptoLocker ranks as one of the top threats their customers faced in 2014. The infections taught some business owners a lesson on having a solid backup system in place, said Brian Hess, president of Gibsonia, Pa.-based service provider TEQ Guys. CryptoLocker was very significant to TEQ Guys' business, Hess said.

’It created significant disruption and there was no recovery from it if you didn’t have an effective backup,’ Hess said. ’If you didn’t have a backup you couldn’t get your files back unless you paid the hacker.’

The attackers behind CryptoLocker and the early versions of CryptoWall copycat malware were able to evade detection from standard antivirus and network security devices. The malware contained a component that disabled standard security software when the malware executed. The FBI said in June that CryptoLocker was out of commission, but the effectiveness of the attack, which bilked millions from victims, was a black eye on the security industry, Hess said.

’It never ended up setting off alarms while it encrypted all those files,’ Hess said. ’I can understand standard signature-based protection missing an infection, but heuristics appeared to have failed as well.’

In the third quarter of 2014, more than 200,000 new ransomware variants were spotted by Intel Security (formerly McAfee). The number of new variants rose for the first time since a precipitous decline over the past year, the company said in its latest threat report.

Intel Security predicts new variants of crypto-ransomware could contain functionality to steal account credentials and authenticate to a victim's cloud-based services, potentially locking up those Web-based files as part of the attack. Dropbox, Google Drive and OneDrive could be at risk, the security vendor said. The company added that ransomware may also become a greater problem on mobile devices next year.

"With mobile platforms supporting a myriad of unregulated payment methods, attackers will find multiple avenues to extract ransom payments from victims to release their encrypted data," the company said.

PUBLISHED DEC. 12, 2014