The infection also comes with the data-stealer Citadel Trojan

May 1, 2012 12:30 GMT  ·  By

The piece of ransomware known as Reveton returns and this time it locks the computers of unsuspecting victims on behalf of the United States Department of Justice (DOJ).

The cybercriminals that operate this scam use the Citadel platform to spread the malicious element.

It’s uncertain at this point whether schemes that use the names of law enforcement agencies are still as effective as they once were, but it seems that the fraudsters decided to step it up a notch and rely on the name and reputation of the US DOJ to scare victims into handing over the alleged fine payments.

Let’s take a closer look at this particular scenario.

It all starts when the victim visits a hijacked site that’s been altered to serve drive-by malware downloads. A dropper installs the Citadel malware, which connects to the command and control server and downloads its configuration file from there.

Once it finds itself on a device, Reveton locks it and displays a notification on behalf of the DOJ, accusing the victim of accessing illegal content.

The clever thing about this scheme is that the payment method adapts based on the user’s location. For instance, if the IP address is from the US, the $100 (76 EUR) fine must be paid via Paysafecard or MoneyPak.

While the ransomware is trying to make a direct profit for the cybercrooks, the Citadel Trojan continues to operate in the background, stealing sensitive information and performing other malicious tasks.

“It is clear from this and similar attacks we have discovered recently that financial malware has achieved a technological level of sophistication which enables it to be used to carry out virtually any type of cyber-attack,” Amit Klein of Trusteer said.

“Through a combination of social engineering, data capturing and communication tampering these attacks are being used by criminals to target applications, systems and networks belonging to financial institutions, enterprises, and government agencies in order to commit fraud or steal sensitive information.”