Reveton

Malware

⚠️ Overview

Reveton is a screen‑locking ransomware (scareware) first discovered in 2012, attributed to a Russian‑speaking cybercriminal group often tracked as the “Reveton gang” or “Urausy” by researchers at Symantec and Trend Micro. It masquerades as an official law‑enforcement notice—typically from the FBI, Europol, or national police—claiming the victim has committed a crime (e.g., copyright infringement, viewing child pornography) and demands a fine paid via prepaid cash‑vouchers (e.g., Ukash, Paysafecard). Unlike file‑encrypting ransomware, Reveton does not encrypt files but instead locks the entire desktop, preventing normal system use until the ransom is paid. It is classified as a police‑themed ransomware variant within the broader “Police Ransomware” category.

🔧 Technical Capabilities

Reveton primarily propagates via drive‑by downloads from compromised websites and exploit kits, notably the Blackhole Exploit Kit (also known as “Cool EK”), which exploited vulnerabilities in Java, Adobe Reader, and Silverlight. Once executed, it drops a payload that modifies the Windows registry, setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` Shell value to a malicious binary so that the ransomware screen, rather than explorer.exe, runs at logon. It employs anti‑analysis techniques, including checking for virtual machine environments (e.g., VMware, VirtualBox) and terminating security‑software and system‑utility processes that could be used to remove it (e.g., taskmgr.exe, regedit.exe). Command‑and‑control (C2) communication is typically over HTTP to a rotating set of domains, often hosted on bulletproof servers, to receive ransom instructions and payment validation. Persistence is achieved through registry run keys and scheduled tasks that re‑launch the locking screen even after manual removal attempts.

📜 History & Notable Incidents

Reveton first appeared in early 2012 targeting European users, with a major campaign in May 2012 that infected tens of thousands of computers via the Blackhole EK. In 2013, a variant called “Reveton.A” was observed demanding $100–$200 ransoms and using geolocation to display the correct national law‑enforcement logo (e.g., Metropolitan Police in the UK, Polizia di Stato in Italy). No specific CVEs are directly attributed to Reveton itself, but the exploit kits it relies on leveraged CVE‑2011‑3544 (Java), CVE‑2012‑1723 (Java), and CVE‑2013‑0431 (Java) for initial infection. Law enforcement actions include the 2013 Europol takedown of several Reveton‑related C2 domains, though the gang continued operating through new servers.

🔍 Detection Indicators

Behavioral indicators include an immediate full‑screen window that cannot be minimized or closed, displaying a fake law‑enforcement warning that mimics the operating system’s legal notice. Network indicators include outbound HTTP connections to domains such as checkip.dyndns.org (for geolocation) and a variety of randomly generated subdomains under .org or .info TLDs. This profile does not list verified sample hashes; actual MD5/SHA hashes for Reveton samples are available in VirusTotal reports. Registry modifications involve the Winlogon Shell value mentioned above and the creation of values under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` with system‑sounding names like “lssas” or “svchost”. No unique mutex names have been publicly documented.
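The two registry indicators described in the Technical Capabilities and Detection Indicators sections (a replaced Winlogon Shell value and Run entries that launch a system‑named binary from a user‑writable directory) can be checked offline against a `reg export` file. The script below is an added example for this page, not tooling from the original profile or from any vendor; the embedded registry export is constructed, and the file paths, the `skype.dat` name and the rule names are assumptions chosen to illustrate the check. It parses the .reg text format and reports each value that matches one of the two rules.

```python
"""Flag Reveton-style screen-locker persistence in a Windows registry export.

Added example. Parses the text produced by ``reg export`` and applies two rules
taken from the profile above:
  1. the Winlogon ``Shell`` value no longer launches explorer.exe;
  2. an HKCU Run value with a system-sounding name points into a user-writable
     directory (AppData, Temp, Public, ProgramData).
"""
import re

# Constructed sample export (assumption, not a real infection artifact): one
# legitimate Run entry plus the two modifications the profile attributes to
# Reveton. Real exports from `reg export` are UTF-16 LE; open them with
# encoding="utf-16" before passing the text to scan().
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\victim\\AppData\\Roaming\\skype.dat"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe"
"""

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Run-value names the profile reports Reveton using, plus a few other
# process names that a user would expect to see in Task Manager.
SUSPICIOUS_RUN_NAMES = {"lssas", "svchost", "lsass", "csrss", "winlogon"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for REG_SZ values in .reg text.

    Only string values matter for these rules; binary/DWORD lines are skipped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg files escape backslashes and embedded quotes with a backslash.
            data = re.sub(r"\\(.)", r"\1", m.group(2))
            keys[current][m.group(1)] = data
    return keys


def check_winlogon_shell(keys):
    """Rule 1: Shell must be explorer.exe (bare name or full path)."""
    shell = keys.get(WINLOGON_KEY, {}).get("Shell", "explorer.exe")
    normalized = shell.strip().strip('"').lower()
    if normalized == "explorer.exe" or normalized.endswith("\\explorer.exe"):
        return []
    return [("winlogon_shell_replaced", WINLOGON_KEY, "Shell", shell)]


def check_run_entries(keys):
    """Rule 2: system-sounding Run name whose target lives in a user-writable dir.

    Requiring both conditions keeps legitimate per-user software that runs
    from AppData (OneDrive in the sample) out of the findings.
    """
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        lowered = data.lower()
        from_user_dir = any(marker in lowered for marker in USER_WRITABLE)
        if name.lower() in SUSPICIOUS_RUN_NAMES and from_user_dir:
            findings.append(("system_name_from_user_dir", RUN_KEY, name, data))
    return findings


def scan(text):
    """Parse a .reg export and return a list of (rule, key, value_name, data)."""
    keys = parse_reg_export(text)
    return check_winlogon_shell(keys) + check_run_entries(keys)


if __name__ == "__main__":
    for rule, key, name, data in scan(SAMPLE_REG_EXPORT):
        print(f"[{rule}] {key}\\{name} = {data}")
```

On the constructed sample this reports the replaced Shell value and the `svchost` Run entry, and leaves the OneDrive entry alone. A clean Shell value (the default `explorer.exe`) produces no finding, which is also the state to restore from a safe‑boot environment when remediating.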

☠️ Risk & Impact

Reveton causes significant operational disruption by locking users out of their devices entirely, leading to loss of productivity and potential data inaccessibility if backups are not available. While it does not exfiltrate data, the social‑engineering nature of the scam can cause emotional distress and financial loss to individuals, particularly those who pay the ransom. The malware primarily affected home users and small businesses in Europe and North America between 2012 and 2015, with a decline after improved user awareness and exploit‑kit takedowns. Financial losses per victim typically ranged from $50 to $200, though cumulative losses are estimated in the millions of dollars.

🛡️ Mitigation

Mitigation relies on keeping browser plugins (Java, Flash, Adobe Reader) updated to prevent exploit‑kit delivery, using endpoint protection with behavioral detection rules for screen‑locking behavior, and implementing group policies to block execution of unsigned binaries from user directories. Sysadmin tools like Sysinternals’ Process Monitor can identify the malicious shell‑key modification, which can be manually reverted from a safe boot environment. No patch is required beyond standard OS hardening.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.