{
	"id": "d3b7b747-6b2a-4bbd-855c-cec200dcdffd",
	"created_at": "2026-04-06T00:14:58.37925Z",
	"updated_at": "2026-04-10T13:11:52.142028Z",
	"deleted_at": null,
	"sha1_hash": "32524244c6ff7e877f4380ac07e8e99c404abf33",
	"title": "Inside a ‘Reveton’ Ransomware Operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 472616,
	"plain_text": "Inside a ‘Reveton’ Ransomware Operation\r\nPublished: 2012-08-13 · Archived: 2026-04-05 22:50:38 UTC\r\nThe U.S. Federal Bureau of Investigation is warning about an uptick in online extortion scams that impersonate\r\nthe FBI and frighten people into paying fines to avoid prosecution for supposedly downloading child pornography\r\nand pirated content. This post offers an inside look at one malware gang responsible for orchestrating such scams.\r\nReveton ransomware scam page impersonating the FBI\r\nIn an alert published last week, the FBI said that The Internet Crime Complaint Center — a partnership between\r\nthe FBI and the National White Collar Crime Center — was “getting inundated with complaints” from consumers\r\ntargeted or victimized by the scam, which uses drive-by downloads to hijack host machines. The downloaded\r\nmalware displays a threatening message (see image to the right) and blocks the user from doing anything else\r\nunless he pays the fine or finds a way to remove the program.\r\nThe FBI alert said the attacks have surged with the help of a “new drive-by virus” called Reveton; in fact,\r\nReveton and its ilk are hardly new. These types of attacks have been around for years, but traditionally have\r\ntargeted European users. The scam pages used in the attacks mimic official notices from various national police or\r\ninvestigatory agencies, corresponding to the country in which the victim resides. For a breakdown of these\r\nReveton-related ransomware scam pages by country, see this comprehensive gallery set up at botnets.fr.\r\nReveton.A is blamed in these most recent attacks, and the FBI said it appears Reveton is being distributed in\r\nconjunction with Citadel, an offshoot of the ZeuS Trojan that I have written about on several occasions. It is\r\ncertainly possible that crooks are using Citadel to deploy Reveton, but as I’ll illustrate below, it seems more likely\r\nthat the attackers in these cases are using exploit kits like BlackHole to plant both threats on victim PCs.\r\nINSIDE A REVETON MALWARE GANG\r\nhttps://krebsonsecurity.com/2012/08/inside-a-reveton-ransomware-operation/\r\nPage 1 of 4\n\nOperations of one Reveton crime group. Source: ‘Kafeine,’ from botnets.fr.\r\nAt least that’s the behavior that’s been observed by a ragtag group of researchers that has been tracking Reveton\r\nactivity for many months. Some of the researchers are associated with botnets.fr, but they’ve asked to remain\r\nnameless because of the sensitivity of their work. One of them, who goes by the screen name “Kafeine,” said\r\nmuch of the Reveton activity traces back to a group that is controlling the operation using reverse proxies at\r\ndozens of servers scattered across data centers globally (see this PDF for a more detailed look at the image above).\r\nKafeine said the groups involved in spreading Reveton are constantly fine-tuning all aspects of their operations,\r\nfrom the scam pages to solidifying their back-end hosting infrastructure. The latest versions of Reveton, for\r\nexample, serve the scam pages from an encrypted (https://) connection, and only cough up the pages when an\r\ninfected machine visits and sends a special request.\r\nSome readers may have a hard time understanding how such schemes could be successful. To those folks, I say\r\nconsider the lucrative operations of the once-mighty scareware industry, which similarly hijacks infected machines\r\nwith warnings about malware until the victim relents and pays for some worthless and fake cleaner program.\r\nKafeine shared a couple of screen shots of two similar and recent ransomware scams (not Reveton-related)\r\ntargeting European users that show just how successful these scams can be. Both of these images were obtained\r\nwhen security researchers stumbled upon statistics pages maintained by the criminal groups running the scheme.\r\nRansomware earnings on 5/17/2012\r\nThe one on the right, for instance, shows that the attackers managed to get their malware installed on 2,116 PCs in\r\nFrance, and of those, only 3.7 percent — 79 victims — opted to pay to rid their machines of the ransomware. But\r\nthose 79 victims each paid $100, earning the miscreants 7,800 Euros.\r\nThat’s the haul from just one country; bear in mind that this stats page shows the total take from a single day (May\r\n17, 2012). According to these stats, at least 322 people from all countries they ran the scam in opted to pay the\r\nransom that day, earning the attackers more than €28,000 (~$34,500)! The next day (the screen shot below left),\r\nthe miscreants earned €43,750 (~$54,000).\r\nRansomware earnings 5/18/2012\r\nUnlike scareware scams, ransomware schemes do not rely on credit card payments from victims — a key pressure\r\npoint for squashing affiliate programs that help spread this crud. Most previous ransomware schemes have used\r\nalternative payment systems such as Ukash and Paysafe. The Reveton attacks that spoof the FBI instruct victims\r\nto pay their “fines” via MoneyPak, which allows people who don’t have bank accounts to send money and pay\r\nbills at participating businesses. MoneyPak cards are available for purchase at Wal-Mart, CVS and other retailers,\r\nand can be reloaded with cash, and can be used to send money to PayPal accounts, prepaid credit cards, and to\r\npay bills for some cell phone companies and DirecTV.\r\nI mentioned earlier that most of these Reveton attacks that have been tracked so far used versions of the\r\nBlackHole exploit kit to deploy the malware. These are kits that are stitched into hacked or malicious Web sites,\r\nso that all visiting browsers are checked for a variety of insecure, outdated plugins, from Flash to Java to Adobe\r\nReader. Browsers that are found vulnerable will be handed a Trojan downloader that fetches Reveton and most\r\nlikely a copy of the password-stealing Citadel/ZeuS Trojan.\r\nKafeine and his fellow researchers recently gained access to one of the three main BlackHole exploit panels used\r\nby a Reveton malware gang. The screen shot below shows the BlackHole administration page; in the upper left\r\nportion of the image, we get a sense of how much traffic these crooks see on any given day. It shows that in just\r\none day, the exploit kit was sent more than 187,000 potential victims, and that more than 11,000 of those were\r\nsuccessfully seeded with Reveton. The “exploits” stats in the upper right portion of the image show that, once\r\nagain, insecure and outdated installations of Java remain by far the most popular vehicle for exploiting PCs.\r\nA recent screenshot of a BlackHole exploit kit panel used by a group spreading Reveton. Source: Kafeine from\r\nbotnets.fr\r\nA number of Web sites include instructions for removing the Reveton malware without having to pay the ransom\r\n(here’s one example). But it’s important for readers to understand that if you have been hit by a ransomware\r\nattack, the ransomware component is almost certainly just the most visible of the threats that reside on your\r\nsystem. For one thing, Kafeine said, the latest Reveton versions will steal all passwords stored on the victim’s PC.\r\nWhat’s more, the FBI’s report indicates Reveton is being bundled with Citadel, which is an extremely powerful\r\nand advanced family of malware that can be quite difficult to remove.\r\nAttacks such as Reveton illustrate the need to have a solid plan for backing up your data, because the surest way\r\nto clean a machine infected with the likes of Reveton is to completely reinstall Windows (from the Master Boot\r\nRecord on up). The most advanced ransomware threats (the subject of a future post) will steal your passwords and\r\nthen encrypt all of your important files before demanding a ransom payment.\r\nSource: https://krebsonsecurity.com/2012/08/inside-a-reveton-ransomware-operation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2012/08/inside-a-reveton-ransomware-operation/"
	],
	"report_names": [
		"inside-a-reveton-ransomware-operation"
	],
	"threat_actors": [],
	"ts_created_at": 1775434498,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32524244c6ff7e877f4380ac07e8e99c404abf33.pdf",
		"text": "https://archive.orkl.eu/32524244c6ff7e877f4380ac07e8e99c404abf33.txt",
		"img": "https://archive.orkl.eu/32524244c6ff7e877f4380ac07e8e99c404abf33.jpg"
	}
}