Police-themed ransomware speaks to victims — literally

A new variant of a Trojan program called Reveton that prevents victims from using their computers and displays rogue messages from law enforcement agencies is using localized voice messages to trick victims into paying made-up fines, according to researchers from antivirus vendor Trend Micro.

“Detected as TROJ_REVETON.HM, it locks the infected system but instead of just showing a message, it now urges users to pay verbally,” Ivan Macalintal, threat research manager at Trend Micro, said Monday in a blog post. “The user won’t need a translator to understand what the malware is saying — it speaks the language of the country where the victim is located.”

Reveton is part of a category of malicious programs called ransomware that block certain OS features or encrypt personal files and ask victims for money in order to return their system to normal.

This particular Trojan program is also known as the “police ransomware” because it displays fake alerts purporting to come from law enforcement agencies in various countries and instruct victims to pay a fine for allegedly accessing or storing illegal content on their computers.

Reveton determines the country where the infected computer is located and displays a message in that country’s national language purporting to come from a local law enforcement agency. It first appeared in 2011 and spread throughout Western Europe infecting computers in Germany, Spain, France, Austria, Belgium, Italy, the U.K and other countries.

The first variants targeting U.S. and Canadian computer users appeared in May 2012. At the end of November, the Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C), issued an alert that Reveton was being distributed by the Citadel banking Trojan program and was using IC3’s name in its rogue alerts.

“There has been the occasional instance of malware with sound effects,” David Harley, a senior research fellow at antivirus vendor ESET, said Monday via email. However, “malware with a regionalized, quasi-personalized voice message is new on me,” he said.

Harley hasn’t yet heard the voice messages played by this particular Reveton variant, but he believes if they are implemented effectively — for example, English messages claiming to be from the FBI don’t have a heavy Eastern European accent — some people are likely to find them intimidating.

The malware’s novel voice feature might make the scam marginally more convincing to some users, Harley said. However, it’s unlikely that it would manage to persuade people who would be reasonably cautions about such scams, he said.

According to a recent report from security vendor Symantec, there are as many as 16 distinct families of ransomware, each controlled by individual cybercriminal gangs. An investigation into a command and control server used in one ransomware operation that resulted in 68,000 infected computers in October, revealed that as many as 3 percent of the victims might have paid the amount asked by the cybercriminals, possibly earning them as much as US$394,000 that month.

Harley advised people whose computers were infected by ransomware not to pay up. There is no guarantee that the criminals will unlock the system, he said. “In many cases where ransomware has taken hold, the crook has just taken payment and moved on without offering any help.”

The best option is to call the help desk of your antivirus vendor, because they can hopefully pin down the exact variant and advise you on how to remove it, he said.