Win32/Reveton


Microsoft security software detects and removes this family of threats.

This family of ransomware can lock your PC and show you a full-screen message, commonly called a "lock screen".

It pretends to be from the FBI or a national police force and tries to scare you into paying a fine to unlock your PC.

These threats can be installed on your PC when you visit a hacked webpage. We have also seen them installed by other malware.

You can read more about this type of threat on our ransomware page.



What to do now

Microsoft doesn’t recommend you pay the fine. There is no guarantee that paying the ransom will unlock your PC or give you access to your files.

If you've already paid, see our ransomware page for help on what to do now.

Run antivirus or antimalware software

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.

Enable MAPS 

Enable the Microsoft Active Protection Service (MAPS) in your Microsoft security product so that it can use Microsoft's cloud protection service.

  1. Check if MAPS is enabled in your Microsoft security product:

    1. Select Settings and then select MAPS.

    2. Select Advanced membership, then click Save changes. With MAPS enabled, your Microsoft anti-malware product can take full advantage of Microsoft's cloud protection service.

  2. Join the Microsoft Active Protection Service Community.  

Threat behavior

Distribution

Reveton ransomware is usually installed on a PC as a result of a drive-by download attack. For example, an exploit pack (such as Blacole or Axpergle) can install it, or you might encounter it if you visit a compromised webpage.

We have seen Exploit:Win32/Pdfjsc.ADY and Exploit:Win32/Pdfjsc.ADQ download Ransom:Win32/Reveton onto compromised PCs.

Installation

Threats in this family can create a shortcut file in the <startup folder> so that the ransomware runs automatically every time Windows starts. The shortcut file has one of the following names:

  • ctfmon.lnk
  • regmonstd.lnk
  • <reverse malware file name>.lnk; for example, if the malware was installed with the file name filename.dll, the shortcut file would be named emanelif.lnk
  • runctf.lnk
  • task scheduler.lnk

The ransomware also runs if you click the shortcut manually.

If the malware can't create the shortcut file, it drops a batch file in the same folder instead, named:

  • <reverse malware file name>.bat

Some variants copy themselves to %APPDATA% with a random file name and one of the following extensions:

  • .cpp
  • .dat
  • .jss
  • .plz

For example, %APPDATA%\6j1fqm4L.plz.

Some variants drop a copy of rundll32.exe in the %USERPROFILE%\application data directory with the file name lsass.exe, mimicking the legitimate Local Security Authority process, and use that copy to launch the ransomware DLL, for example: lsass.exe <folder path>\<malware file name>.dll, GOF1. This is rundll32 syntax: the DLL path is followed by a comma and the name of the exported function to call. The genuine lsass.exe runs only from <system folder>, so an lsass.exe launched from a profile directory is itself an indicator.

Other variants, such as Ransom:Win32/Reveton.X and Ransom:Win32/Reveton.Y, launch the ransomware using the original rundll32.exe file located in <system folder>.

In some older variants, the ransomware creates a shortcut file with the file name <random file name>.dll.lnk.

As part of its installation process, some variants can also create these files:

On a 64-bit operating system, they might also create this file:

Some newer variants drop their files in %ALLUSERPROFILE%\Application Data\2992199f9a\.

Reveton ransomware variants can also change your system registry so that the ransomware is loaded by the legitimate Windows process svchost.exe, replacing the DLL of the Windows Management Instrumentation (Winmgmt) service:

In subkey: HKLM\SYSTEM\ControlSet001\services\Winmgmt\Parameters\
Sets value: "ServiceDll"
With data: "<malware file name>"

Some variants make the following changes to the registry so that the ransomware runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Task Scheduler"
With data: "%ALLUSERPROFILE%\Application Data\task scheduler\task scheduler.exe"

In subkey: HKLM\System\ControlSet001\services\Winmgmt\Parameters
Sets value: "ServiceDll"
With data: "%ALLUSERPROFILE%\Application Data\<random>.plz"

Some Reveton variants also add their dropped copy to the Data Execution Prevention (DEP) exception list. DEP would otherwise terminate the process when it executes code from memory that is not marked executable, so the exception removes a check that could stop the threat from running. The variants do this with the following registry modification:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Sets value: "%ALLUSERPROFILE%\Application Data\task scheduler\Task Scheduler.exe"
With data: "disablenxshowui"

They might also inject themselves into these legitimate Windows processes to hide their actions:

  • explorer.exe
  • iexplore.exe
  • regedit.exe - hooks the function RegQueryValueExW in advapi32.dll to hide its registry keys
  • taskmgr.exe - hooks the function ZwQuerySystemInformation in ntdll.dll to hide its processes
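
To turn the artifacts above into a repeatable check, the following Python script is an added example; it is not Microsoft's code and not part of the original entry. It triages a snapshot of a host for the indicators described in this section: the known Startup-folder shortcut names, a shortcut whose reversed name matches the DLL it launches, the randomly named copy dropped directly in %APPDATA%, an lsass.exe outside <system folder>, a Winmgmt ServiceDll that is not the genuine wbem\WMIsvc.dll, and a Run entry or DEP exception pointing at a profile directory. The snapshot layout (a Shortcut record of name plus resolved command line, a file list, and a {key: {value: data}} registry dict), the function names and every path in SAMPLE_SNAPSHOT are assumptions constructed for the example; on a live host you would populate the snapshot with os.scandir() and the winreg module.

```python
"""Triage a host snapshot for the Reveton persistence artifacts described above.
Added example, not Microsoft's code: it evaluates a snapshot (Startup shortcuts,
profile file listing, selected registry values) so it runs offline; on a live host
the snapshot would come from os.scandir() and winreg. SAMPLE_SNAPSHOT is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

KNOWN_STARTUP_NAMES = {"ctfmon.lnk", "regmonstd.lnk", "runctf.lnk", "task scheduler.lnk"}
DROP_EXTENSIONS = {".cpp", ".dat", ".jss", ".plz"}      # copies dropped directly in %APPDATA%
LEGIT_WINMGMT_DLL = "\\system32\\wbem\\wmisvc.dll"     # genuine WMI service DLL
WINMGMT_KEYS = (r"HKLM\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters",
                r"HKLM\SYSTEM\ControlSet001\services\Winmgmt\Parameters")
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
LAYERS_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
PROFILE_DIRS = ("\\application data\\", "\\appdata\\")  # user-writable locations Reveton uses
DLL_IN_CMDLINE = re.compile(r'([^\s",]+\.dll)', re.IGNORECASE)


@dataclass(frozen=True)
class Shortcut:
    name: str      # file name inside the Startup folder (.lnk or .bat)
    cmdline: str   # resolved target plus arguments, e.g. 'rundll32.exe "...\x.dll",GOF1'


def _stem(path: str) -> str:
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0] if "." in base else base


def check_startup(shortcuts: Iterable[Shortcut]) -> List[str]:
    """Known names, <random>.dll.lnk, and the reversed-file-name trick."""
    findings = []
    for sc in shortcuts:
        name = sc.name.lower()
        if name in KNOWN_STARTUP_NAMES:
            findings.append(f"startup: Reveton shortcut name {sc.name!r} -> {sc.cmdline}")
        elif name.endswith(".dll.lnk"):
            findings.append(f"startup: shortcut named after a DLL {sc.name!r} -> {sc.cmdline}")
        elif name.endswith((".lnk", ".bat")):
            m = DLL_IN_CMDLINE.search(sc.cmdline)
            # emanelif.lnk launching filename.dll: the reversed stem equals the DLL's stem
            if m and _stem(name)[::-1] == _stem(m.group(1)).lower():
                findings.append(f"startup: reversed-name shortcut {sc.name!r} -> {m.group(1)}")
    return findings


def check_profile_files(paths: Iterable[str]) -> List[str]:
    """Dropped copies directly under %APPDATA%, and the rundll32 copy renamed lsass.exe."""
    findings = []
    for p in paths:
        parent, _, base = p.replace("/", "\\").lower().rpartition("\\")
        ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
        if ext in DROP_EXTENSIONS and parent.endswith(("\\appdata\\roaming", "\\application data")):
            findings.append(f"profile: dropped-copy candidate {p}")
        elif base == "lsass.exe" and not parent.endswith("\\system32"):
            findings.append(f"profile: lsass.exe outside system32 (renamed rundll32?) {p}")
    return findings


def check_registry(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Winmgmt ServiceDll hijack, Run-key entry, and DEP opt-out for a profile-path binary."""
    byname = {k.lower(): v for k, v in reg.items()}
    findings = []
    for key in WINMGMT_KEYS:
        dll = byname.get(key.lower(), {}).get("ServiceDll", "")
        if dll and not dll.lower().endswith(LEGIT_WINMGMT_DLL):
            findings.append(f"registry: Winmgmt ServiceDll hijacked -> {dll}")
    for value, data in byname.get(RUN_KEY.lower(), {}).items():
        if any(d in data.lower() for d in PROFILE_DIRS):
            findings.append(f"registry: Run value {value!r} launches from a profile path: {data}")
    for exe, flags in byname.get(LAYERS_KEY.lower(), {}).items():
        if "disablenxshowui" in flags.lower() and any(d in exe.lower() for d in PROFILE_DIRS):
            findings.append(f"registry: DEP disabled for profile-path binary {exe}")
    return findings


def triage(snapshot: dict) -> List[str]:
    return (check_startup(snapshot["startup"]) + check_profile_files(snapshot["files"])
            + check_registry(snapshot["registry"]))


# Constructed snapshot mirroring the artifacts in this entry; none of it is real data.
SAMPLE_SNAPSHOT = {
    "startup": [
        Shortcut("ctfmon.lnk", r"C:\Windows\system32\rundll32.exe C:\Users\u\AppData\Roaming\6j1fqm4L.plz,GOF1"),
        Shortcut("emanelif.lnk", r'C:\Users\u\AppData\Roaming\lsass.exe "C:\Users\u\AppData\Roaming\filename.dll",GOF1'),
        Shortcut("OneDrive.lnk", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ],
    "files": [r"C:\Users\u\AppData\Roaming\6j1fqm4L.plz", r"C:\Users\u\AppData\Roaming\lsass.exe",
              r"C:\Windows\system32\lsass.exe", r"C:\Users\u\AppData\Roaming\Microsoft\Templates\Normal.dotm"],
    "registry": {
        r"HKLM\SYSTEM\ControlSet001\services\Winmgmt\Parameters": {
            "ServiceDll": r"C:\ProgramData\Application Data\k9s2.plz"},
        RUN_KEY: {"Task Scheduler": r"C:\ProgramData\Application Data\task scheduler\task scheduler.exe",
                  "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe"},
        LAYERS_KEY: {r"C:\ProgramData\Application Data\task scheduler\Task Scheduler.exe": "DisableNXShowUI"},
    },
}

if __name__ == "__main__":
    for line in triage(SAMPLE_SNAPSHOT):
        print(line)
```

Run it as a script to print the findings for the constructed snapshot. The reversed-name check deliberately reads the shortcut's command line rather than trusting the file name alone: the naming patterns listed above are cheap for a new variant to change, while the launch mechanism (rundll32 or a renamed copy of it loading a DLL from a profile path) is not.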

Payload

Prevents you from using your PC

Reveton ransomware displays a full-screen webpage that covers all other windows, rendering your PC unusable. The page shows a fake warning pretending to be from a legitimate institution and demands payment of a fine.

Paying the "fine" will not necessarily return your PC to a usable state.

Some examples of localized images that variants might display are shown below:

An image of a lock screen pretending to be from the United States Department of Homeland Security:

An image of a lock screen pretending to be from the Department of Justice, USA:

An image of a lock screen pretending to be from New Scotland Yard, Metropolitan Police and Strathclyde Police:

An image of a lock screen pretending to be from the Bundespolizei, or German Federal Police, National Cyber Crimes Unit:

Images of lock screens pretending to be from the Federal Bureau of Investigation, or FBI:

An image of a lock screen pretending to be from the Computer Crime & Intellectual Property Section of the United States Department of Justice:

An image of a lock screen pretending to be from the Cuerpo Nacional de Policía, or National Police Corps of Spain:

An image of a lock screen pretending to be from the Guardia di Finanza, or Italian Financial Guard:

Downloads and runs other malware components

Malware in this family can download and run customized .dll file payloads, such as the following:

  • Lock.dll, which the ransomware injects into browser processes, including the following, to display the fraudulent message:
    • chrome.exe
    • firefox.exe
    • iexplore.exe
    • opera.exe
  • FileMem.dll, an encrypted component that can carry out different payloads, including information-stealing routines, and might be detected as PWS:Win32/Reveton

Reveton can also download a .dll file that it stores in a container file with a random name and a .bbr, .bxx, .dat, .fee, .pff, or .pad extension. For example, e8al.pad and rodolcdod.pff.

It puts this file in the %ALLUSERPROFILE%\Application Data or %TEMP% folders. This .dll file is used to display the lock screen message and can be detected as Ransom:Win32/Reveton.U or Ransom:Win32/Reveton.V.

It might load these files directly into memory instead of writing them to a specific location on your PC.

In the wild, we have seen variants download these .dll files, images, and other bundled malware from the following IP addresses, using port 80 or 443:

  • 37.139.53.204
  • 37.139.53.244
  • 46.165.220.180
  • 58.107.26.174
  • 62.212.82.37
  • 82.192.88.13
  • 85.143.166.132
  • 85.143.166.136
  • 146.185.218.52
  • 146.185.255.194
  • 195.191.56.194
  • 195.208.185.33
  • 199.115.114.209
  • 199.189.105.124
  • 204.45.15.202
  • whatwillber.com
  • willber.com

We have also seen variants download and run other malware, such as PWS:Win32/Reveton.B, which can steal your user names and passwords for sensitive accounts, such as banking websites.

Modifies Internet browser settings

Some variants of Ransom:Win32/Reveton might modify Internet Explorer settings by making a number of registry modifications.

Suppress an Internet Explorer security warning (the Protected Mode notification banner):

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "NoProtectedModeBanner"
With data: "1"

Lock the Internet Explorer toolbar:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Toolbar
Sets value: "Locked"
With data: "1"

Lower security settings in all five Internet Explorer zones (value 1609 is the "Display mixed content" setting; 0 allows mixed content without prompting):

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: "1609"
With data: "0"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: "1609"
With data: "0"

Modifies system settings

Some variants might disable the Task Manager by making the following registry modification:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "1"

Some Reveton variants might also prevent icons from displaying on your desktop by making the following registry modification:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideIcons"
With data: "1"
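
As an added example (not Microsoft's code and not part of the original entry), the following Python script checks a user-hive snapshot for the registry tampering listed in this section and the previous one, and generates the reg.exe commands that undo it. The snapshot format ({key: {value: data}}), the function names and SAMPLE_HIVE are assumptions constructed for the example; on a live host the values would be read with winreg, or offline from the user's NTUSER.DAT. Zone value 1609 is Internet Explorer's "Display mixed content" setting; because the snapshot cannot tell you what it was before infection, the script reports it for review instead of resetting it.

```python
"""Detect the Internet Explorer and Task Manager tampering described above and emit
the reg.exe commands that reverse it. Added example, not Microsoft's code; the hive
snapshot format and SAMPLE_HIVE are constructed."""
from typing import Dict, List, Tuple

IE_MAIN = r"HKCU\Software\Microsoft\Internet Explorer\Main"
IE_TOOLBAR = r"HKCU\Software\Microsoft\Internet Explorer\Toolbar"
ZONES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
POLICIES_SYSTEM = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
EXPLORER_ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# (key, value name, data Reveton writes, safe to delete outright?)
# Deleting the policy/UI values restores default behaviour. Zone value 1609 is IE's
# "Display mixed content" setting (0 = enable without prompting); its pre-infection
# value cannot be recovered from the snapshot, so it is reported for review instead.
TAMPER_SIGNATURES: List[Tuple[str, str, int, bool]] = [
    (IE_MAIN, "NoProtectedModeBanner", 1, True),
    (IE_TOOLBAR, "Locked", 1, True),
    (POLICIES_SYSTEM, "DisableTaskMgr", 1, True),
    (EXPLORER_ADVANCED, "HideIcons", 1, True),
] + [(f"{ZONES}\\{zone}", "1609", 0, False) for zone in range(5)]


def _as_int(data) -> int:
    """Normalise DWORD data whether it came from winreg (int) or a .reg export."""
    if isinstance(data, int):
        return data
    s = str(data).strip().strip('"').lower()
    if s.startswith("dword:"):
        return int(s[6:], 16)
    return int(s, 16) if s.startswith("0x") else int(s)


def _lookup(hive: Dict[str, Dict[str, object]], key: str, value: str):
    """Case-insensitive key and value-name lookup, as the registry itself is."""
    for k, values in hive.items():
        if k.lower() == key.lower():
            for v, data in values.items():
                if v.lower() == value.lower():
                    return data
    return None


def find_tampering(hive: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, int, bool]]:
    hits = []
    for key, value, bad, deletable in TAMPER_SIGNATURES:
        data = _lookup(hive, key, value)
        if data is not None and _as_int(data) == bad:
            hits.append((key, value, bad, deletable))
    return hits


def remediation_commands(hits) -> List[str]:
    """cmd.exe lines to run as the affected user, after the malware itself is removed."""
    cmds = []
    for key, value, data, deletable in hits:
        if deletable:
            cmds.append(f'reg delete "{key}" /v "{value}" /f')
        else:
            cmds.append(f'REM review and restore manually: "{key}" /v {value} (currently {data})')
    return cmds


# Constructed user hive: tampered like Reveton, except the toolbar is not locked and
# the Internet zone (3) still prompts for mixed content.
SAMPLE_HIVE = {
    IE_MAIN: {"NoProtectedModeBanner": 1},
    POLICIES_SYSTEM: {"DisableTaskMgr": "dword:00000001"},
    EXPLORER_ADVANCED: {"HideIcons": 1, "Hidden": 2},
    **{f"{ZONES}\\{z}": {"1609": 0} for z in (0, 1, 2, 4)},
    f"{ZONES}\\3": {"1609": 1},
}

if __name__ == "__main__":
    for cmd in remediation_commands(find_tampering(SAMPLE_HIVE)):
        print(cmd)
```

Run the generated commands only after the ransomware has been removed; while it is active it simply re-applies these values, and the lock screen returns at the next logon.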

Ends processes

To prevent you from ending the malware process, some variants of Ransom:Win32/Reveton might end the process taskmgr.exe as soon as it runs.

Additional information

The name Reveton comes from the first variant (Ransom:Win32/Reveton.A), which contains the string "NOTEVER", that is, "REVETON" reversed.

We have observed that Win32/Reveton uses a variety of legitimate payment and financial transfer services, including:

These providers are not affiliated with Win32/Reveton.

If you believe you are a victim of fraud involving one of these services, contact them along with your local authorities.

Connects to servers

We have seen variants connect to the following IP addresses to download the other malware components and to upload information gathered by these malware components:

  • 37.139.53.204
  • 37.139.53.244
  • 46.165.220.180
  • 62.212.82.37
  • 199.115.114.209
  • 199.189.105.124
  • 204.45.15.202
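
The two address lists in this entry (the one above and the longer one under "Downloads and runs other malware components" in the Payload section) are the indicators a responder would sweep proxy logs for. The following Python script is an added example, not Microsoft's code: it parses Squid-style native access-log lines (time, elapsed, client, status, bytes, method, URL; this layout is an assumption, so adapt LINE_RE to your proxy), resolves the destination host and port for both plain requests and CONNECT tunnels, matches hosts against the IPs and domains from the entry, flags ports other than the 80 and 443 the entry reports, and tallies hits per client. SAMPLE_LOG is constructed: the addresses come from the entry; the timestamps, clients and paths are invented. These indicators date from 2012 to 2015 and the addresses may have been reassigned since, so a hit is a lead to investigate, not proof of infection.

```python
"""Match proxy access-log lines against the Reveton download/C2 addresses from this entry.
Added example, not Microsoft's code; the log layout and SAMPLE_LOG are constructed."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Addresses exactly as listed in the entry (historical; may have been reassigned since).
REVETON_IPS = {
    "37.139.53.204", "37.139.53.244", "46.165.220.180", "58.107.26.174", "62.212.82.37",
    "82.192.88.13", "85.143.166.132", "85.143.166.136", "146.185.218.52", "146.185.255.194",
    "195.191.56.194", "195.208.185.33", "199.115.114.209", "199.189.105.124", "204.45.15.202",
}
REVETON_DOMAINS = {"whatwillber.com", "willber.com"}
EXPECTED_PORTS = {80, 443}   # the entry reports downloads over these two ports only

# Squid native layout: time elapsed client status/code bytes method URL ... (assumed).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
                     r"(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def destination(url: str) -> Tuple[str, int]:
    """(host, port) for an absolute URL, or for the host:port target of a CONNECT."""
    if "://" not in url:
        host, sep, port = url.rpartition(":")
        return (host.lower(), int(port)) if sep and port.isdigit() else (url.lower(), 443)
    u = urlsplit(url)
    return (u.hostname or "").lower(), u.port or (443 if u.scheme == "https" else 80)


def match_indicator(host: str) -> Optional[str]:
    """Exact IP match, or the listed domain itself and any of its subdomains."""
    if host in REVETON_IPS:
        return f"ip:{host}"
    for dom in REVETON_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return f"domain:{dom}"
    return None


def scan(lines) -> List[Dict[str, object]]:
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a request record; skip rather than crash
        host, port = destination(m["url"])
        ioc = match_indicator(host)
        if ioc:
            hits.append({"client": m["client"], "method": m["method"], "host": host,
                         "port": port, "ioc": ioc, "unusual_port": port not in EXPECTED_PORTS})
    return hits


def clients_affected(hits) -> Dict[str, int]:
    """Hit counts per internal client, the unit an incident responder triages by."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


# Constructed log lines: addresses from the entry; timestamps, clients and paths invented.
SAMPLE_LOG = """\
1348002345.112    210 10.0.0.23 TCP_MISS/200 51234 GET http://37.139.53.204/get.php?ver=3 - DIRECT/37.139.53.204 application/octet-stream
1348002346.004     95 10.0.0.23 TCP_MISS/200 812 GET http://whatwillber.com/img/fbi_en.jpg - DIRECT/204.45.15.202 image/jpeg
1348002350.771   1203 10.0.0.23 TCP_TUNNEL/200 4410 CONNECT 199.115.114.209:443 - DIRECT/199.115.114.209 -
1348002351.001     40 10.0.0.44 TCP_MISS/200 9001 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1348002352.333     60 10.0.0.44 TCP_MISS/200 1200 GET http://notwillber.com/x - DIRECT/203.0.113.5 text/html
1348002353.500     30 10.0.0.51 TCP_MISS/200 300 GET http://85.143.166.132:8080/c - DIRECT/85.143.166.132 text/plain
""".splitlines()

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h)
    print(clients_affected(found))
```

The domain match is suffix-based on a dot boundary so that notwillber.com is not mistaken for willber.com, and CONNECT records are handled separately because the proxy never sees a URL for a TLS tunnel, only host:port; a sweep that only looks at http:// URLs misses the port 443 traffic the entry describes.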

Disables Windows components

Some Reveton variants can stop the Windows firewall. They also prevent you from running Task Manager while your screen is locked.

Related encyclopedia entries

Ransom:Win32/Reveton!lnk

PWS:Win32/Reveton

Analysis by Amir Fouda and Edgardo Diaz


Symptoms

The following can indicate that you have this threat on your PC:
  • You have these files:
    • <startup folder>\ctfmon.lnk
    • <startup folder>\task scheduler.lnk
    • <startup folder>\runctf.lnk
    • <startup folder>\<random file name>.dll.lnk
    • Lock.dll
    • FileMem.dll

  • You see these entries or keys in your registry:
    • In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
      Sets value: "%ALLUSERPROFILE%\Application Data\task scheduler\Task Scheduler.exe"
      With data: "disablenxshowui"
    • In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
      Sets value: "NoProtectedModeBanner"
      With data: "1"
    • In subkey: HKCU\Software\Microsoft\Internet Explorer\Toolbar
      Sets value: "Locked"
      With data: "1"
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
      Sets value: "1609"
      With data: "0"
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
      Sets value: "1609"
      With data: "0"
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
      Sets value: "1609"
      With data: "0"
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
      Sets value: "1609"
      With data: "0"
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
      Sets value: "1609"
      With data: "0"
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
      Sets value: "DisableTaskMgr"
      With data: "1"
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      Sets value: "HideIcons"
      With data: "1"
  • You see the same images as shown in the Payload section

Prevention


Alert level: Severe
This entry was first published on: Aug 30, 2012
This entry was updated on: Jul 13, 2015

This threat is also detected as:
  • FBI virus (other)
  • FBI moneypak (other)
  • Lockscreen (other)