PARIS - The hunt lasted for more than a year. In February, the Spanish police announced that they had arrested 11 people suspected of belonging to one of the most sophisticated cybercrime networks in the world.
The hackers were from Russia, Ukraine and Georgia. They had created a super-virus called Reveton, specifically designed for cyber-kidnapping. This malware is capable of accessing any computer and blocking all access to the machine and its data. When the user tries to use his computer, a message pops up demanding a ransom – of 100 to 200 euros – to unlock it.
These kinds of viruses are called “ransomware” and have fast become a cybercriminal’s favorite weapon.
The perfect con
According to Symantec’s annual Norton Cybercrime Report, every second 18 adult Internet users are a victim of cybercrime – one and a half million victims every day around the world. And the phenomenon is growing.
The McAfee antivirus company recorded 120,000 new ransomware viruses in the second quarter of 2012, a fourfold increase from the previous year. This is because ransomware is much more efficient than phishing, which consists in obtaining the user’s banking information in order to empty his account.
Symantec researchers recently estimated that ransomware scams net $5 million a year. But this is only the tip of the iceberg: “Only 2.9% of all people affected by ransomware end up paying the ransom, but this number is increasing,” says Candid Wueest from Symantec. “As the amounts are relatively low, victims rarely press charges.” The hackers, who are rarely caught, can make up to $33,000 a day, according to Symantec.
[Screenshot of a ransomware - Source: FBI]
Pierre Siaut, a French security expert at TrendMicro who participated in the hunt for the Reveton hackers, says, “This case was particularly interesting. The Reveton malware displayed a message identical to the ones sent by the police: logo, legal references, fines.”
The Reveton virus is part of a recent spate of “police themed” ransomware, which use law enforcement imagery to send official-looking warning messages. The messages claim the user’s computer is locked because its user visited websites linked to terrorism or child porn etc., and say users must pay a fine for the computer to be unlocked.
With this elaborate scam, the victim is much more liable to pay up. Reveton is so elaborate that it is even able to identify the user’s language and country through the computer’s IP address. This information enables the virus to issue a tailored message with specific references to the country’s legislation.
According to the police, the gang behind Reveton has netted millions of euros in more than 30 – mostly European – countries. Europol, the European police agency believes that there have been at least 20,000 victims of this virus.
Hunting down the hackers
In a normal cyber-kidnapping situation, the ransom is often asked in virtual money. The user must then convert his money into virtual currency via services like Ukash or MoneyPak, and then enter a code in his blocked computer. The computer will not do anything, but the money will be automatically transferred to the pirate, who will then launder it through a casino or poker website. He will play for a few minutes and then cash out from the game and collect his euros.
“In the Reveton case, the message asked to pay with prepaid cards,” says Pierre Siaut. “The victim was asked to buy a prepaid card at a service station and enter a code to transfer the money.” This is why it was so difficult to hunt down the cybercriminals, says Siaut: “The prepaid cards are almost impossible to trace on the Internet.”
Pierre Siaut says that instead of following the money trail, he had to follow the hackers’ trail. “We discovered that they had hacked into the databases of news websites. “They retrieved the registered users’ personal data, and then sent them spam luring them into fake websites.” The Reveton Trojan, which was hidden in the code of the fake website, used flaws in web browsers to install the ransomware on the victim’s computer.
The pirates had also managed to target users that were liable to engage illegal activity on the Internet, such as visiting child porn sites.
“These arrests are the results of months of research, investigation and analyses to help the police. We had a special team on the case,” says Pierre Siaut. The terrible thing, he says, is Reveton is still active: “We couldn’t take it down completely.” Europol has, for now, detected no less than 48 active Reveton mutations.