In May 2012, the Internet Crime Complaint Center posted an alert about the Citadel malware platform used to deliver ransomware known as Reveton. The ransomware directs victims to a drive-by download website, at which time it is installed on their computers. Ransomware is used to intimidate victims into paying a fine to “unlock” their computers. Paying the fine does nothing to solve the problem with the computer; do not follow the ransomware instructions. The ransomware has been called “FBI Ransomware” because it uses the FBI’s name.
The ransomware is pushed to victims’ computers when they browse common websites, specifically when they query popular search terms. Once the web browser is exploited, the victim’s computer displays a pop-up warning that appears to be from the FBI. Cyber criminals use “FBI.gov” within the URL to make the warning appear more legitimate.
As the FBI saw in 2012, the warning accuses victims of violating various U.S. laws, then locks the user’s computer. To unlock the computer and avoid legal issues, victims are told they must pay a $300 fine via a prepaid money card. Attempts to close the warning page results in additional messages that reappear each time victims try to close their web browser.
The simplest way to remove the ransomware’s iframes is by clicking on the Safari menu and choosing the “Reset Safari,” option, making sure all check boxes are selected. You may also hold down the Shift key while relaunching Safari, which will prevent Safari from reopening windows and tabs from the previous session. Victims can also disable the reopening feature across OS X from the General pane of System Preferences.
Ransomware messages are an attempt to extort money. If you have received a ransomware message, do not follow payment instructions. Be sure to file a complaint at www.IC3.gov.
Update: Citadel Malware Continues to Deliver Reveton Ransomware in Attempts to Extort Money (July 27, 2013)
The FBI’s Internet Crime Complaint Center (IC3) and the Department of Homeland Security (DHS) have recently received complaints regarding a ransomware campaign using the name of DHS to extort money from unsuspecting victims.
In May 2012, the IC3 posted an alert about the Citadel malware platform used to deliver ransomware known as Reveton. The ransomware directs victims to a download website, at which time it is installed on their computers. Ransomware is used to intimidate victims into paying a fine to “unlock” their computers. The ransomware has been called “FBI Ransomware” because it frequently uses the FBI’s name, but similar ransomware campaigns have used the names of other law enforcement agencies such as DHS and IC3.
As in other variations, the ransomware using the name of DHS produces a warning that accuses victims of violating various U.S. laws and locks their computers. To unlock their computers and avoid legal issues, victims are told they must pay a $300 fine via a prepaid money card.
This is not a legitimate communication from law enforcement, but rather is an attempt to extort money from the victim. If you have received this or something similar, do not follow the instructions in the warning, and do not attempt to pay the fine.
It is suggested that you:
- Contact a reputable computer expert to assist with removing the malware.
- File a complaint at www.IC3.gov.
- Keep operating systems and legitimate antivirus and antispyware software updated.