Tuesday, December 11, 2012

New "drive-by" ransomware impersonates the FBI, seems to have affected thousands in US already

Various media sources have reported a piece of malware that seems to take the form of a “drive-by” attack (triggered upon visiting certain infected websites), called “Reveton” or “Moneypak” (these may be related but distinct items). It interrupts the user’s (Windows) session with a warning purporting to be from the FBI (or IC3) that the computer is locked, along with a demand to pay a ransom through a credit card. Of course, paying the ransom doesn’t free the computer. This is somewhat different from some previous malware in that it doesn’t appear to offer “fake” anti-virus software. It may disable existing anti-virus software, particularly if it is out-of-date.

The FBI (in Tennessee) has a warning about the item here.

Of course, the FBI and other law enforcement agencies and police departments do not interrupt users with malware like this (although maybe the Stuxnet planted against Iran makes people wonder). Law enforcement normally contacts or apprehends suspects directly.

The IC3 version is described in SC Magazine here.

Station WJLA in Washington DC has a story today on the item.

Norton offers a removal tool for this item, which may not work in all environments, here. It may work even if you use a different anti-virus product, but it is better to contact your own anti-virus company.

Botcrawl has the most detailed discussion of “Moneypak” that I can find, with very detailed removal instructions (involving Windows commands and safe mode). The user may want to print this out. The link is here.

The virus seems to make use of the webcam on a PC or laptop. Many users would have to take an infected computer to a service (like Geek Squad) to unlock the machine. It’s a good idea to have a service contract (about $200 a year) if you have several computers and laptops.
