A veteran strain of ransomware called Reveton has mutated once again and is now infecting Windows PCs in the United States and abroad by disguising itself as Windows library, or DLL, files, in order to better escape the notice of victims.
Once it infects a computer, the new version of Reveton behaves much as its predecessors have: It locks the computer screen with an official-looking notice purporting to be from police or another law enforcement agency, along with a warning that the user has broken laws (often related to sexual images) and must immediately pay a "fine."
Reveton is not crypto-ransomware, which gained prominence with the rapid spread of the Cryptolocker Trojan in late 2013. But as a direct descendant of the still-fearsome Zeus Trojan, Reveton, which first appeared in early 2012, is hardy and remarkably adaptable. Earlier this year, a Reveton variant for Android devices was discovered, followed by a strain of Reveton that combed Windows files for passwords, Bitcoin wallet and other sensitive information.
Researchers at Japanese antivirus security company Trend Micro have noticed that Reveton has changed up its PC infection method by making the infecting file a .DLL (dynamic link library) file instead of a .EXE (executable) file. As a .DLL file, Reveton shows up in a computer's Task Manager as "regsvr32" or "rundll32," both common processes that relate to .DLLs. This way, users are less likely to notice any suspicious activity.
The new Reveton variants go in the guise of notices from the U.S. Department of Homeland Security that tell device users "the work of your computer has been suspended on the grounds of unauthorized cyber activity" and that they have 48 hours to pay a $300 fine via MoneyPak.
"It might be jarring for users to suddenly receive a message supposedly sent by law enforcement agencies," Trend Micro research engineer Alvin Bacani wrote in a company blog post about the new Reveton strain. "However, they need to keep in mind that this is just a tactic intended to 'scare' users into paying the fee."
The United States seems to have the most infections of this new Reveton variant, at 62 percent of detected infections. Second is Australia at 13 percent, then Germany with 7 percent, Canada with six percent, and Italy, New Zealand and the United Kingdom each comprising only one or two percentage points.
Unlike crypto-ransomware, Reveton can be defeated, albeit through frequently arduous methods. Perhaps the easiest way is to run an antivirus "rescue disk" from a CD, DVD or USB drive that will scan the Windows directory for hard-to-remove malware.
Alternately, you can reboot the computer while holding the F8 key, which enables booting in "safe mode." If that fails, try rebooting from a CD, DVD or USB drive that lets you access the Windows directories.
In either case, look for suspicious .LNK files in both the user startup folders (C:UsersusernameAppDataRoamingMicrosoftWindow sStart MenuProgramsStartup) and the general startup folder (C:ProgramDataMicrosoftWindowsStart MenuProgramsStartup) and remove the files.