This weekend one of my most computer-savvy family members had their security-hardened laptop brought to its knees by the Citadel Reveton Ransomware. This is the story of an infected laptop and attempts at cleaning up a very advanced set of malware.
The Reveton Ransomware was first noticed in August 2012 with its very public attempt to extort money from unsuspecting users. The Ransomware locks up the victim’s computer with an official-looking FBI message that states the victim has been caught downloading child pornography or other illegal materials and that the victim must pay a fine to regain access to their computer and to clear the offending violation. Reveton is region specific: if your computer is in Germany, you will see a message from the German authorities.
The Reveton Ransomware is installed via the Citadel Malware platform. Citadel is an evolution of the infamous Zeus malware. Zeus was first introduced in 2007, targeting financial industry computers and accounts. Citadel, just like its predecessor, is designed to steal credit card / bank account numbers and login credentials while adding the computer to the Citadel botnet to use it as a base of attack on other machines.
Both Zeus and Reveton are stealthily installed on a victim’s computer with a drive-by-download attack, most often using the Blackhole exploit kit. The Blackhole exploit kit is a cloud-based, pay-for-service malware, or malware-as-a-service (MaaS), platform that installs web browser exploits on unsecured web servers for the purpose of installing malware on victims’ computers. In September 2012 Blackhole 2.0 was released with new exploits and antivirus circumvention technologies.
When a user visits an infected website, Blackhole exploits a vulnerability in the user’s web browser to install Citadel. Citadel then installs Reveton.
The Laptop Story:
We are not sure how the laptop became infected; it was probably from visiting a sports-related website.
The standard operating procedure with a malware infection is to download software like Malwarebytes and run it several times to remove the infection. Unfortunately, Reveton locks the screen, preventing web browsing and other computer activities and forcing the cleanup to take a more indirect approach. This computer did have up-to-date antivirus running, but it did not detect the malware.
It is important to remember that even if you remove the Reveton Ransomware, the Citadel trojan is still running in the background collecting all your passwords and credit card numbers. You must make sure to remove both Citadel and Reveton.
The first step to remove this malware is to turn off all network access by either pulling the network cable or disabling the wireless card.
Removal approach 1: (this did not work)
Boot system into safe mode (Press F8 on boot) without networking and run Malwarebytes from a USB stick. Malwarebytes did find and delete parts of the virus, but when the machine was rebooted into full mode with networking the ransom screen returned.
Removal approach 2: (this worked but is very technical. If you are not experienced with modifying system files, please consult technical support. Misconfiguring the system files could easily render your system inoperable.)
The second approach involved the application RogueKiller (Fr). RogueKiller searches and detects hidden System Service Dispatch Table (SSDT) hooks (rootkits), hidden processes, and corruption / changes to the Master Boot Record (MBR). RogueKiller does not actually delete anything; you will have to manually make changes to your system.
RogueKiller was able to find all sorts of bad files, registry keys, processes, etc., and through manual deletion the infection was removed. Unfortunately, one of the side effects of the infection is that many of the folder and file permissions were changed, causing problems with security certificates, disk encryption, and application execution.
The laptop has now been straightened out and is hopefully virus free.
There are many variants of the Citadel and Reveton malware in the wild. While the above approach worked to remove the virus, you may find that it is not successful for your computer. If you are still infected after running anti-malware and anti-virus software, search the internet for other solutions before resorting to wiping the computer and reinstalling the operating system.
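One of the checks mentioned above, detecting changes to the Master Boot Record, can be illustrated by comparing a copy of sector 0 against a known-good baseline. This is an added example, not RogueKiller's code or its method; the function names and the sample sectors are constructed for illustration, and it assumes a classic 512-byte MBR layout.

```python
import hashlib
import struct

BOOT_CODE_LEN = 440    # bytes 0-439 hold the bootstrap code
PART_TABLE_OFF = 446   # four 16-byte partition entries start here
ENTRY = struct.Struct("<B3xB3xII")  # status, CHS, type, CHS, LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition list and signature flag."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for slot in range(4):
        status, ptype, lba, count = ENTRY.unpack_from(sector, PART_TABLE_OFF + 16 * slot)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append((slot, status == 0x80, ptype, lba, count))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:] == b"\x55\xaa",
    }

def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable findings; an empty list means no change detected."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not new["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if old["partitions"] != new["partitions"]:
        findings.append("partition table differs from baseline")
    return findings

def build_sample_mbr(fill: int) -> bytes:
    """Constructed sample sector: filler 'boot code' plus one active type-0x07 partition."""
    entry = ENTRY.pack(0x80, 0x07, 2048, 204800)
    return bytes([fill]) * 446 + entry + bytes(48) + b"\x55\xaa"

BASELINE = build_sample_mbr(0x11)   # constructed known-good copy
MODIFIED = build_sample_mbr(0x22)   # constructed copy with altered boot code

if __name__ == "__main__":
    print(compare_mbr(BASELINE, BASELINE))
    print(compare_mbr(BASELINE, MODIFIED))
```

On a real system the two inputs would be the first 512 bytes of a disk image taken while the machine was known to be clean and the same bytes read after the suspected infection.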
If your computer is infected with Ransomware remember:
- Do not panic!
- Do not pay the ransom. These are criminals that only want your money.
- Ask a trusted friend or the Service Desk (617-373-4357) for assistance
SecureNU: Steps to prevent malware infections
RogueKiller.Com: English Translation
Full Screenshot of the: FBI Ransomware