FBI MoneyPak Ransomware

Technical name: Reveton Ransomware
Classification: Ransomware
Origin: United Kingdom
Written in: English
[Image: FBI logo used in the ransomware]
[Image: The ransom note left on an infected computer. The ransomware fraudulently claims that the user must pay a "fine" to the FBI.]

The FBI MoneyPak Ransomware, also known as Reveton, is ransomware that displays a screen purporting to come from a national police agency (such as the United States Federal Bureau of Investigation), claims that the computer or smartphone has been locked because of "illegal activities", and demands a ransom paid with Green Dot MoneyPak prepaid cards to unlock the device. [1] [2]


Operation

Infection typically begins when the victim accidentally downloads the malware or visits a compromised website that runs an application with modified JavaScript. [3] The malware then displays a splash screen carrying the FBI's official logo and a warning that the computer has been locked. [1] Depending on the variant, the stated reason is usually alleged copyright violations and/or child pornography offences; [4] some versions also cite other crimes, such as terrorism and gambling. [5] The screen also shows what it claims is the victim's IP address and sometimes a still image from the victim's webcam. It then demands a "fine" of between $100 and $1,000, payable with prepaid MoneyPak cards, to release the device, [1] and threatens that a criminal investigation will be opened against the owner if the payment is not made. [1] The malware uses an iframe loop to prevent the user from leaving the website or closing the browser. [3] Because the malware is installed on the device, dismissing the lock screen is not enough; it still has to be removed. [6]
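The lock-screen behaviour described above (police branding, a displayed IP address, a webcam still, an iframe loop that fights attempts to leave the page, and a prepaid-card "fine") can be turned into a simple triage heuristic for captured web pages. The following Python is an added example written for this page, not code from the article, the FBI or any vendor: the indicator patterns, the verdict threshold and the two sample pages are constructed for illustration and are assumptions, not tested detection rules.

```python
"""Heuristic triage of a captured HTML page for Reveton-style browser-lock
indicators. Standard library only. Everything here is an illustration written
for this page: patterns, thresholds and sample pages are constructed, not
signatures taken from the article, the FBI or any vendor."""
import re
from html.parser import HTMLParser

# Textual indicators drawn from the behaviour the article describes.
_PATTERNS = {
    "police_branding": re.compile(r"\b(FBI|Federal Bureau of Investigation)\b", re.I),
    "lock_message":    re.compile(r"\b(computer|device) (has been|is) (locked|blocked)\b", re.I),
    "prepaid_ransom":  re.compile(r"\bMoneyPak\b", re.I),
    "fine_amount":     re.compile(r"\$\s?(\d{3,4})\b"),          # e.g. "$300"
    "displayed_ip":    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # JavaScript that fights the user leaving the page (unload handlers).
    "unload_trap":     re.compile(r"on(before)?unload\s*=|addEventListener\(\s*.(before)?unload", re.I),
    # Webcam capture behind the "still from the user's webcam".
    "webcam_capture":  re.compile(r"getUserMedia", re.I),
}
# A timer that keeps steering the browser back to the lock page.
_LOOP_SCRIPT = re.compile(
    r"(setInterval|setTimeout)\s*\(.{0,160}?(location\.(reload|href|replace)|window\.open)", re.S)


class _PageScan(HTMLParser):
    """Collects iframe targets and inline script bodies from the page."""
    def __init__(self):
        super().__init__()
        self.iframe_srcs, self.scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframe_srcs.append(dict(attrs).get("src") or "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def analyse_page(html, page_name):
    """Return the indicators found plus a verdict. `page_name` is the file name the
    page was served as; it is used to spot an iframe that embeds the page itself."""
    scan = _PageScan()
    scan.feed(html)
    hits = {}
    for name, rx in _PATTERNS.items():
        m = rx.search(html)
        if m:
            hits[name] = m.group(0)

    # "iframe loop": the page embeds itself, or a script keeps reloading it,
    # so closing the frame or tab does not get rid of the lock screen.
    self_ref = [s for s in scan.iframe_srcs if s.rsplit("/", 1)[-1] == page_name]
    loop = _LOOP_SCRIPT.search("\n".join(scan.scripts))
    if self_ref:
        hits["iframe_loop"] = self_ref[0]
    elif loop:
        hits["iframe_loop"] = loop.group(0)

    # The article reports demands between $100 and $1,000.
    amount = int(hits["fine_amount"].lstrip("$ ")) if "fine_amount" in hits else None
    in_range = amount is not None and 100 <= amount <= 1000

    # Assumed verdict rule: a lock-in mechanism plus several content indicators.
    traps = "iframe_loop" in hits or "unload_trap" in hits
    return {"indicators": hits, "fine_usd": amount,
            "fine_in_reveton_range": in_range,
            "likely_browser_locker": traps and len(hits) >= 4}


# Constructed sample pages (not real captures). 203.0.113.0/24 is a documentation range.
LOCKER_HTML = """<html><head><title>Your computer has been locked</title>
<script>
window.onbeforeunload = function () { return "Leaving this page is an offence"; };
setInterval(function () { if (!document.hasFocus()) { location.href = "lock.html"; } }, 500);
navigator.mediaDevices.getUserMedia({video: true});
</script></head>
<body><h1>FBI. Federal Bureau of Investigation</h1>
<p>Your computer has been locked due to the viewing of illegal content.</p>
<p>Your IP address: 203.0.113.45</p>
<p>To unlock your computer you must pay a fine of $300 with a MoneyPak card.</p>
<iframe src="lock.html"></iframe>
</body></html>"""

ADVISORY_HTML = """<html><head><title>New Internet scam</title>
<script>document.addEventListener("DOMContentLoaded", function () {});</script></head>
<body><h1>Federal Bureau of Investigation</h1>
<p>The FBI warns that a fake "fine" demanding MoneyPak payment is a scam. Do not pay it.</p>
<iframe src="https://www.example.com/embed/video"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("lock.html", LOCKER_HTML), ("scam.html", ADVISORY_HTML)):
        print(name, analyse_page(page, name))
```

The second sample matters as much as the first: a genuine advisory mentions the FBI and MoneyPak too, so keyword hits alone should not fire. The verdict only triggers when a lock-in mechanism (self-embedding iframe, reload timer or unload handler) is present alongside the ransom content, which is the combination the article describes.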

Reaction

In 2012 the FBI published advice about the FBI MoneyPak virus, telling victims not to pay the ransom and confirming that the warning did not come from the FBI and that the FBI had not locked their computers. [7] It also advised users to have the ransomware removed by a reputable PC security firm and to report the incident to the Internet Crime Complaint Center (IC3). In 2018 the FBI announced that, working with the United Kingdom's National Crime Agency (NCA), it had arrested several people who distributed the malware in the United States, and that the NCA had arrested the virus's creator in the United Kingdom. [7]

Some victims believed the lock screen was a genuine FBI warning. One man complained to police that the FBI had blocked his phone over child pornography, a lock that was in fact the ransomware; in doing so he admitted that he did possess child pornography and was arrested. [8]


References

  1. "Hand-to-hand combat with the insidious 'FBI MoneyPak ransomware virus'". Forbes. Retrieved 4 January 2019.
  2. "Reveton ransomware". FBI. 10 August 2012. Retrieved 1 April 2019.
  3. "FBI MoneyPak ransomware". Government of New Jersey. 5 July 2016. Retrieved 4 January 2019.
  4. "New Internet scam". FBI. 9 August 2012. Retrieved 4 January 2019.
  5. "Ransomware abettor sentenced". FBI.
  6. "Remove the FBI MoneyPak ransomware or the Reveton trojan". bleepingcomputer.com. 5 July 2012. Retrieved 4 January 2019.
  7. "Ransomware abettor sentenced". FBI. 6 December 2018. Retrieved 4 January 2019.
  8. "Man gets fake FBI child porn alert, arrested for child porn". CNET. 26 July 2013. Retrieved 4 January 2019.