Seized Server Yields Details on Icepol (aka, Reveton) Ransomware Infections


The malware was ransomware known as Icepol, better known as Reveton in the US.

The distribution method, says BitDefender, "suggests a pyramid scheme, as the analyzed server downloads files from another domain but functions, itself, as a malware download location for sub-affiliates." In the five months before the September seizure, this server logged 267,786 successful installs of the malware, with most of them in the US.

"The Icepol ransomware," explain the researchers, "adds itself to the Startup Registry key in order to ensure persistence after every reboot. As soon as the computer starts, the screen gets locked and displays a message in the user’s language, if the user is located in a country that speaks one of 25 languages. The message states that the computer got locked as suspicious activity (download of copyrighted material or of 'illegal pornography') was detected. Of course, the system can be unlocked by paying a ransom, euphemistically described as a 'fine.'"

Victims paid a total of 158,376 monetary units (thought to be US$), with more than 32,000 coming from the US in order to unlock their computers.

Further details were announced in a press statement (in German) released on Wednesday. The three most infected countries were the US (42,409), Germany (31,709) and Italy (24,863). It is being reported elsewhere that more than 10,000 infections took place in the UK. All of this comes from just one distribution server in the pyramid scheme. 

"The Romanian server is part of a large distribution system of malicious programs that may consist of dozens of similar servers," explains BitDefender. "These are organized like a pyramid, with a number of partner servers connected to a C&C server, which is responsible for the distribution of malware. The Romanian unit originally communicated with a C&C server in the Netherlands."

The seized server had two primary functions: to distribute the Icepol ransomware, and to run a pay-per-click fraud operation using a traffic exchange mechanism. "The criminal underworld apparently has malware distribution networks (MDN) that work in a very similar manner to legitimate CDNs, even down to transfer and syndication models for fundraising," commented Catalin Cosoi, chief security strategist at Bitdefender.

Ransomware generally uses one of two methods – locking the computer or encrypting its content. Icepol uses the former method. Since the success of CryptoLocker from the latter part of last year, however, many security experts now believe that ransomware will increasingly migrate from locking to encrypting.
