Chris Boyd, a senior threat researcher at ThreatTrack Security, announced yesterday, "Today we saw a Reveton hijack which ditches the locked desktop in favour of something a little more old school – horror of horrors, a piece of Fake AV called Live Security Professional."
The original malware is clearly Reveton. It is delivered via an exploit kit from an URL that victims are enticed to visit. In particular, says Boyd, "It drops the familiar .pad and .js associated with Reveton, using rundll32.exe to launch a .dll file." In other words, "it behaves like Reveton except that it doesn’t lock the screen and uses a rogue instead which is an interesting shift in tactics." This is a sudden volte face, he adds, "given that Ransomware is currently pulling out all the stops to hijack end-users and force them to pay up."
Infosecurity asked Graham Cluley what might be behind this change of tactics. He thinks it might simply be the criminals mixing it up. "When you're producing dozens and dozens of new variants of a piece of malware all doing the same thing", he told Infosecurity, "it must be tempting to mix things up from time to time, and try something new... or attempt an old trick again to see if it catches anyone out."
Ransomware could even have become a victim of its own success. As it becomes more and more prevalent it's likely that its success rate reduces: "So why not have another go at a fake anti-virus scam instead?"
Luis Corrons, technical director at PandaLabs, takes a similar view – but paints a highly organized picture. "Cybercriminals have certain notions of marketing and sales", he told Infosecurity, "and they put them into practice. These cybercriminal gangs focused on ransomware are also diversifying infections. We have seen how the same guys are infecting with 'police virus' waves, and then changing to ransomware, then going back, and so on. I guess that the odds on the same victim paying twice for the same scam are lower than paying for two different scams. In this scenario, using a third option (fake AV) makes some sense."
After all, he suggests, it's cheap. "They can reuse all their infrastructure, they can infect users through the same ways, they can encrypt and change their binaries using the very same tools, and so on."
Cluley doesn't think much of an alternative motive. Ransomware criminals are thought to keep their activities relatively low-key in order to avoid the full ire of law enforcement. Could this be, then, the bad guys temporarily taking the heat out of the situation?
Cluley thinks not, suggesting that the ransom isn't set higher than it usually is because "people simply wouldn't be able to pay it, and so would investigate other ways to get around the problem (either by contacting the cops to say that they hadn't been doing anything naughty, or finding out how to unlock their computer)."
The real reason for his doubts, however, is that he believes the criminals don't think they can be caught. "They will carry on using ransomware to steal money from the innocent for as long as it is financially beneficial to them, or until another way of stealing money proves more effective."
Which leads us to a third option: this is simply a new gang or existing gang that has started to use Reveton to deliver its own expertise: fake AV. Reveton is traditionally associated with the Citadel botnet. This new version, says Chris Boyd, is delivered by the Sweet Orange exploit kit.