A Russian man accused of being a key figure behind the notorious and hugely successful Reveton “police ransom” malware, which has successfully blackmailed thousands of PC users across the world, has been arrested in Dubai, Spanish police announced last week.
Unpicking exactly what has happened will be difficult – such gangs are global concerns with multiple outlets – but the arrest could be of major significance.
According to security firm Trend Micro, which said it had collaborated in tracking down the perpetrators, police traced the unnamed man through the operation's payment channel, which was funnelled through Spain.
Payment is the one weakness of ransom malware, which typically depends on blackmailing its PC victims into sending money in order to have control of their PCs unlocked and ‘returned’ to them.
Reveton’s attack method was to convince infected users that they had been detected as having committed a non-existent computer crime and that they should pay a fine to a police force localised to the victim’s home country.
Failure to do so would render the PC unusable or block access to its files, leaving only the ability to open a web browser in order to pay the ransom.
This was accepted in PaySafeCard/UKash vouchers, which were, Trend said, laundered into real cash before being forwarded to the arrested man’s gang.
Police said the Spanish operation netted one million euros per year, likely only a fraction of what was being made globally. A further ten people associated with the operation were also picked up, including Ukrainians, Russians and Georgians, police said.
“These arrests are a tremendous result from the ongoing work and collaboration between the Spanish police and Trend Micro’s eCrimes unit, which works extensively and collaboratively with law enforcement authorities across the globe,” said Trend Micro.
The exact number of victims will likely never be known – and new victims are still being claimed by Reveton even now – but must run to hundreds of thousands at a minimum.
In August, the FBI warned US consumers about Reveton after being “inundated” with reports of infections.
Ransom malware has grown into a major headache for police forces, partly because it has affected the SME sector especially badly, sometimes in conjunction with targeted attacks on small businesses, including one small Australian medical centre that had its entire database encrypted.
Exactly how many crime hubs are using the ransom technique is hard to know; Reveton is certainly not the only such campaign out there. A recent Symantec report estimated the profits from ransom attacks to be huge.
It is unlikely that the arrests will make more than a modest dent in either Reveton or ransomware in general.
“Before we all start celebrating, it must be said that in our opinion, based on our research of the Police Virus [Reveton], there is more than one group behind the attacks,” commented Luis Corrons of antivirus firm Panda Security.
“We’ve reached this conclusion after having studied multiple variants of this malware over time and having detected numerous striking differences among them.”