Reveton ransomware - exposed, explained and eliminated

Uploaded by SophosLabs on 29.08.2012

Hello everybody.
By special request of Naked Security readers, here's a quick video about Ransomware.
In other words, malicious software that locks you out
and demands money to let you back in.
Today's ransomware example is known as "Citadel", or "Reveton",
or simply as "Troj/Ransom".
It can get onto your PC in lots of ways:
via an email attachment, on a USB key, from a poisoned website.

But what matters is what happens when it triggers.
It'll kill off your desktop, fill the screen with a browser window,
and then lock you out of everything, except for a "now you've got to pay a fine" page.

Some variants even activate your webcam so you think you're under surveillance.
It'll show you your computer's IP number.
It gives you a reason for the fine - usually claiming it's got
something to do with copyright infringement.
It specifies an amount you can pay to avoid criminal charges.
And it shows you how to pay, usually using some largely anonymous online mechanism.

And you won't only see the FBI's logo.
The crooks have also prepared web pages for Belgium, and Canada, Finland,
Greece, Sweden, the UK and loads more.
So. If this happens to you:
Number one. Don't panic.
The damage is already done, and in this particular case, you can probably recover just fine anyway.
Number two. Whatever you do, don't pay up.
After all, the only thing you know about the guys behind the web page
is that they are crooks.
And number three. Talk to someone you know and trust for help.
How to clean up depends on lots of things; here I'm going to use the
Sophos Bootable Anti-Virus, or SBAV.
This lets me bypass Windows during bootup, so no malware can get in the way,
and it means I can then scan and clean my hard disk.
And this is using Sophos Anti-Virus for Linux running straight out of memory.
And that's that. Sorted!
When I reboot, I get back control of my PC.
And, by the way, a properly updated anti-virus
would almost certainly have prevented all of this in the first place.

So, please, keep your anti-virus up to date and activated,
and stay current with software patches.
Both of these make things harder for the bad guys.
And remember, when it comes to cybercrooks:
"Don't buy, don't try, don't reply."
They have only your worst interests at heart.
Thanks for listening, folks, and until next time, stay secure.