Reveton ransomware now comes with password stealers

The Reveton screen-locking ransomware is still with us, and it’s evolving. According to Avast researchers, the latest generation of the malware also includes information stealing capabilities.

One of the new modules is Pony, a universal password stealer that occasionally gets added to trojans that have a modular structure.

“Pony authors conduct deep reverse engineering work which results in almost every password decrypted to plain text form. The malware can crack or decrypt quite complex passwords stored in various forms,” the researchers shared.

The module collects information such as local passwords, credentials for FTP clients, download managers, email and IM clients, online poker clients, passwords stored in browsers, VPN credentials, and so on. All in all, Pony affects more than 110 applications, but if that is not enough, Reveton contains a link to download an additional password stealer.

New Reveton variants also have two additional information stealing modules: one that steals passwords of the most widely used digital wallets, and one that searches browser history and cookie files for banking credentials.

Even the lockscreen module has been upgraded. “The authors divided the program into multiple threads, changed the encryption, saved the payload to registry, and recreated communication with C&C servers,” the researchers noted.

It seems that Reveton developers have decided to diversify the malware’s capabilities in the wake of the onslaught of ransomware. It’s likely that users are getting wiser and are not getting scared into paying up as much as before.

The information stealing modules can provide the malware peddlers with at least some passwords they can sell on underground markets. “Passwords to various systems and crypto currency wallets are a very lucrative commodity,” the researchers noted. “Some passwords (FTP, emails, IM…) are perfectly suited for spreading their malware and build stronger botnets.”

Users are urged to regularly back up their files so that their computer can’t be held for ransom in this type of scheme. Users who have fallen victim to these newer Reveton variants can follow Avast’s disinfection instructions and are urged to change passwords for all accounts and online services as soon as possible.



