Also known as: It has no widely used aliases, but it is sometimes referred to as "Police ransomware" or "FBI ransomware."
Category: Malware
Type: Trojan, ransomware
Platform: Primarily Windows, but has appeared on other platforms, too.
Variants: Win32/Reveton, Win64/Reveton, Win32/Reveton.A, Win32/Reveton.B, Win32/Reveton.C, Win32/Reveton.Q, Win32/Reveton.Y, Win32/Reveton.AJ, Win32/Reveton!lnk, among others.
Damage potential: File and system lockout, operational disruption, data theft, ransom demands, reputation damage, and financial loss.
Overview
Reveton is a ransomware strain that often disguises itself as a law enforcement message, falsely accusing victims of criminal behavior. It was first detected in Europe in 2012 and quickly spread to other regions.
Unlike modern ransomware that encrypts files, Reveton usually only locks users out of their computers with a full-screen warning that claims to come from a law enforcement agency, such as the FBI, Interpol, or the local police. It accuses the victim of illegal activity like piracy or possession of child pornography and demands that a "fine" be paid via online payment systems to restore access. The message is localized to the victim's region but always includes official-looking logos and the user's IP address, and sometimes even a live webcam feed, to make it seem real.
Reveton relies on social engineering and fear tactics to extort money. Sometimes it goes as far as showing the victim disturbing images to shame them into paying the ransom. Because the screen falsely accuses them of such behavior, victims may avoid seeking help from a friend or a professional.
Possible symptoms
You might only realize your computer is infected when a full-screen warning pops up, completely locking you out of your system. Although it rarely happens, Reveton might lock or encrypt your files until a ransom is paid.
You might also experience slow computer performance, unusual spikes in network activity, or unfamiliar processes running in Task Manager. Other signs to watch for include your webcam turning on by itself, changes in your browser settings and homepage, or the appearance of unusual shortcut files like “ctfmon.lnk” on your system.
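As a practical check for the shortcut symptom above, here is an added PowerShell hunting script; it is not part of the original page. It assumes the suspicious shortcut has been placed in a per-user or all-users Startup folder (an assumption, not something the page states) and that a shortcut named after a Windows binary such as ctfmon should resolve to that binary under System32; anything else is reported for a human to review.

```powershell
# Added example, not from the original page. Assumptions: the suspicious .lnk
# lives in a per-user or all-users Startup folder, and a shortcut named after a
# Windows binary (e.g. ctfmon.lnk) should resolve to %SystemRoot%\System32\<name>.exe.
function Find-SuspiciousStartupShortcut {
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),       # per-user Startup folder
        [Environment]::GetFolderPath('CommonStartup')  # all-users Startup folder
    )
    # Script/DLL hosts frequently used to launch a payload from a shortcut.
    $launcherHosts = @('rundll32.exe', 'regsvr32.exe', 'wscript.exe', 'cscript.exe',
                       'mshta.exe', 'powershell.exe', 'cmd.exe')
    $userWritable = '(?i)\\(AppData|Temp|ProgramData)\\'   # regex: user-writable dirs
    $system32 = Join-Path $env:SystemRoot 'System32'
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File) {
            $lnk = $shell.CreateShortcut($file.FullName)
            $target = [string]$lnk.TargetPath
            $lnkArgs = [string]$lnk.Arguments
            $targetName = [IO.Path]::GetFileName($target).ToLower()
            $reasons = @()

            # 1. Name mimics a System32 binary but the target is something else.
            $expected = Join-Path $system32 ($file.BaseName + '.exe')
            if ((Test-Path -LiteralPath $expected) -and ($target -ne $expected)) {
                $reasons += "named like $($file.BaseName).exe but targets '$target'"
            }
            # 2. Target is a launcher host whose arguments point into a user-writable path.
            if (($launcherHosts -contains $targetName) -and ($lnkArgs -match $userWritable)) {
                $reasons += "launches $targetName with arguments '$lnkArgs'"
            }
            # 3. Target binary itself lives in a user-writable location.
            if ($target -match $userWritable) {
                $reasons += "target resides in user-writable path '$target'"
            }
            if ($reasons.Count -gt 0) {
                [PSCustomObject]@{
                    Shortcut = $file.FullName
                    Target   = $target
                    Reasons  = ($reasons -join '; ')
                }
            }
        }
    }
}

# Report every flagged shortcut; an empty result means nothing matched the heuristics.
Find-SuspiciousStartupShortcut | Format-Table -AutoSize -Wrap
```

A hit is a lead for manual review, not proof of infection: installers legitimately place shortcuts in Startup, so compare the reported target against what you expect to find there.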
Sources of the infection
Reveton might get on your computer through:
- Drive-by downloads from compromised websites.
- Malicious advertisements (malvertising).
- Exploit kits.
- Spam emails with infected attachments or links.
- Bundles with other malware as a secondary payload.
Protection
The best way to protect yourself from ransomware, and any malware for that matter, is to be alert and follow standard cybersecurity practices. Here are some tips to help you stay safer:
- Regularly update your operating system and all applications to patch vulnerabilities.
- Avoid visiting unverified or suspicious websites that may host harmful files.
- Be cautious when downloading and installing software, especially from unfamiliar sources.
- Never click on suspicious links or open unexpected email attachments.
- Use NordVPN’s Threat Protection Pro™ to block malicious websites and harmful ads.
Reveton removal
Do not pay the ransom to remove the ransomware. Doing so will not guarantee that your system will be unlocked, and it will only encourage the attackers to continue their malicious activity. Instead, follow these steps to remove Reveton from your system:
- Disconnect the infected device from the network to avoid further damage.
- Restart your computer in Safe Mode.
- Use reputable antivirus software and run a full scan to detect and remove Reveton.
That said, relying on automated tools alone to remove Reveton can be risky, as they may not fully remove the infection. If you're uncertain or unable to remove the malware yourself, it's best to seek professional assistance.