Reveton – the universal extortion instrument
Researchers have been investigating not just the intricacies of the malware code that these ransomware programs deploy to infect your computer, but the money trail that is left by those who either don't know where to turn for help, or are intimidated by the threats included in the ransomware's blocking screen.
A French security expert and blogger known by the handle Kafeine and his colleagues from the botnets.fr project have managed to access a BlackHole exploit panel associated with Reveton distribution.
Blackhole and Styx exploit kits are often used to infect systems with this ransomware, and the most effective means of infection is by exploiting weaknesses in Java. The control panel shows this clearly.
Once a system is infected there is always the possibility that the user will look for ways to remove it, either by searching the internet for removal guides or by seeking help online in one or other of the self-help forums. Probably only rarely will a user pay to have the infection removed, since the cost of doing so is likely to be nearly as much as the ransom demanded, and the fear and embarrassment factor will militate against allowing outsiders to have access to the system.
What this means is that the success rate, for the ransomware distributors, is going to be less than they might hope for (which is why some of them are now resorting to encrypting files). The proportion of users who pay the ransom seems to differ from country to country, but the calculations derived from access to the control panel indicate that the controllers can count on receiving about 40,000 Euros per day. And that is from just one operation among many.
The money, of course, has to be laundered to get it back to the controllers, and they will expect to receive only a part of that 40,000 Euros. Laundering money costs money. Assuming that half of that amount goes to intermediaries, they will still get in the region of 7 million Euros a year for their efforts.
Kafeine from botnets.fr has outlined the entire infrastructure of Reveton distribution and monetizing details in the following graphic:
These screenshots were taken from the privacy-pc.com report (see below), which has a link to an earlier analysis of the FBI Moneypak ransomware containing removal guides.