
SecurityWeek

Malware & Threats

Reveton Ransomware Upgraded to Steal Passwords

The notorious Reveton ransomware has been updated to steal passwords and credentials, according to researchers with security firm Avast.

This latest edition affects more than 110 applications and turns the victim's computer into a botnet client. The malware also steals passwords from five cryptocurrency wallets, and its banking module is set to target 17 German banks. In all cases, Reveton contains a link to download an additional password stealer.

“Reveton [uses] one of the best password/credentials stealer on the malware scene today,” Avast reported in a blog post. “Pony authors conduct deep reverse engineering work which results in almost every password decrypted to plain text form. The malware can crack or decrypt quite complex passwords stored in various forms.”

Pony includes 17 main modules (covering operating system credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients and more) and more than 140 submodules.

The new version of Reveton also has an upgraded lockscreen module. The authors of the malware divided the program into multiple threads, changed the encryption, saved the payload to the registry and reworked communication with command and control servers.

“Reveton has also prepared another password stealer downloaded from the Papras family,” Avast researchers noted. “This malware is not as effective as the Pony but contains a powerful AV kill/disable function.”

According to Avast, the most common infection is via some well-known exploit kits, such as Fiesta, Nuclear and Sweet Orange.

In 2012, the FBI issued a warning about Reveton after complaints poured in to the Internet Crime Complaint Center about fake messages, purportedly from the FBI, demanding that recipients pay a fine for visiting child pornography sites on the Web. Those who didn't pay would have their computers locked. The ransomware scam demanded victims pay $200 to regain control of their computers.

“As we have shown, the high profits from the former Reveton model, unlocking the infected computer after the user pays a ransom, is not enough,” according to Avast. “Malware authors have decided to enter into a new black business area. Passwords to various systems and crypto currency wallets are a very lucrative commodity today. Some passwords (FTP, emails, IM…) are perfectly suited for spreading their malware and build stronger botnets.”
