Europol makes no mention of Reveton, describing it only as ‘a prolific ransomware cybercriminal gang’. Knowledge that this is indeed Reveton comes from Rik Ferguson, VP of security research at Trend Micro. “I’m happy to say,” he reported yesterday, “that, as a result of close cooperation between Trend Micro threat research and Spanish law enforcement a number of important arrests have been made in connection with the Reveton ransomware.”
Reveton, otherwise known as the ‘police trojan’ or ‘police virus’, is possibly the most prolific of all the current ransomware trojans, often being distributed via some of the leading exploit kits. According to a Spanish police announcement, the group was taking in excess of €1 million per year. Since its first detection in May 2011, the Spanish police have received more than 1,200, although “the number of injured is certainly much higher.”
In the operation, codenamed Operation Ransom by the police, there have been eleven arrests so far – the first being one of the Reveton gang’s leaders while in Dubai, “responsible for the creation, development and international distribution of the various versions of the malware,” says Ferguson. The Spanish police are reported to be seeking his extradition to Spain. The ten other arrests occurred in Spain itself – six Russians, two Ukrainians and two Georgians. This was the money laundering cell based in the Costa del Sol responsible for transferring the proceeds to Russia.
“The financial cell of the network,” announced Europol, “specialized in laundering the proceeds of their crimes, obtained in the form of electronic money. For this, the gang employed both virtual systems for money laundering and other traditional systems using various online gaming portals, electronic payment gateways or virtual coins. They also used compromised credit cards to extract cash from the accounts of ransomware victims via ATMs in Spain. As a final step, daily international money transfers through currency exchanges and call centers ensured the funds arrived at their final destination in Russia.”
This bust will certainly disrupt the Reveton gang. Reveton itself, however, is unlikely to go away. The main gang would appear to be located in Russia, with which Europe and the US have no extradition treaty. Money laundering, particularly in Spain, has been disturbed, and one of the gang’s leaders has been arrested; but the remainder of the Russian gang continues. “The malware itself is still out there and is used by others,” Ferguson told Infosecurity. “Although the arrest does not constitute the entirety of the gang, we can say that this is a significant disruption to the gang's activities.”