Ransom Virus Hits DuPage, Holds Files Hostage for Money
Computer virus locks files, tells users their Internet address has been used for illegal online activities and demands money.

A fairly recent drive-by computer virus that locks users’ files until they pay a ransom appears to have struck DuPage County.
An Elmhurst home appraiser reported on Jan. 29 that he received a warning message on his computer that his files were locked. The message demanded he immediately pay an electronic bitcoin ransom of $500, or $1,000 at a later date, to unlock his files, Elmhurst police said.
The home appraiser did not pay the ransom and told police that his company was sending over an information technology specialist to remove the virus.
The Reveton ransomware virus, sometimes referred to as the FBI Moneypak or FBI virus because some versions carry the FBI logo, is designed to extort money from computer users by locking their files.
The FBI Internet Crime Complaint Center, or IC3, described the virus as drive-by malware because, unlike many viruses, which activate when users open a file or attachment, this ransomware installs itself when users simply click on a compromised website.
Once infected, the victim’s computer immediately locks, and the monitor displays a screen stating there has been a violation of federal law.
Some versions carry a bogus message purporting to be from the FBI or Department of Justice telling users their Internet address has been used to view child pornography, illegally downloaded media or other illegal online activity.
Besides bitcoin, users are instructed to unlock their machines by paying a fine through a prepaid money card service.
Some victims have paid the so-called fine, said Donna Gregory, of IC3. Unfortunately for users, there is no easy fix for computers that become infected.
“We are getting dozens of complaints every day,” Gregory said in an FBI alert. “Unlike other viruses, Reveton freezes your computer and stops it in its tracks. And the average user will not be able to easily remove the malware.”
The IC3 suggests the following if you become a victim of the Reveton virus:
- Do not pay any money or provide any personal information.
- Contact a computer professional to remove Reveton and Citadel from your computer.
- Be aware that even if you are able to unfreeze your computer on your own, the malware may still operate in the background. Certain types of malware have been known to capture personal information such as user names, passwords, and credit card numbers through embedded keystroke logging programs.
- File a complaint and look for updates about the Reveton virus on the IC3 website.
Microsoft’s Malware Protection Center recommends that users stay up to date on the latest antivirus and security software to protect their machines. The company also offers remedies for cleaning PCs, removing the malware and recovering files.