2012-12-21 - Evolution

Reveton - Winter Collection

Winter is coming, and so is Reveton's Winter Collection (obviously replacing the Autumn Collection, to which they added sound for some countries last month).

The new design was first spotted by Trend Micro on December 10th but was limited to the United States.
It was displaying a shocking picture. In the last few hours the new design has been propagated to all targeted countries.

Reveton UK (12-2012) - the default if your country has no specific design

Reveton Winter Collection in one image

What's new? It seems it's not speaking anymore. I guess that did not increase the conversion rate at all...
There is a tabbed system for payment.

You are warned that if you try to unlock your computer yourself you'll lose all your data.

<edit : 26/12/12> This is only a warning; this won't happen, as explained by Jeet Morparia from Symantec here.</edit>

300$ in the US !

A countdown:

It makes you think your antivirus has been modified to identify cyber-criminals after the signature of an international treaty between LEA and antivirus vendors:

Good news! They removed the shocking image that was on the US design and seen on the similar DE design of a Tobfy (0b1cfd537eb568089daf2892a8e22049 - c6378145d48ed77cbda7ea46ee670685)!

In chosen order

Reveton ES (12-2012)

Note to self :  Do not forget to respect the law in Spain.

Reveton RO (12-2012)

Hum wait...Senātus Populusque Rōmānus ??
Is it me or...
made me browse Wikipedia.
Now in alphabetical order :

Reveton AT (12-2012)
Reveton AU (12-2012)

Reveton CA (12-2012)

Reveton DE (12-2012)

Reveton CY (12-2012)

Reveton CZ (12-2012)

Reveton DE (12-2012)

Reveton FI (12-2012)

Reveton FR (12-2012)

Reveton GR (12-2012)

Reveton HU (12-2012)

Reveton IE (12-2012)

Reveton IT (12-2012)

Reveton LU (12-2012)

Reveton LV (12-2012)

Reveton NL (12-2012)

Reveton NO (12-2012)

Reveton SE (12-2012)

Reveton SI (12-2012)

Reveton TR (12-2012)

Reveton US (12-2012)

After Paysafe card payment
(You SHOULD NOT see this, because you must not pay!)
Note the countdown, which drops from 48h to 2h

After valid Ukash number insertion
(You SHOULD NOT see this, because you must not pay!)

Call to mother

As usual I have trouble gathering PT and BE landing pages... it seems I now also have a problem with PL and SK.
For DK and LT it seems the default (UK) is being pushed.

Sample : 5bd641a67baaa09af76c74e25b7b43bb

More about Reveton ?
See the Reveton page on https://www.botnets.fr/index.php/Reveton
Kernel Mode Thread

Reveton can speak now ! - 2012-11-23
Reveton += HU, LV, SK, SI, TR (!), RO - So spreading across Europe with 6 new Design - 2012-10-29
Reveton Autumn Collection += AU,CZ, IE, NO & 17 new design - 2012-10-12
Inside a ‘Reveton’ Ransomware Operation 2012-08-13

Don’t Pay Up – How To Beat Ransomware! - 2013-04-05 - MakeUseOf - Guy McDowell