
FBI Moneypak

Type: Ransomware, Trojan
Date: 2012
Origin: United Kingdom
Platform: Microsoft Windows
File Type: Win32 PE executable (.EXE)
Alias(es): Trojan/Win32.Reveton (Microsoft Windows); Win32:LockScreen (Avast!); Trojan-Ransom.Win32.Urausy (Kaspersky); Trojan.Winlock (Panda); Win/DHADVQFVFBIA (AVG); Trojan:W32/Revton (F-Secure)
Figure: A version of the lock screen.

FBI Moneypak is ransomware for Microsoft Windows, much like Cryptolocker. It is part of the Reveton family.

MoneyPak is very similar to a credit card, except that it carries a pre-loaded amount of money that the user can spend on purchases, including online.

Despite claiming to be from the FBI, it is in fact a scam and not run by the FBI.

In 2012, the FBI published advice relating to the FBI MoneyPak virus.

Payload

Transmission

FBI Moneypak is typically installed when the user visits a hacked web site containing malicious scripts that exploit vulnerabilities on the computer to install the FBI Ransomware without the user's knowledge or permission.

Infection

Once installed, the FBI Ransomware is configured to start automatically when the user logs in to Windows. If FBI Moneypak infiltrates the user's computer, it denies their access instantly. A locked PC indicates that the trojan has already altered the user's registry. This ransomware also drops harmful files onto the user's hard drive.

Once started, it displays a large alert that pretends to be from the FBI and states that the user's computer has been blocked because it was involved in the distribution of pornographic material, spam, or copyrighted content. To access their Windows desktop and applications, the user must first pay a fine of $100 in the form of a MoneyPak.

Once the malware developers receive the ransom, they will then unlock the user's computer within 1 to 48 hours. To make the alert seem more authentic, the malware can also access the installed webcam so that the alert shows what is happening in the room.

The text of this ransom note is:

The FBI
Federal Bureau of Investigation


ATTENTION!
IP: xxx.xxx.xxx
Location: Your Country Here
IPS: Your ISP Here


Your PC is blocked due to at least one of the reasons specified below.


You have been violation Copyright and Related Rights Law (Video, Music, Software) and illegally 
using or distributing copyrighted content, thus infringing Article I, Section 8, Clause 8, also known as 
the Copyright of the Criminal Code of United States of America.


Article I, Section 8, Clause 8 of the Criminal Code provides for a fine of two to five hundred minimal 
wages or a deprivation of liberty for two to eight years.


You have been viewing or distributing prohibited Pornographic content (Child Porno, Zoofilia and 
etc). Thus violating article 202 of the Criminal Code of United States of America. Article 202 of the 
Criminal Code provides for a deprivation of liberty for four to twelve years.


Illegal access has been initiated from your PC without your knowledge or consent, your PC may be 
infected by malware, thus you are violating the law of Neglectful Use of Personal Computer. Article 
210 of the Criminal Code provides for a fine of up to $100,000 and/or a deprivation of liberty for four 
to nine years.


Pursuant to the amendment to the Criminal Code of United States of America of May 28, 2011, this 
law infringement (if it is not repeated - first time) may be considered as conditional in case you pay 
the fine to the State.


Fines may be paid within 72 hours after the infringement. As soon as 72 hours elapse, the possibility 
to pay the fine expires, and a criminal case is initiated against you automatically within the next 72 
hours!


To unblock the computer, you must pay the fine through MoneyPak of 100$.

Variants

FBI Green Dot Moneypak

FBI Green Dot Moneypak locks the whole system down and displays a fake alert with FBI, Moneypak, and McAfee logos. The misleading message displayed by this threat claims that the Federal Bureau of Investigation has blocked the user for downloading illegal or copyrighted material and similar crimes. It demands payment of a $200 fine and includes steps explaining how the user should pay it.

FBI Black Screen

FBI Black Screen, or FBI Virus Black Screen, uses the same technique as its predecessors and seeks to make users pay a $200 fine. It also plays an audio warning, shows a black screen, and locks down the whole system. Additionally, it claims that the user has been caught violating the law and accuses them of visiting pornographic websites and viewing files containing zoophilia, child pornography and similar content.

FBI Online Agent

FBI Online Agent is ransomware that also uses the name of the Federal Bureau of Investigation, but it has a newly designed alert, which accuses the victim of committing various crimes and asks them to pay $200 using MoneyPak. What is new about FBI Online Agent is that it does not show the user's IP address or location but gives the name of the responsible agent, a case number and other details that are clearly invented. In addition, the scammers have added the promotion of terrorism to the list of crimes reported in this misleading warning.

FBI Cybercrime Division

FBI Cybercrime Division is dangerous ransomware that pretends to belong to the FBI's Cybercrime Division. This virus uses an identical scheme to try to steal users' money. However, this time it asks the victim to pay $300 using the Moneypak prepayment system. Be sure that its alert is not legitimate and can be safely ignored. The new version uses a newly designed alert, which is filled with more than ten different logos.

FBI PayPal

FBI PayPal is a variant that blocks the entire desktop and disables the Internet connection on its target PC. It asks the victim to pay a fine of $100 for invented online crimes, such as the use of copyrighted content or distribution of malware. Unlike earlier parasites that use an identical scheme for stealing money, the FBI PayPal virus uses PayPal for its money transactions. Please stay away from this threat.

FBI Department of Defense

FBI Department of Defense is a variant that seeks to swindle $300 by convincing its victims that they have violated several laws of the USA. This virus has the same ability to lock down the PC and hide every file kept on the computer.

What is new about this version of the FBI virus is that it offers the MoneyGram prepayment system for paying the fine.

White Screen

White Screen, or White Screen FBI, is a cyber infection that is categorized as ransomware and belongs to the same group of FBI viruses. If the user sees a white screen and a mouse cursor on their computer's desktop, that means this virus failed to load properly.

However, the user may also receive a huge warning from the FBI, which reports the illegal use of videos related to child pornography or other e-crimes.

FBI Computer Crime and Intellectual Property Section

FBI Computer Crime and Intellectual Property Section is a variant that occupies the entire computer as soon as it infects it. Instead of the desktop, it shows a huge alert stating that 'computer is locked by Internet Service Provider' for several different reasons.

Just like previous versions, it claims that the computer's owner was noticed watching and spreading copyrighted content and doing other activities that clearly violate some laws of the USA. This FBI virus version asks to pay a fine of $200.

FBI System Failure

FBI System Failure is a variant that blocks computers with its fake warning saying: 'All Activities of this computer has been recorded. All your files are encrypted. Don’t try to unlock your computer!'. Just like its previous versions, this virus seeks to make its victims pay an invented fine.

This version is used to swindle $300, which it asks the victim to pay through the REloadit prepayment system.

Fake Pornhub App

Fake Pornhub App is a variant that was discovered by Michael Gillespie. The screen-locking virus disguised itself as a fake Pornhub app, and as a consequence, people looking for erotic visual content were tricked into installing malware instead of the popular adult-content app. Once installed, this version of Android ransomware quickly locks the device, preventing the user from using it.

Considering that the victim just installed an app for adults, the message displayed on the screen might appear more scary and realistic than it actually is. The message states that "Federal Bureau of Investigation, Department of Justice" scanned the device and detected suspicious files as well as attempts to enter forbidden websites. As a consequence, the user has to pay a $500 fine within three days.