Citadel Reveton Ransomware, along with the Citadel platform, is “policing” the world’s computers and asking for $100 or $200 fees to unlock your computer. Citadel Reveton Ransomware variants (also classified as Police Trojans) lock victims out of their computers and display a lock-screen warning message, purportedly from a law enforcement agency, claiming that the user has been involved in criminal activity and demanding a fee to unlock the computer. The message threatens to prosecute victims who do not make the required payment via prepaid money card services like MoneyPak, Ukash or Paysafecard. FBI Moneypak virus locked screen virus, FBI Moneypak virus, FBI Anti-Piracy MoneyPak virus, Canadian Police Association Ukash/Paysafecard virus, Police Cybercrime Investigation Department Ukash/Paysafecard virus, Cheshire Police Virus, International Cyber Security Protection Alliance virus and Australian Federal Police Ukash virus are among the most prevalent variants in the Citadel Reveton Ransomware family.

Citadel Reveton Ransomware variants leverage various elements of scareware to coax victims into paying the required fines within 48 hours. The fabricated official notices from various national police or investigatory agencies are purposely built around unethical social engineering techniques, and the scam page and payment services are localized according to the geographic location of the user’s IP address. Citadel Reveton Ransomware variants also show footage from the victim’s webcam, if one is available, to give the impression that the victim is being recorded by the national police or investigatory agencies. The page shows the victim’s specific IP address and uses a bogus message stating that the victim has been identified by law enforcement, such as the FBI or the Department of Justice’s Computer Crime and Intellectual Property Section, and has engaged in illegal online activities.

What is Citadel Reveton Ransomware

Citadel Reveton Ransomware is a “drive-by-download” malicious program that is distributed and deployed along with or by Citadel, which originates from the infamous Zeus banking Trojan. Cybercrooks obtained the source code and banked a fortune by releasing Zeus variants, one of which is Citadel. Later on, they added Reveton to Citadel and released more “country-branded” variants to target each of the major countries around the world, like the United States, Britain, Austria, Canada and Germany. With the open source nature and the localization pack available, the Citadel Reveton Ransomware variants are extorting victims worldwide into paying the ransom by fraudulently displaying supposed official notices from the victim’s national police or investigatory agencies.

The latest Citadel Reveton Ransomware leverages real information (the victim’s IP address) or even uses the webcam to show the victim’s footage in the warning message, which is localized to the victim’s national police service, creating social and authoritative illusions in order to deceive victims. The victim is threatened with criminal proceedings and is required to pay fees within 48 hours to avoid prosecution for watching child pornography and committing unspecified copyright offenses. If victims fail to pay a $100 or $200 extorted “fine” to the hackers within 48 hours, they are told they will be punished by law enforcement according to the laws the hackers purportedly cite. The Citadel Reveton Ransomware scheme has been very prevalent and has proven effective at banking profits for the hackers. It targets users in most of the major countries and rips off quite a large number of victims with the new “drive-by-download” infection. Once the victim is infected with Citadel Reveton Ransomware (e.g. the infamous FBI “Your computer has been locked” virus, the FBI virus police ransomware scam, FBI Anti-Piracy MoneyPak virus, Internet Security 2014 virus, PC blocked by United States Courts virus and System Doctor 2014 virus), the victim’s PC is locked and blocked from doing anything else unless he agrees to pay the $100 or $200 fine to the supposed authorities. In the worst scenario, not only may the PC be rendered completely unusable with data destroyed or compromised, but the victim’s computer will also stay locked even though he has paid the fees the Citadel Reveton Ransomware variant demands.

Friendly reminder: do not pay the requested fees or provide any personal information in any way. Be aware that even if you are able to unfreeze your PC by yourself or by using the guides we provide above, the malware may still exist and run in the background, as it is continuously evolving with new variants, stealing your personal information and stealthily installing other malicious code if needed. Live Chat with YooSecurity professionals to remove all Reveton Ransomware variants from your computer.

How Citadel Reveton Ransomware Works

Citadel Reveton Ransomware is not a typical virus of the kind commonly activated when a user opens a file or email attachment. It is a new “drive-by-download” virus that installs itself when users visit compromised websites, or that hackers deploy onto the victim’s PC using BlackHole exploit kits. Once installed, Citadel Reveton Ransomware locks the victim’s computer and demands fees via the MoneyPak, Ukash or Paysafecard prepaid payment services. All the requests on the scam page are sent via an encrypted (https://) connection to avoid detection by other software. YooSecurity Labs has received support requests reporting that the latest FBI MoneyPak virus has even encrypted files on the computers and rendered the computer useless without professional help. We have named these Citadel Reveton Ransomware variants after their payment services, like Ukash virus, Ukash/Paysafecard virus and MoneyPak virus.

What are Citadel Reveton Ransomware Variants (sorted by popularity)

YooSecurity Labs has been following these Reveton Ransomware variants since the earlier releases. We will be updating this list and documenting all the reported variants whenever a new variant is reported by YooSecurity and YooCare subscribed users. Based on our research, Citadel Reveton Ransomware variants took their first shots on the European continent with the Ukash payment method only. The best known ones are the West Yorkshire Police Ukash Virus, Metropolitan Police Ukash virus (PCEU) and Interpol Department of Cybercrime Ukash/Paysafecard virus, which impersonate police authorities in the UK and coax victims into paying via Ukash or Paysafecard. Citadel Reveton Ransomware variants then launched massive attacks on North America with the infamous FBI MoneyPak virus, FBI Paysafecard/Ukash virus and Canadian Police Association Ukash/Paysafecard virus. It also attacks Australia with a fake Australian Federal Police warning known as the AFP Ukash virus, asking for 100 AUD to unlock the victim’s PC.
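The variants listed on this page differ mainly in the agency they impersonate, the voucher brand they accept and the currency of the fee. As an added example (not YooSecurity's code), the following help-desk triage script takes the text of a lock screen, typed in or OCR'd from a photo, and matches it against those variants. All function and constant names are made up for the example, and the sample texts are assembled from the warning messages quoted on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Impersonated agency -> variant name as used on this page (most specific first).
VARIANTS = [
    (r"fbi anti-piracy", "FBI Anti-Piracy MoneyPak virus"),
    (r"international police association",
     "FBI International Police Association MoneyPak, Ukash/Paysafecard virus"),
    (r"united states cyber security", "U.S. Cyber Security MoneyPak virus"),
    (r"canadian? police association",  # the quoted notice misspells "Canadian"
     "Canadian Police Association Ukash/Paysafecard virus"),
    (r"police cybercrime investigation department",
     "Police Cybercrime Investigation Department Ukash/Paysafecard virus"),
    (r"australian federal police", "Australian Federal Police (AFP) Ukash virus"),
    (r"interpol", "Interpol Department of Cybercrime Ukash/Paysafecard virus"),
    (r"metropolitan police|\bpceu\b", "Metropolitan Police (PCEU) Ukash/Paysafecard virus"),
    (r"west yorkshire", "West Yorkshire Police Ukash/Paysafecard virus"),
    (r"\bfbi\b|federal bureau of investigation", "FBI MoneyPak virus"),
]
# Prepaid voucher brands; the notices also spell MoneyPak as "MoneyPack".
BRANDS = {"moneypak": r"money\s?pac?k", "ukash": r"ukash", "paysafecard": r"paysafe\s?card"}
# Fee written as "$200", "£100", "200$", "100 EURO", "100 CAD", "100 Canadian dollars".
FEE = re.compile(r"(?P<pre>[$£])\s?(?P<a>\d{2,4})\b"
                 r"|\b(?P<b>\d{2,4})\s?(?P<post>\$|euro|eur|cad|aud|usd|canadian dollars)")
CURRENCY = {"$": "USD", "£": "GBP", "euro": "EUR", "eur": "EUR", "cad": "CAD",
            "aud": "AUD", "usd": "USD", "canadian dollars": "CAD"}
DEADLINE = re.compile(r"within (\d{1,3}) hours")
LOCK = re.compile(r"(computer|pc) (has been|is) (locked|blocked)|unlock your (computer|pc)")
IDENTITY = re.compile(r"your ip address|your hostname|webcam")

@dataclass
class Finding:
    flagged: bool                    # looks like a police-themed lock screen
    variant: Optional[str]           # name from VARIANTS, if an agency matched
    brands: List[str]                # voucher brands demanded
    fee: Optional[Tuple[int, str]]   # (amount, ISO currency code)
    deadline_hours: Optional[int]
    identity_lure: bool              # shows IP/hostname or claims webcam recording

def analyze(text: str) -> Finding:
    low = " ".join(text.split()).lower()
    brands = sorted(name for name, pat in BRANDS.items() if re.search(pat, low))
    m = FEE.search(low)
    fee = (int(m.group("a") or m.group("b")),
           CURRENCY[m.group("pre") or m.group("post")]) if m else None
    d = DEADLINE.search(low)
    deadline = int(d.group(1)) if d else None
    # A lock claim plus a prepaid-voucher demand is the core pattern; a fee or
    # a deadline must accompany it so ordinary voucher mail is not flagged.
    flagged = bool(LOCK.search(low)) and bool(brands) and (fee is not None or deadline is not None)
    variant = None
    if flagged:
        variant = next((name for pat, name in VARIANTS if re.search(pat, low)), None)
    return Finding(flagged, variant, brands, fee, deadline, bool(IDENTITY.search(low)))

# Constructed samples, assembled from phrases in the notices quoted on this page.
FBI_ANTI_PIRACY = """FBI ANTI-PIRACY WARNING
Your Computer has been locked!
If you use webcam, videos and pictures were saved for identification.
To unlock your computer you are obligated to pay a release fee of 200$.
Payable through GreenDot MoneyPack.
Please note: This fine may only be paid within 72 hours."""
CANADIAN = """Canadia Police Association
Your computer is locked!
You are required to pay a fine of 100 Canadian dollars. We provide a payment
gateway for Ukash or PaySafeCard vouchers."""
# Benign text that mentions a voucher brand, an amount and a deadline, but no lock claim.
BENIGN = """Your Paysafecard balance is 25 EUR.
Windows will restart within 2 hours to finish installing updates."""

if __name__ == "__main__":
    for sample in (FBI_ANTI_PIRACY, CANADIAN, BENIGN):
        print(analyze(sample))
```

A match only names the variant so the right removal guide can be picked; it says nothing about what else is running on the machine.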

Citadel Reveton Ransomware FBI MoneyPak Virus

YooSecurity Labs received support requests on the first FBI MoneyPak virus/FBI virus on June 3rd, 2012. The first version of the FBI MoneyPak virus is easy to remove with some knowledge of how to edit the Windows Registry and enter safe mode. However, the following variants are becoming more complicated and even encrypt files on users’ computers. Since then, the FBI MoneyPak Ransomware has begun targeting North America on a larger scale. They even use Kaspersky Lab, McAfee and Dr.WEB badges to increase trust in the scam page.

FBI MoneyPak Virus Asks for a Release Fee of $200 October 2012 Variant Screenshot

FBI Anti-Piracy MoneyPak Virus Asks for a Release Fee of 200$ October 28, 2012 Variant Screenshot

FBI MoneyPak Virus Warning Message

All activity of this computer has been recorded.
If you use a webcam, videos and pictures were saved for identification.

You can be clearly identified by resolving your IP address and the associated hostname
Your IP Address: victim’s PC IP address
Your Hostname: victim’s PC hostname
Location: victim’s city location

Your Computer has been locked!
The work of your computer has been suspended on the grounds of unauthorized cyberactivity.

Described below are possible violations, you have made:
Article 274 – Copyright
A fine or imprisonment for the term of up to 4 years (The use or sharing of copyrighted files – movies, software)
Article 183 – Pornography
A fine or imprisonment for the term of up to 2 years (The use or distribution of pornographic files)
Article 184 – Pornography involving children (Under 18 years)
Imprisonment for the term of up to 15 years (The use or distribution of pornographic files)
Article 104 – Promoting Terrorism
Imprisonment for the term of up to 25 years (You have visited websites of terrorist organizations)
Article 297 – Neglect computer use, entailing serious consequences
A fine or imprisonment for the term of up to 2 years (Your computer has been infected with a virus, which, in turn, infected other computers)
Article 108 – Gambling
A fine or imprisonment for the term of up to 2 years (You have been gambling, but according to the law residents of the your country are not allowed gambling in any format)
In connection with the decision of the Government as of August 22, all of the violations describled above could be considered as conditional in case of payment of a fine.
Amount of the fine is $200. Payment must be made within 48 hours after the discovery of the violation. If the fine has not been paid, you will become the subject of criminal prosecution.

After paying the fine your computer will be unlocked.

All activity of this computer has been recorded. If you use a webcam videos and pictures were saved for identification. You can be clearly identified by resolving your IP address and the associated host name. Illegally downloaded material (MP3’s, Movies or Software) has been located on your computer. By downloading those were reproduced, thereby involving a criminal offense under Section 100 of the Copyright Act. The downloading of copyrighted material via the Internet or music sharing networks is illegal and is in accordance with Section 100 of the Copyright Act subject to a fine or imprisonment for a penalty of up to 3 years.

Furthermore, possession of illegally downloaded material is punishable under Section 184 paragraph 3 of the Criminal Code and may also leed to the confiscation of the computer, with which the files were downloaded.

To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $200.
Exchange your cash for a MoneyPak voucher and use your voucher code in form below.

Pay with Moneypak:
Load Cash on MoneyPak

Enter 200$ Moneypak code:

MoneyPak is available at these stores nationwide.
Walmart CVS/pharmacy…

Please not: This fine may only be paid within 48 hours, if you let 48 hours pass without payment, the possibility of unlocking your computer expires. In this case a criminal case against you will be initiated automatically.

FRAUD ALERT: Use yor MoneyPak number only with businesses listed at MoneyPak and United States Federal Bureau of Investigation. If anyone else asks for your MoneyPak number? it’s probably a scam. If a criminal gets your money. Green Dot is not responsible to pay you back.

FBI Warning for FBI ANTI-PIRACY Fake Notice (updated as of October 28, 2012)

Your Computer has been locked!
All activity of this computer has been recorded. If you use webcam, videos and pictures were saved for identification. You can be clearly identified by resolving your IP address and the associated hostname.

Ulock computer:
To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of 200$. Payable through GreenDot MoneyPack. After successful payment, your computer will automatically unlock.

Illegally downloaded material (audio, videos or software) has been located on your computer

By downloading, those were reproduced, thereby involving a criminal offence under Section 106 of Copyright Act.

The downloading of copyrighted material via the Internet or music sharing networks is illegal and is in accordance with Section 106 of the Copyright Act subject to a fine or imprisonment for a penalty of up to 3 years.

Furthermore, possession of illegally downloaded material is punishable under Section 184 paragraph 3 of the Criminal Code and may also lead to the confiscation of the computer, with wich the files were downloaded.

To perform the payment, enter the acquired GreenDot MoneyPack code in the designated payment field and press the OK button.

McAfee This site is secure seal

FBI ANTI-PIRACY WARNING

1. Take your cash to one of these retail locations: Walmart
2. Pick up a MoneyPak and purchase it with cash at the register.
3. Come back and enter your MoneyPak code to unlock your Computer.

Please note: This fine may only be paid within 72 hours. If you let 72 hours pass without payment, the possibility of unlocking your computer expires.
In this case a criminal case against you will be initiated automatically.

Citadel Reveton Ransomware FBI International Police Association MoneyPak, Ukash/Paysafecard Virus

YooSecurity Labs has received support requests on this new FBI variant, which uses the names of the Federal Bureau of Investigation and International Police Association authorities and demands 100 EURO or 200$ USD for violating child pornography laws, payable via Green Dot MoneyPak or via the prepaid services Ukash or Paysafecard. We call it the Citadel Reveton Ransomware FBI Police Association MoneyPak, Ukash/Paysafecard Virus.

Federal Bureau of Investigation and International Police Association MoneyPak Virus Asks for 200$ Fines to Unlock October, 2012 Variant Screenshot

Federal Bureau of Investigation and International Police Association 100 EURO Ukash or Paysafecard Voucher Virus October 5, 2012 Variant Screenshot

Federal Bureau of Investigation and International Police Association 100 EURO Ukash or Paysafecard Voucher Virus Warning Message

Federal Bureau of Investigation
International Police Association

ATTENTIONS! Your computer has been Locked!
Your IP Address: victim’s PC IP address
Your Hostname: victim’s PC hostname

Your PC is blocked due to at least one of the reasons specified below.
Your computer was trying to access a child pornography directory and has been blocked. Everyday we are working on blocking such sites and distribution of this awful materials, and it costs a lot to maintain our operations. You are required to pay administrative fees. Watching, downloading and possessing such horrific materials is highly punishable and will leave a long lasting effect on your friends and relatives. If we don’t receive a payment within 48 hours your information will be sent to you local authorities. You will be charged and convicted for up to 5 years in prison time and register as a sex offender for the rest of your life.
To help you make your payment faster and totally anonymous to you, we decided to accept vouchers that are spread nationwide and can be purchased in all major stores.
Legislation s. 163.1 (3) Every person who transmits, makes available, distributes, sells, advertises, imports, exports or possesses for the purpose of transmission, making available, distribution, sale, advertising or exportation any child pornography is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years and to a minimum punishment of imprisonment for a term of five years.

Pay with Ukash or Paysafecard
Enter 100 EURO Ukash or Paysafecard voucher

Federal Bureau of Investigation and International Police Association Green Dot MoneyPak 200$ USD Virus Warning Message

The warning message is nearly the same as the 100 EURO scam documented above. The wording is slightly different because it uses Green Dot MoneyPak as the payment method.

Pay with Moneypak:
Load Cash on MoneyPak

Enter 200$ Moneypak code:

MoneyPak is available at these stores nationwide.
Walmart, CVS/pharmacy…

YooSecurity How-to Video: Remove FBI MoneyPak/Ukash/Paysafecard Virus as well as Federal Bureau of Investigation and International Police Association Virus

Citadel Reveton Ransomware United States Cyber Security (U.S. Cyber Security) MoneyPak virus

United States Cyber Security (U.S. Cyber Security) MoneyPak virus is a variant of Citadel Reveton Ransomware, detected and removed by YooSecurity Labs as of August 1st, 2012. It has almost the same characteristics as the notorious FBI MoneyPak viruses, asking for $100/$200 fees to unlock the locked computer, with only minor differences in the scam statement.

United States Cyber Security (U.S. Cyber Security) MoneyPak Virus August 2012 Screenshot

United States Cyber Security (U.S. Cyber Security) Green Dot MoneyPak $100 USD Virus Warning Message

UNITED STATES CYBER SECURITY
ATTENTION!
IP:
Location: United States City Name
IPS: Service Provider
Your PC is blocked due to at least one of the reasons specified below.

For the detailed scam statement, please refer to this YooSecurity malware removal guide: How to Remove Citadel Reveton Ransomware United States Cyber Security (U.S. Cyber Security) MoneyPak virus

YooSecurity How-to Video: Remove United States Cyber Security (U.S. Cyber Security) Green Dot MoneyPak $100 USD Virus

Citadel Reveton Ransomware Canadian Police Association Ukash/Paysafecard virus

Canadian Police Association Ukash/Paysafecard virus is the latest variant of Citadel Reveton Ransomware, targeting computer users in Canadian locations. The scare elements it uses to coax victims into paying are nearly the same as those of the FBI MoneyPak virus, with some changes to the scam statement and currency.

Canadian Police Association Ukash/Paysafecard Virus Asks a Release Fee of 100 CAD October 2012 Screenshot

Canadian Police Association Ukash/Paysafecard Virus Asks a Release Fee of 100 CAD Warning Message

Canadia Police Association
Association canadienne de policiers

ALL ACTIVITY OF THIS COMPUTER
HAS BEEN RECORDED

Your computer is locked!
Your computer has locked.

This could be due to one of the following reasons:
1. Your computer has been used to view banned Web sites
2. Your computer has been used to view Web sites containing child pornography.
3. Your computer has been used to illegal information, software.
4. Your computer has been used for storing / viewing pirated content.

What should I do? According to “Information Security and Control Act 2012”, you are required to pay a fine of 100 Canadian dollars. For the convenience of paying the fine we provide a payment gateway for Ukash or PaySafeCard vouchers. You need to buy voucher for sum of 100 Canadian dollars and enter the 19 or 16 digit code written on the voucher the secure payment form, then press “OK” button to send the code.

What will happen after I submit the code?
Once voucher is verified by our system your computer will be unlocked after 14 hours.

Where can I buy PaySafeCard?
PaySafeCard is available from sales outlets from gas station and newsagents,in the Canada, exclusively from all Exlpln outlets.

Where can I buy Ukash?
You could pay Ukash in may places, for example: shops, talls, terminals, online or through E-Wallet (electronic cash). Below you could find the list of point of sale Ukash in your country.

YooSecurity How-to Video: Remove Canadian Police Association Ukash/Paysafecard Virus

Citadel Reveton Ransomware Police Cybercrime Investigation Department Ukash/Paysafecard virus

Police Cybercrime Investigation Department Ukash and Paysafecard virus was first reported by YooSecurity Labs on August 18, 2012, with only the Ukash payment option available. On October 3rd, 2012, it began using a new template with both Ukash and Paysafecard payment services available.

Police Cybercrime Investigation Department Ukash/Paysafecard Virus Asks a Release Fee of 100 CAD August 2012 Screenshot
Police Cybercrime Investigation Department Ukash/Paysafecard Virus Asks a Release Fee of 100 CAD October 2012 Screenshot

Police Cybercrime Investigation Department Ukash/Paysafecard Virus Asks a Release Fee of 100 CAD Warning Message

The later of the two versions of Police Cybercrime Investigation Department Ukash/Paysafecard virus is a refreshed redesign, with fine-tuning of some scare elements and more payment options.

Police Cybercrime Investigation Department

Your IP Adress: victim’s PC IP address
Your Hostanme: victim’s PC host names
Location: specific city location

To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of 100 CAD.

Where can I buy Ukash?
You can get Ukash from hundreds of thousands of global locations, online, from wallets, from kiosks and ATMs.
Exchange your cash for a Ukash voucher and use your voucher code in form below.

Where can I buy Paysafecard
You can get paysafecard at Ezipin, from gas stations and newsagents throughout Canada.
Exchange your cash for a Paysafecard voucher and use your voucher code in form below.

Please note: This fine may only be paid within 48 hours, if you let 48 hours pass without payment, the possibility of unlocking your computer expires.

In this case a criminal case against you will be initiated automatically.

The statement of the October 2012 version is nearly the same as the FBI Moneypak virus warning message we have documented above. You can refer to YooSecurity’s How to Remove Citadel Reveton Ransomware Police Cybercrime Investigation Department Ukash/Paysafecard virus guide for more details. For the August 2012 statement, please refer to the YooSecurity malware removal guide on How to Remove Canadian Police Association Ukash/Paysafecard virus for the detailed statement and other information.

YooSecurity How-to Video: Remove Police Cybercrime Investigation Department 100 CAD Ukash/Paysafecard Virus

Citadel Reveton Ransomware Police Australian Federal Police (AFP) Ukash virus

Australian Federal Police Ukash (AFP) Ukash virus also has two versions, like the Police Cybercrime Investigation Department virus. The earlier one was detected on September 12, 2012, and the later one on October 8, 2012. The later one was released from the same Citadel Reveton Ransomware template of October 2012. The payment service is limited to Ukash only. The technicians in YooSecurity Labs call it the Australian Federal Police Ukash (AFP) Ukash virus.

Australian Federal Police Ukash (AFP) Ukash Virus Asks a Release Fee of 100 AUD September 2012 Screenshot

Australian Federal Police Ukash (AFP) Ukash Virus Asks a Release Fee of 100 AUD October 2012 Screenshot

Australian Federal Police Ukash (AFP) Ukash Virus Asks a Release Fee of 100 AUD Warning Message

AFP
Australian Federal Police

To unlock your computer and avoid other legal consequences, you are obligated to pay a release of 100 AUD.

YooSecurity Labs has documented the exact statements of Australian Federal Police Ukash (AFP) Ukash Virus in both versions. You can visit the link here for more information on Australian Federal Police Ukash (AFP) Ukash Virus and to learn how to remove it, and do consult YooSecurity professionals if you need any help.

YooSecurity How-to Video: Remove Australian Federal Police Ukash (AFP) Ukash Virus

Citadel Reveton Ransomware Britain Interpol Department of Cybercrime Ukash/Paysafecard virus

Interpol Department of Cybercrime Ukash/Paysafecard virus was first found in August 2012, targeting computer users located in Britain. It locks victims out of their computers and demands payment of a £100 fine via Paypal, Ukash or Paysafecard to unlock the computer. The scam page makes itself look like a real police warning from the Interpol Department of Cybercrime by using social and scare elements for extortion, like police badges, legal terms and statements, famous brands, a barcode and the security seals of Norton and McAfee Secure. The hacker leaves the email [email protected] for inquiries to improve their ROI.

Interpol Department of Cybercrime Ukash/Paysafecard Virus Demand £100 Fines to be Unlocked August, 2012 Screenshot

Interpol Department of Cybercrime Ukash/Paysafecard Virus Demand £100 Fines to be Unlocked August, 2012 Warning Message

INTERPOL
DEPARTMENT OF CYBERCRIME

ATTENTION!

YOUR PC IS BLOCKED DUE TO AT LEAST ONE OF THE REASONS SPECIFIED BELOW!

You can review all the details of this Interpol Department of Cybercrime message on YooSecurity Interpol Department of Cybercrime virus removal page.

YooSecurity How-to Video: Remove Interpol Department of Cybercrime Ukash/Paysafecard Virus

Citadel Reveton Ransomware Britain Metropolitan Police (PCEU) and Specialist Crime Directorate Ukash/Paysafecard virus

Citadel Reveton Ransomware Britain Metropolitan Police (PCEU) & Specialist Crime Directorate Ukash/Paysafecard virus is another British Ukash virus, extorting a £100 fine to unlock infected computers. Citadel Reveton Ransomware Britain Metropolitan Police (PCEU) Ukash/Paysafecard virus is becoming more like the latest Citadel Reveton Ransomware variants. It targets users based on the geolocation of their IP addresses, which makes it look more genuine, and the Metropolitan Police (PCEU) virus uses stronger legal terms and more information (like where to get Ukash) to improve its scam conversion rates. The later version of the Britain Metropolitan Police (PCEU) Ukash virus, from October 2012, added the Paysafecard payment service as a payment method and uses the webcam to give the illusion that the victim has been recorded. Click here to learn more about the warning elements and how to remove Britain Metropolitan Police (PCEU) Ukash virus with YooSecurity professionals.

Britain Metropolitan Police (PCEU) Ukash Virus Extorts £100 Fines August, 2012 Screenshot

Britain Metropolitan Police (PCEU) and Specialist Crime Directorate Ukash Virus Extorts £100 Fines September, 2012 Screenshot

Britain Metropolitan Police (PCEU) Ukash Virus Extorts £100 Fines October, 2012 Screenshot

YooSecurity How-to Video: Remove Britain Metropolitan Police (PCEU) Ukash Virus

Citadel Reveton Ransomware Britain West Yorkshire Police Ukash/Paysafecard Virus

Britain West Yorkshire Police Ukash Virus was found in April 2012. It was very simple ransomware and easy to remove back then. It may lack some of the locking code of the latest Citadel Reveton Ransomware, but it uses the Ukash and Paysafecard payment services to extort £100 fines to unlock blocked computers.

Britain West Yorkshire Police Ukash/Paysafecard Virus Coaxes Users into Paying £100 Fines April, 2012 Screenshot

Britain West Yorkshire Police Ukash/Paysafecard Virus Coaxes Users into Paying £100 Fines April, 2012 Fake Police Warning

WEST YORKSHIRE
POLICE

Your computer is locked!

Please wait a code introduced by your release will be controlled.

If you entered a code right – your computer will be released for 1-4 hours. In some cases a delay of the release can be increased up to days (24 hours). If you enter a incorrect code, then prevention will reappear on the screen. After you input a code incorrectly for 3 times, then the police will confiscate your computer and cause the criminal case against you.

Other Citadel Reveton Ransomware Variants

YooSecurity Labs will list other Citadel Reveton Ransomware variants below to keep our users informed and up to date. These are for quick reference only; we won’t provide detailed removal instructions and descriptions for the Citadel Reveton Ransomware variants below. As of October 20, 2012, the following Citadel Reveton Ransomware variants are targeting European countries by demanding 100 Euro to unlock the victim’s computer.

Note: If you are having problems removing any Reveton Ransomware variants from your computer, please contact YooSecurity professionals to keep your computer safe and virus free.

Published by YooSecurity CTO & last updated on May 31, 2013 4:29 am
