1. Reveton

Reveton was one of the most famous ScreenLockers. It was seen in August 2012 and infected machines en masse. Reveton was known to be spread by the Blackhole Exploit kit (mentioned in Chapter 3, Ransomware Distribution). After successfully exploiting the victim machine, the Blackhole Exploit kit downloads the Citadel malware, which in turn downloads the Reveton ransomware. Citadel is a close associate of the Zeus malware. The Citadel stealer (we talked about password stealers in Chapter 1, Malware from Fun to Profit) is known to steal credentials stored in password managers such as Password Safe and KeePass.

Reveton is also a police ransomware. It locks the screen and shows the victim a warning purporting to be from the local police. It checks the victim's country and displays the corresponding message over the locked screen. The ransom message usually accuses the victim of visiting adult sites:

Reveton showing fake message from law authorities

Reveton used to demand a ransom of $300 in MoneyPak.

Initial versions of Reveton were EXE files; later versions were DLLs. Most Reveton files were compiled in the Delphi programming language. Initial versions of Reveton targeted Windows, but later on Android mobile devices were also targeted.

In 2013, suspected cyber criminals alleged to be associated with Reveton were arrested in Spain: https://nakedsecurity.sophos.com/2013/02/14/reveton-ransomware-gang-arrested-by-spanish-police/.
