Reveton is a ransomware family, widely known as FBI MoneyPak ransomware, that combines locker ransomware and scareware behavior. It locks victims out of their systems and displays fake law-enforcement warnings claiming the device was used for illegal activity such as child pornography, copyright infringement, terrorism, gambling, or other offenses. The lock screen commonly impersonates agencies such as the FBI, Department of Justice, or local police, may display the victim’s IP address, and some variants can activate or display an image from the victim’s webcam to increase credibility. Reveton demanded payment as a supposed “fine” to restore access, with reported payment methods including GreenDot MoneyPak prepaid cards and Paysafecard, and reported ransom amounts ranging from about $100 to $1,000, including commonly cited demands of $200.
The malware was delivered through compromised websites, drive-by infections, malvertising, and exploit kits. Multiple sources in the content state that victims could be infected after visiting compromised sites, including campaigns using the Angler exploit kit and exploitation of browser vulnerabilities such as Adobe Flash CVE-2015-0311. Reveton was also described as being delivered by Citadel malware. The content notes large malvertising campaigns that delivered either Reveton or Bedep.
Reveton is repeatedly described as an early and significant ransomware family and is identified in the content as the first reported ransomware-as-a-service offering, enabling less technically skilled criminals to rent or purchase access. It is associated in the content with the “FBI MoneyPak” branding and with criminal operators tied to malvertising and exploit-kit ecosystems. The content references overlap between Reveton distributors and the DNSChanger/Nelicash ecosystem, links to the Reveton team in historical discussions around Angler exploit kit usage, and notes law-enforcement action against individuals involved in creating or distributing Reveton, including UK NCA-led arrests and U.S. prosecutions tied to laundering ransom proceeds.
Targeting was broad and included home users, with campaigns observed in the United States and internationally. The content specifically mentions fake warnings purporting to come from the FBI, Department of Justice, and local police agencies. Known behavioral indicators from the content include immediate system lockout, fake police or FBI splash screens, accusations of illegal online activity, demands for prepaid-card payment, browser-locking via iframe loops in some variants, persistence on the infected device requiring malware removal, and in some cases webcam activation or display. Reveton also appears in historical reporting as a predecessor or point of comparison for later Delphi-based malware such as CryptXXX and DanaBot.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2015-0311 (Flash up to 16.0.0.287) integrating Exploit Kits Patched with Flash 16.0.0.296 ... first seen exploited by Angler EK ... soon after used in standalone mode in huge malvert campaign ... integrated today in RIG ... Fiesta ... Nuclear Pack ... Sweet Orange ... Neutrino ... Magnitude | ...in huge malvert campaign (pushing either Reveton, either Bedep...)
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
These sites ran a version of the Angler exploit kit, which exploited vulnerabilities in visitors' browsers to infect them with malware, and more specifically with Reveton, a ransomware strain that locked users' access to their PCs with messages perpetrating to have come from various law enforcement agencies, such as the FBI.
You might want to read "The Transition - "Reveton Team" or "Mr.J/Monster AV" from : Paunch's arrest...The end of an Era !
10 distinct techniques documented for this family, organized by ATT&CK tactic.
The FBI ransomware starts often by being downloaded accidentally or visiting a corrupt website and running an application with a modified JavaScript code.
CVE-2015-0311 has been first seen exploited by Angler EK ... soon after used in "standalone" mode in huge malvert campaign ... CVE-2015-0311 has been integrated today in RIG ... Fiesta successfully exploit Windows XP IE8 Flash 16.0.0.257 using CVE-2015-0311 ... Nuclear Pack successfully exploit ... using CVE-2015-0311 ... Sweet Orange firing exploit for CVE-2015-0311 ... Neutrino firing his bundle of Sploit ... Magnitude - CVE-2015-0311 exploited successfully
16 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as earlier malware sharing technical similarities with DanaBot.
Locker-style ransomware and early RaaS that displayed fake law-enforcement warnings and demanded payment, including in bitcoin.
Ransomware family known for locking victims' computers and demanding payment, often using law enforcement-themed scare tactics.
Ransomware that locked victims out of their PCs using fake law-enforcement warnings and demanded payment via GreenDot MoneyPak vouchers.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.