Security Advisor

Popular Ransomware Adds Ability To Steal Victims' Passwords

The infamous Trojan that's rolled up into widely used exploit kits is getting a new trick.

Microsoft is warning that the Reveton Trojan, a nasty ransomware that locks users out of their computer until they pay the hackers to remove it, now has added the ability to scan and snag all your passwords.

According to Microsoft, this new trick was added so that even if an antivirus does its job and removes the Trojan before you fall for the extortion racket, the attackers' time and effort aren't wasted -- they at least have your passwords, which can be used to drain funds from you in a different way.

"Once an exploit kit installs Reveton on a system, the ransomware will start contacting its command and control (C&C) server," wrote Microsoft's Stefan Sellmer in a TechNet blog post. It downloads information about the system's external IP address, for example the Internet provider, city, and country.

While the Trojan goes to work shipping off your information, it's simultaneously installing and running the DLL that locks your screen until payment is received. And it's also running the password-stealing component that is hidden in memory.

The password grabber goes to work in the background, stealing personal information from file downloader lists, e-mail clients, chat logs and remote-access applications, and it even reaches browser passwords saved in protected storage.

Even with its original creator behind bars, the Trojan is finding new ways to terrorize infected victims, thanks to additions like this and the fact that it's rolled up into popular exploit kits like Blacole and Cool Exploit Kit.

Microsoft points out that earlier this year, once a popular Java exploit was dropped into the kits that also included Reveton, more than 100,000 systems were being infected daily. Since then, the infection rate has dropped, but it's still able to snare thousands of new victims on a daily basis.

To avoid infection, Microsoft prescribes the usual dosage of smart Internet browsing and software updating.

"Our advice is, before you become a victim of the Reveton infection, spend a few minutes to eliminate possible infection vectors by updating software components which are targeted by drive-by-downloads," said Sellmer. "You should install all the relevant Microsoft security updates and update browser plug-ins like Java and Flash Player."

And if you feel like you've been infected, the first point of action (before even trying to remove the Trojan) is to change all your passwords.

About the Author

Chris Paoli is the site producer for and
