"The infections are occurring after users are lured to a drive-by download site where a dropper installs the Citadel malware, which, according to the Trusteer report, uploads Reveton's ransomware DLL from Citadel's command and control server," writes Threatpost's Brian Donohue. "The Citadel strain locks down its host computer, displaying a fake message warning users that their computer has been identified by the Computer Crime and Intellectual Property Section of the US DoJ for having visited websites containing child pornography or other illegal content, and thus, violating US federal law. In order to unlock their machines, users are prompted to pay a $100 fine to the DoJ."
Whether or not the user pays the bogus fine, the Citadel trojan remains active on the infected machine, giving its operators a foothold for online banking and credit card fraud. Paying removes nothing: a host that has shown the lock screen should be treated as fully compromised, and any banking or card credentials used on it should be considered exposed.
"It is clear from this and similar attacks we have discovered recently that financial malware has achieved a technological level of sophistication which enables it to be used to carry out virtually any type of cyber-attack," writes Trusteer's Amit Klein. "Through a combination of social engineering, data capturing and communication tampering these attacks are being used by criminals to target applications, systems and networks belonging to financial institutions, enterprises, and government agencies in order to commit fraud or steal sensitive information. We have to recognize that cyber-crime and cyber-security protection begins with the endpoint now more than ever."