The developers of the Reveton ransom malware could have added a new module that uses keylogging as a backup tactic in case the victim refuses to pay up, Microsoft has found.

Distributed using the Blackhole Exploit Kit, the malware starts out by throwing up a localised lock screen demanding money on bogus pretences, usually a standard police fine warning for a non-existent computer offence.

In the background, however, Reveton downloads a separate password-stealing component stitched in from an older piece of malware, which scours the system for a wide range of logins: FTP, gaming, email, IM, storage and any passwords stored using the browser are all targeted.

It’s not a hugely unexpected development, but it has one important implication: even if the user finds a way of de-installing the ransom segment of the malware, that might not stop the keylogger, which will continue to work.

The innovation could be part opportunistic and part reaction to the increasing success of counter-measures against ransom malware as security vendors finally offer better protection and recovery.

What Microsoft’s research does reveal is that this particular variant of Blackhole was proving hugely effective in January 2013, around the time it started hitting the CVE-2013-0422 Java vulnerability, infecting hundreds of thousands of PCs.

Also closely associated with the Citadel banking Trojan, an alleged key developer of Reveton was arrested in Dubai in February after security companies and police traced the malware’s payment channel through Spain.

It's not clear whether the newly-reported feature dates from after that point in time or was already in the pipeline. Reveton appears disrupted but it is too soon to say it is dead.