
‘World’s lamest ransomware’ leaves unlock key ‘in plain sight’

The ransomware was discovered by researchers at security company Symantec. It acts as a Windows activation scam, claiming to be from Microsoft. By using social engineering techniques, the malware attempts to convince the user their Windows license has expired. It tells them to call a toll-free number where assistants will be able to reactivate Windows for a fee.
The program is styled to be visually similar to Microsoft’s Windows 10 marketing. It uses the Windows 10 hero image as its background graphic with a button styling that could be mistaken for an authentic Microsoft product. At the top of the screen, logos for remote desktop software TeamViewer and LogMeIn are present.
Needless to say, the ransomware authors aren’t affiliated with either of the two companies. Symantec speculated the logos are designed to reassure the ransomware’s victim, indicating professionalism. They could suggest a support worker will connect to the computer and guide the user through the process of “reactivating” Windows.
To the less technically savvy user, the screen could pass as a genuine Microsoft prompt. It does provide a usable toll-free number to call to obtain an unlock key, which Symantec contacted for more details and to find out the fee. After being placed on hold for over 90 minutes, the company was forced to hang up due to time constraints.
Returning to the program, Symantec began to analyse the source code for the ransomware. It found the malware to be “simplistic,” lacking a command-and-control server and making no attempt to hide how it operates. Unlike most such programs, it does not generate a unique encryption key for each victim, instead relying on a single unlock code that’s stored “in plain sight” within the source.
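Symantec’s finding that the unlock code sits unobfuscated in the program points to the first thing a responder would try on such a sample: carve the strings out of the executable and look for the artefacts a locker like this leaks (the lock-screen text, the toll-free number, a long numeric literal that is the unlock code, and any “removal tool” URL). The script below is an added example written for this article; it is not Symantec’s tooling or the malware’s own code. It runs over a constructed byte blob standing in for the executable; the lock-screen text, phone number and unlock code are the ones quoted in this article, while the surrounding bytes, the assumption that the literals are stored as UTF-16LE strings (typical for .NET Windows binaries) and the example URL are assumptions made for the demonstration.

```python
from __future__ import annotations
import re

# Constructed stand-in for the locker's executable, NOT the real sample.
# The lock-screen text, phone number and unlock code are the ones quoted in
# the article; the surrounding bytes, the UTF-16LE encoding of the strings
# and the "removal tool" URL are assumptions made for this example.
LOCK_TEXT = ("Your Windows License has Expired, Please get a new one by "
             "calling on 1-888-303-5121 from Store Representative")
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 32
    + LOCK_TEXT.encode("utf-16-le") + b"\x00" * 4
    + b"compare_key\x00" + b"\x00" * 4
    + "8716098676542789".encode("utf-16-le") + b"\x00" * 4
    + b"http://example.invalid/removal-tool\x00"
)


def extract_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Carve printable ASCII and UTF-16LE runs (what `strings -a -e l` does).

    .NET and many other Windows binaries keep literals as UTF-16, so an
    ASCII-only pass would miss exactly the strings we care about here.
    """
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in utf16_run.finditer(blob)]
    return found


PHONE = re.compile(r"\b1-8(?:00|33|44|55|66|77|88)-\d{3}-\d{4}\b")  # US toll-free
CODE = re.compile(r"\d{12,20}")   # a bare long numeric literal: unlock-code shaped
URL = re.compile(r"https?://\S+")


def find_indicators(blob: bytes) -> dict[str, list[str]]:
    """Bucket carved strings into the artefacts a hardcoded-key locker leaks."""
    out: dict[str, list[str]] = {
        "lock_text": [], "phone_numbers": [], "candidate_codes": [], "urls": [],
    }
    for s in extract_strings(blob):
        if "license has expired" in s.lower():
            out["lock_text"].append(s)
        out["phone_numbers"] += PHONE.findall(s)
        if CODE.fullmatch(s):          # whole string is one long number
            out["candidate_codes"].append(s)
        out["urls"] += URL.findall(s)
    return out


if __name__ == "__main__":
    # On a real case: find_indicators(open(path, "rb").read())
    for bucket, values in find_indicators(SAMPLE_BINARY).items():
        print(f"{bucket}: {values}")
```

Run against a real file with `find_indicators(open(path, "rb").read())`. A string in `candidate_codes` sitting a few bytes from the lock-screen text is what “in plain sight” means in practice: the check the locker performs is a comparison against a constant, so every carved candidate can simply be typed into the prompt. Properly built ransomware gives the analyst nothing to carve, because the key is generated per victim and never written into the binary.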
Despite the basic program, Symantec discovered the malware creators had set themselves up to run a sophisticated campaign. They had gone so far as to manipulate search engine results for the toll-free number to point to fake malware recovery websites.
These sites, created by the ransomware authors, advertised ways to remove the program without paying. They all end up advising against manual removal though, suggesting the best way to avoid “further damage” and “remove all the infections” is to contact the “cyber experts” and use the Automatic Removal Tool obtainable from the phone line.
The campaign is a more sinister evolution of the tech support scams that have plagued PC users for years. The fake Microsoft hotlines are evolving into a new kind of threat, utilising modern malware techniques to extort ransom fees from less technically-minded computer users.
To stay safe from ransomware, you should make regular backups to ensure you can easily restore your files if you do get infected. You should ignore any suspicious looking emails and badly worded popup prompts, even if they claim to be from Microsoft or your computer’s manufacturer.
In this case, the tell-tale bad grammar of the malware’s instructions, “Your Windows License has Expired, Please get a new one by calling on 1-888-303-5121 from Store Representative,” is a key indicator that it isn’t really Microsoft displaying the activation prompt.
The malware has been observed to be having some success in the US, according to Symantec. However, its creators’ dismal inability to write complex ransomware has now taken another unexpected turn. When The Register tried to call the toll-free phone line, it found it went straight through to voicemail.
The campaign appears to have been abruptly shut down, although the program could still infect other users. The universal unlock code visible within the source gives victims an easy way to recover, however: entering the code 8716098676542789 into the app will restore all the encrypted data. Unlocking the screen does not remove the program itself, so the machine should still be cleaned up afterwards.
