A new word might be trending at the security blogs and antivirus websites soon: Ransomware. While fitting viruses and malicious software into some sort of glorified taxonomy is generally a bad idea, Ransomware is a clever kind of malware, and it exploits the user's initial reaction of panic when faced with a computer virus.
The security researchers at F-PROT Antivirus have come across a unique method of what they call Ransomware. In essence, Ransomware-type malware threatens that your files will be locked or deleted unless you follow the attacker's instructions to purchase a certain product or send money to his bank account.
F-PROT security experts Mikko Hypponen and Sean Sullivan discussed the latest approach taken by this malware on their company's F-Secure Blog. By hijacking the Windows boot process, the Ransomware prevents users from logging into Windows at all.
A computer infected with Ransomware is presented with a fake Windows installation screen during startup.
This screen replaces the normal Windows startup. The fake warning screen tells the user that their Windows operating system needs to be "activated". The scammers play on users' fear that their files will be lost if they do not activate Windows.
The Ransomware performs a fake internet activation, then reports that internet verification has failed. The user is tricked into performing a telephone activation instead.
A list of fake international Microsoft Tech Support Call Center numbers is given:
• 002392216368
• 002392216469
• 004525970180
• 00261221000181
• 00261221000183
• 00881935211841
Calling any of these supposed Microsoft Tech Support Call Center numbers actually places a long-distance call. After prolonged ringing and waiting, callers hear a recorded message that Tech Support Agents are busy and that their call has been placed on hold. After more than 3 minutes in the tech support queue, a recorded voice prompt narrates the activation code. Not surprisingly, the activation code works and unlocks the computer.
How Ransomware Scammers Gain Profit
Ransomware scammers typically collect "ransom" money through multiple bank and PayPal accounts. In the case of the phone activation scam, it is highly suspected that the scammers have ties with international telcos that route the calls over the more expensive path (contrary to the standard practice of routing calls over the cheapest possible route).
The long wait time when calling the fake Microsoft Tech Support Call Center number is deliberate. It simply keeps the caller on the line so that as many international call minutes as possible accumulate before the activation code is read out. Checking the fake call center numbers leads to country codes that are all expensive to call:
• 239 – São Tomé and Príncipe
• 45 – Denmark
• 264 – Madagascar
• 8819 – Globalstar Mobile Satellite Service (a very expensive satellite mobile service)
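The prefix check described above, written out as an added example (it is not code from the original post or from F-PROT/F-Secure): the script strips the international access prefix from each number on the fake activation screen, does a longest-prefix match against a small destination table, and flags anything that lands on a satellite or high-cost route. The destination table is constructed for this example from the dialling codes the post names; the Madagascar numbers on the screen begin with 00261, and 8819 is a Globalstar block inside the shared 881 Global Mobile Satellite System code. The "+1" entry and the benign sample number are assumptions added only to show a non-flagged result.

```python
"""Flag phone numbers whose destination prefix is a known high-cost route."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed lookup table for this example. Keys are E.164 country or network
# codes; values are (destination, high_cost). Entries mirror the dialling codes
# named in the post. The Madagascar numbers on the screen begin with 00261
# (the post's text prints 264); 8819 is a Globalstar block inside the shared
# 881 Global Mobile Satellite System code. "1" is included only so the
# function has a low-cost destination to contrast with.
DESTINATIONS = {
    "1": ("North American Numbering Plan", False),
    "45": ("Denmark", True),
    "239": ("Sao Tome and Principe", True),
    "261": ("Madagascar", True),
    "881": ("Global Mobile Satellite System", True),
    "8819": ("Globalstar Mobile Satellite Service", True),
}

# International access prefixes to strip before matching: "+" (E.164),
# "00" (most of the world), "011" (North America).
INTERNATIONAL_PREFIXES = ("+", "00", "011")


@dataclass
class Verdict:
    raw: str
    digits: str
    prefix: Optional[str]
    destination: str
    high_cost: bool


def normalise(raw: str) -> str:
    """Strip spaces, dashes, dots and brackets, then the international access
    prefix, returning the E.164 digits with the country code first."""
    cleaned = re.sub(r"[\s\-().]", "", raw)
    for p in INTERNATIONAL_PREFIXES:
        if cleaned.startswith(p):
            return cleaned[len(p):]
    return cleaned


def classify(raw: str) -> Verdict:
    """Longest-prefix match of the dialled number against DESTINATIONS.
    Unknown or malformed numbers are flagged rather than silently passed."""
    digits = normalise(raw)
    if not digits.isdigit():
        return Verdict(raw, digits, None, "invalid", True)
    # Try 4-digit codes first so "8819" beats "881", which beats "88".
    for length in range(4, 0, -1):
        prefix = digits[:length]
        if prefix in DESTINATIONS:
            destination, high_cost = DESTINATIONS[prefix]
            return Verdict(raw, digits, prefix, destination, high_cost)
    return Verdict(raw, digits, None, "unknown", True)


def triage(numbers: List[str]) -> List[Verdict]:
    """Classify every number in a list, e.g. the ones scraped from a screen."""
    return [classify(n) for n in numbers]


# The six numbers shown on the fake activation screen, as listed in the post.
SCREEN_NUMBERS = [
    "002392216368",
    "002392216469",
    "004525970180",
    "00261221000181",
    "00261221000183",
    "00881935211841",
]

if __name__ == "__main__":
    for v in triage(SCREEN_NUMBERS):
        flag = "FLAG" if v.high_cost else "ok"
        print(f"{flag:4} {v.raw:16} +{v.prefix or '?':5} {v.destination}")
```

The table is deliberately tiny; in practice the same longest-prefix logic would sit in front of a full country-code list with per-destination tariffs, and anything that matches a satellite range or an unexpected country for a vendor's support line is the signal worth alerting on.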
Also, F-PROT has determined in their experiments that the activation code is the same for all infections. The recorded fake activation code is:
1351236
If you know someone whose machine has a similar virus or malware, suggest that they update their antivirus software and run a full scan. If the device is hit by this same malware, try the unlock code 1351236.
Back up your files and reformat, or restore to a restore point taken before the infection.
===========
User-only privilege adds extra security from virus and malware
A quick note on a still-effective practice: running with user-only privileges helps prevent virus and malware infections.
A study from BeyondTrust, the 2010 Microsoft Vulnerability Analysis, states that users running non-administrator accounts are less prone to virus attacks and to installing malware.
The lack of rights to install software and drivers from a standard user profile ensures that only administrator-approved programs and drivers can be installed.