microsoft Ransomware Mimics Windows Activation Screen, Uses Poisoned Search Results

[vissha]

Ransomware Mimics Windows Activation Screen, Uses Poisoned Search Results

 

 

Unlock code discovered, users can bypass the scam

 

Quote

A new screen-locking ransomware is targeting mainly US users, posing as a Windows activation window and asking users to call a toll-free number to regain access to their PC.

 

The ransomware was first spotted by security researcher S!Ri and then by Symantec's team, and is not distributed en mass like other threats, with just a few infections here and there.

 

What makes this ransomware different are some of the smaller details that reveal this is not your casual screen-locker ransomware bought off the Dark Web by a small-time crook, but something that has been well-planned in advance.

 

Ransomware distributed via freedownloadmanager.exe file

 

First and foremost, infections occur via a program called freedownloadmanager.exe, which some users might install on their computer.

 

This actually installs the ransomware, which takes over the user's screen and shows a screen with the standard Windows 10 wallpaper, and an input field. Above this input field, there's the following message:

 

Quote

“  Your Windows Licence has Expired , Please get a new one by calling on 1-888-303-5121  ”

 

Above this message are the icons of two applications, LogMeIn and TeamViewer. Both are legal and safe applications which allow someone to log onto a remote computer.

 

The role of these shortcuts is unclear at the moment, but they might be fully working apps packed inside the ransomware that might allow a crook log into the user's desktop to reactivate the computer when calling the toll-free number.

 

Nobody answers the toll-free number

 

This is only speculation since Symantec called the number shown on the screen, as a test, but nobody answered for 90 minutes. As such, the price it might take to unlock this type of ransomware is unknown at the moment.

 

Things get weirder when searching Google for the toll-free number. This search yields a large number of results that advise users to pay the fee to get rid of the activation screen.

 

Symantec says that these look like poisoned search results, most likely created and promoted using black hat SEO techniques by the hackers to convince users to pay for the activation fee.

 

Fortunately, Symantec's developers, and VMRay developer Chad Loeven, have discovered that by typing 8716098676542789 in the activation field will remove the ransomware.

 

 

Source

[straycat19]

Why not?  Windows 10 mimics malware so turn about is fair play, right? 

 

54 minutes ago, vissha said:

Nobody answers the toll-free number

 

Damn they are really doing a good job of imitating Microsoft.  Too bad they don't write an OS, they could make a fortune and it would probably be more secure.