Ransomware plays pirated Windows card, demands $143

Scam tries to scare users with black screen and Microsoft logo; Panda's found the 'activation' code

Cybercriminals are trying to trick Windows users into paying [euro]100 ($143) by claiming that they're running a counterfeit copy of the operating system, a security expert said today.

The scam, a kind dubbed "ransomware" for the way criminals try to extort money, poses as a message from Microsoft that alleges Windows is pirated. In reality, the user is infected with malware acquired after following instructions received in malicious email messages or through peer-to-peer (P2P) networks.

"This is not the first time cybercriminals have tried to pose as Microsoft in order to gain enough credibility so users are fooled and will pay money, said Luis Corrons, the technical director of Panda Security's lab. "But this time they are getting a bit greedy."

Previous ransomware attempts that leverage Microsoft's brand have demanded only $15 to $20, said Corrons. In April, for example, Finnish antivirus vendor F-Secure reported a similar Windows activation scam that racked up charges by keeping users on hold to a high-priced long-distance number.

The malware and subsequent scam is being primarily pitched to German-language speakers, said Corrons.

At current exchange rates, [euro]100 is equivalent to nearly $143.

To enhance the believability of the scheme, the malware displays Microsoft's logo and the notorious black screen that Microsoft forces on counterfeit copies of Windows when its validation software recognizes a counterfeit.

According to Corrons, the on-screen instructions claim that unless the victim pays the ransom, all data on the machine will be lost. Local prosecutors will be notified unless payment is made within 48 hours, the scam adds.

"They have played two cards here," said Corrons, "saying they are Microsoft and that [prosecutors] are aware of the situation."

Both claims are fake, Corrons added. "After two days, nothing happens. You can still use your computer [and] no files are deleted," he said.

Payments must be made through one of two payment services relatively unknown in the U.S., but more widely used in Europe: Ukash and Paysafecard.

Panda has obtained the activation code that the scammers eventually send to paying customers. Like legitimate Windows activation codes, it's a 25-character alpha-numeric string: QRT5T-5FJQE-53BGX-T9HHJ-W53YT

"For all of you [who] wouldn't like to pay anything to these bastards, this is the code you can use to deactivate it," said Corrons.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

See more articles by Gregg Keizer.

FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies