Ransomware squeezes users with bogus Windows activation demand
But F-Secure sniffed out unlock code to stymie extortion scheme
Computerworld - A new Trojan tries to extort money from users by convincing them to dial international telephone numbers to reactive Windows, a security researcher said today.
Once on a PC, the malware displays a message claiming that Windows is "locked" and must be reactivated, said Mikko Hypponen, the chief research officer of Helsinki-based F-Secure. Users seeing the message cannot boot Windows in either normal or Safe mode, Hypponen said.
"This copy of Windows is locked. You may be a victim of fraud or there may be an internal error," the message states.
To regain control of the PC, users are told to reactivate Windows online or via a phone call. The former, however, is not available; a follow-up message instructs users to dial one of six telephone numbers, then enter a six-digit code to reactivate the operating system.
"The call from your country is free of charge," the second message alleges.
Not even close.
"They pretend to be Microsoft," said Hypponen, adding that the telephone numbers actually lead to an automated call center where users are kept on hold for several minutes, racking up long-distance charges.
F-Secure is trying to determine the location of the call center.
The scammers make money through what Hypponen called "short stopping," the practice of billing a call at a rate higher than the actual destination.
"The numbers are operated by rogue operators and lead to [countries with] very expensive phone rates, like the Dominican Republic or Somalia," Hypponen said in an interview Monday. "But the numbers actually end up in much cheaper countries. They charge you the full price.... That's how they make money."
F-Secure has seen that money-making mechanism used before in a Windows Mobile Trojan horse that secretly dialed international numbers to rack up charges via short stopping.
But it's new in "ransomware," the term describing malware that tries to extort a payment in return for returning control of the computer or its files to the owner.
"Ransomware makers come up with a new payment mechanism every time one is shut down," said Hypponen. One of the most prevalent pieces of ransomware, "GPcode," told victims to use a pre-paid credit card, an avenue that has since been blocked.
Extortion software like GPCode and the newest Trojan are not only booming, but present a clear danger to users, Hypponen argued.
"For the end user, most of the damage by malware is transient," he said. "If you're infected by a bot Trojan, your PC may send out lots of spam, but if anything, that slows down your PC only a bit. Even keyloaders, if they get ahold of your credit card, you don't actually lose money because you can get it back. But ransomware is bad news, because the PC is unusable or all your files are encrypted."
The solution to ransomware is to either fork over the payoff or roll back the PC to a prior backup, assuming one is available, said Hypponen,
Or in this case, enter the code F-Secure said was delivered by the call center, no matter what number is dialed.
That unlock code: 1351236.
"I hate the idea of paying money to these clowns," said Hypponen. "Just enter that code."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts