Ransomware squeezes users with bogus Windows activation demand
But F-Secure sniffed out unlock code to stymie extortion scheme
Computerworld - A new Trojan tries to extort money from users by convincing them to dial international telephone numbers to reactive Windows, a security researcher said today.
Once on a PC, the malware displays a message claiming that Windows is "locked" and must be reactivated, said Mikko Hypponen, the chief research officer of Helsinki-based F-Secure. Users seeing the message cannot boot Windows in either normal or Safe mode, Hypponen said.
"This copy of Windows is locked. You may be a victim of fraud or there may be an internal error," the message states.
To regain control of the PC, users are told to reactivate Windows online or via a phone call. The former, however, is not available; a follow-up message instructs users to dial one of six telephone numbers, then enter a six-digit code to reactivate the operating system.
"The call from your country is free of charge," the second message alleges.
Not even close.
"They pretend to be Microsoft," said Hypponen, adding that the telephone numbers actually lead to an automated call center where users are kept on hold for several minutes, racking up long-distance charges.
F-Secure is trying to determine the location of the call center.
The scammers make money through what Hypponen called "short stopping," the practice of billing a call at a rate higher than the actual destination.
"The numbers are operated by rogue operators and lead to [countries with] very expensive phone rates, like the Dominican Republic or Somalia," Hypponen said in an interview Monday. "But the numbers actually end up in much cheaper countries. They charge you the full price.... That's how they make money."
F-Secure has seen that money-making mechanism used before in a Windows Mobile Trojan horse that secretly dialed international numbers to rack up charges via short stopping.
But it's new in "ransomware," the term describing malware that tries to extort a payment in return for returning control of the computer or its files to the owner.
"Ransomware makers come up with a new payment mechanism every time one is shut down," said Hypponen. One of the most prevalent pieces of ransomware, "GPcode," told victims to use a pre-paid credit card, an avenue that has since been blocked.
Extortion software like GPCode and the newest Trojan are not only booming, but present a clear danger to users, Hypponen argued.
"For the end user, most of the damage by malware is transient," he said. "If you're infected by a bot Trojan, your PC may send out lots of spam, but if anything, that slows down your PC only a bit. Even keyloaders, if they get ahold of your credit card, you don't actually lose money because you can get it back. But ransomware is bad news, because the PC is unusable or all your files are encrypted."
The solution to ransomware is to either fork over the payoff or roll back the PC to a prior backup, assuming one is available, said Hypponen,
Or in this case, enter the code F-Secure said was delivered by the call center, no matter what number is dialed.
That unlock code: 1351236.
"I hate the idea of paying money to these clowns," said Hypponen. "Just enter that code."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts