Windows Activation Ransomware

Ransomware is a type of malware that disables the victim’s ability to use their computer or access their data.  It can use encryption, registry interference, rights and security modifications or just plain old graphics overlays to accomplish its task.  The end result that the attacker desires is to charge the user a fee to get access back, and sometimes, obtain credit card information for sale on the black market, or for more fraudulent spending.

Gregg Keizer at ComputerWorld is reporting that a new Trojan has hit the wild, wooly web, one that in this case tries to extort money from its victims by convincing them to dial expensive international telephone numbers to reactivate Windows.  Once installed on a PC, the malware displays a message claiming that “This copy of Windows is locked.  You may be a victim of fraud or there may be an internal error,” and that it must be reactivated.  The computer will not boot into either normal or Safe mode.  The victim is instructed to dial a long-distance number, then enter a six-digit code to reactivate the operating system.  “The call from your country is free of charge,” the message falsely indicates.

The perps pretend to be Microsoft, and the telephone numbers actually lead to an automated call center where users are kept on hold for several minutes, racking up long-distance charges.  F-Secure is trying to determine the location of the call center.  The scammers make money through what F-Secure called “short stopping,” billing a call at a rate higher than the actual destination charges.

What can you do if you are the victim of a ransomware attack?

  • You can pay these clowns, perpetuating the threat, lose the $30–200 that is typically charged, and risk losing more money by handing them your credit card details.  (NOT recommended)
  • You can install a good, reliable backup/restore mechanism.  Windows restore points are often tampered with, so I suggest Comodo Time Machine, Symantec Ghost, or one of the many others available.
  • Tape backups are always a handy mechanism, provided you actually use them.  Few will.
  • Also, if you have another computer handy, you can google the message presented and eventually find its unlock code.  In this case, F-Secure obtained the unlock code 1351236 from the call center.
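Because the second point above rests on restore points that malware can quietly disable, here is a small check to run before you need it.  This is an added example, not code from the original post or from F-Secure; it assumes Windows PowerShell on a Windows client, an elevated prompt, and the standard System Restore policy value under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore (the function name Get-RestorePointHealth is my own).

```powershell
# Added example (not from the original post): report whether System Restore
# has been turned off by policy and list the restore points that still exist,
# so you learn that this recovery path has been tampered with before, not
# after, a lock screen appears.  Assumes Windows PowerShell, run elevated.

function Get-RestorePointHealth {
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
    $disabled = $false
    if (Test-Path $policyPath) {
        $props = Get-ItemProperty -Path $policyPath
        # DisableSR = 1 means System Restore is off by policy; malware that
        # wants to block recovery writes the same value.
        if ($props.DisableSR -eq 1) { $disabled = $true }
    }

    # Get-ComputerRestorePoint returns the restore points on the system drive.
    $points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)

    [PSCustomObject]@{
        DisabledByPolicy   = $disabled
        RestorePointCount  = $points.Count
        NewestRestorePoint = if ($points.Count -gt 0) {
            ($points | Sort-Object SequenceNumber | Select-Object -Last 1).Description
        } else { $null }
    }
}

$health = Get-RestorePointHealth
$health | Format-List

if ($health.DisabledByPolicy -or $health.RestorePointCount -eq 0) {
    Write-Warning 'System Restore is disabled or has no restore points; keep a separate image backup.'
}
```

A machine that reports DisabledByPolicy as True or a count of zero on a system you never configured that way is worth a closer look, and in any case is one you should not be relying on for recovery.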

“I hate the idea of paying money to these clowns,” said F-Secure’s representative. “Just enter that code.”


2 thoughts on “Windows Activation Ransomware”

  1. Nobody is saying which versions of Windows are vulnerable to this 1351236 scam. Isn’t Windows 7 likely to be less vulnerable unless the user turns off the system alerts?

  2. In theory, yes. But, it really depends on the vector used to infect your system.

    If the code is activated by the user downloading and installing a perceived useful program, it is likely that the user won’t realize that the program is doing something nasty when prompted to allow the compromise to take place. Windows just asks if you want to allow “program X” to install or to continue.

    Even choosing the more information option just provides a minimal amount, and is generally useless for determining intent or what is being changed.

    I haven’t gotten a copy or analyzed the infecting code, so this is all elementary. The term “Trojan code” implies that it is hidden within some other program, though.
