A cybercriminal gang is putting a new, and somewhat confusing, spin on the classic tech support scam: it uses a new strain of ransomware to lock up a victim’s computer and then asks the person to call a Microsoft customer support number for help.
The software has been dubbed VindowsLocker ransomware by Malwarebytes Labs’ researchers and was apparently developed by a group reminiscent of Butch Cassidy’s Hole in the Wall Gang: definitely dangerous, but mixed with a bit of incompetence. Unlike traditional tech support scams, which just try to extract money from their victims by pretending to be helpful, VindowsLocker creates a real problem by locking up the victim’s files and then offers to help.
Jerome Segura, Malwarebytes Labs lead malware intelligence analyst, took a deep look at VindowsLocker, uncovering both the comical and serious sides of the malware. Segura is not yet certain how the ransomware is spread nor how many people have been victimized, but both he and other researchers have discovered its basic modus operandi.
Instead of simply pretending to be a legitimate tech support person through a pop-up or an email, the bad guys post an image to the victim’s display showing the smiling face of the supposed tech support person, along with a very contradictory ransom note. Malwarebytes reposted a tweet from Jakub Kroustek, a malware analyst at Avast, showing what a victim receives.
— Jakub Kroustek (@JakubKroustek) November 21, 2016
“The first part of the message refers to the infection being done by attackers and not Microsoft. The second part of the message says that this is Microsoft trying to help. It is a little confusing though,” Segura told SC Media in an email.
There is also a flagrant lie in the note. Zeus ransomware is not involved with this attack, Segura said.
The VindowsLocker ransomware uses AES encryption, is mildly obfuscated, and appends a .vindows extension to each encrypted file. Segura described the ransomware’s code and tactics as run of the mill, except for one item: it does not use a command and control server to report back. Instead, the bad guys abused Pastebin’s API in what turned out to be a failed attempt to create an easy way to store the key.
“The ransomware comes with two hardcoded Pastebin API keys. The AES key, that is randomly generated on the victim machine, is pasted on Pastebin with their help,” Segura wrote, adding that the author’s intention was to be able to retrieve the keys from Pastebin by simply logging into their account.
Fortunately, the cybercriminals have as much trouble understanding how Pastebin’s API works as they do with the English language.
“However, they misunderstood the Pastebin API (they hardcoded a user_key) that was meant to be used for a single session. After the predefined period of time, the key expired. Retrieving them in this intended way became no longer possible,” he said.
This means the victim’s files cannot be decrypted by the criminals. This error spotlights the criminals’ apparent lack of professionalism. They created a decent ransomware package, but bundled it with a muddled social engineering message and a major coding flaw.
“Yes, it is quite amateur work but the encryption was implemented properly. Had they done the Pastebin API properly, it would have been a decent ransomware package,” Segura said.
Another way Vindows differs from traditional ransomware attacks is in its payment methodology. Instead of demanding payment in untraceable bitcoin, the friendly, smiling tech support scammer forces the person to call a phone number. The call leads to the scammers themselves, located in India, who then use the malicious code to open up a payment window on the victim’s computer.
However, anyone filling out the form and sending in the $349.99 ransom is simply tossing away their money because, as mentioned, the crooks do not have the ability to decrypt the files.
On the bright side, Malwarebytes has made a free VindowsLocker decryption tool available.