Tech support scammers have begun using ransomware to force users to pay for the “cleaning” of their infected computer.
Unlike most previous tech support schemes, this one tells the truth: the computer IS actually infected, with the so-called VindowsLocker ransomware.
The message it shows after encrypting the files (and appending the .vindows extension to their names) is somewhat bizarre:
“this not microsoft vindows support. we have locked your files with the zeus virus. do one thing and call level 5 microsoft support technician at 1-844-609-3192. you will files back for a one time charge of $349.99.”
Users who call the number reach a tech support scammer in India, who directs them to a payment page (a custom web form) that they are required to fill out.
The form requests the users’ email, date of birth, social security number, credit card type, number, expiration date, CVV, and the amount that they need to pay. As far as I can tell, the scammers are after information that can be used to make fraudulent payments at a later date.
According to Malwarebytes, even victims who hand over this information won’t receive a decryption key from the crooks. The ransomware is designed to deliver each victim’s encryption key to the crooks by creating a private paste through Pastebin’s API, but that delivery mechanism is broken.
“The author’s intention was to fetch the keys from Pastebin by logging in to their account and later selling them to the victims,” the researchers explained.
“However, they misunderstood the Pastebin API (they hardcoded a user_key) that was meant to be used for a single session. After the predefined period of time, the key expired. That’s why the pasties were assigned to ‘a Guest’, rather than to a specific account. Retrieving them in this intended way became no longer possible.”
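To make the failure the Malwarebytes researchers describe concrete, here is an added example that is not part of the original article, of Pastebin’s code, or of the malware: a small Python mock of a paste service whose user key is valid only for one session, driven by one client that bakes the key into every sample the way the ransomware did and one that logs in before each post. The method and parameter names (api_login, api_post, api_dev_key, api_user_key, api_paste_private) are modelled on the names Pastebin’s public API uses, but the expiry and guest-downgrade behaviour, the fake clock, the credentials and the paste format are assumptions made for the example.

```python
"""Added illustration of the key-delivery failure described above.

Not Pastebin's real API and not the malware's code: a mock service whose
api_user_key is valid for one session, as the Malwarebytes quote describes,
used to show why a hardcoded key leaves every escrowed file key in a paste
owned by "a Guest" that the crooks' account can no longer list.
"""
import secrets
from dataclasses import dataclass, field

DEV_KEY = "dev-key-constructed"   # stands in for api_dev_key (constructed value)
PRIVATE = 2                       # api_paste_private value for a private paste
GUEST = "a Guest"                 # owner label the article quotes for orphaned pastes


@dataclass
class Paste:
    paste_key: str
    owner: str
    body: str
    private: int


@dataclass
class FakePastebin:
    """Stand-in for api_login.php / api_post.php (behaviour is an assumption)."""
    accounts: dict                            # username -> password
    session_ttl: int = 3600                   # seconds a user_key stays valid
    now: int = 0                              # fake clock so this runs offline
    _user_keys: dict = field(default_factory=dict)   # user_key -> (user, expires_at)
    _pastes: list = field(default_factory=list)

    def api_login(self, dev_key: str, user: str, password: str) -> str:
        if dev_key != DEV_KEY or self.accounts.get(user) != password:
            raise PermissionError("Bad API request, invalid login")
        user_key = secrets.token_hex(16)
        self._user_keys[user_key] = (user, self.now + self.session_ttl)
        return user_key

    def _owner_for(self, user_key) -> str:
        entry = self._user_keys.get(user_key)
        if entry is None or entry[1] <= self.now:
            return GUEST          # unknown or expired key: treated as a guest
        return entry[0]

    def api_post(self, dev_key: str, body: str, user_key=None, private=0) -> str:
        if dev_key != DEV_KEY:
            raise PermissionError("Bad API request, invalid api_dev_key")
        # The quote says expired keys yielded guest pastes rather than an error,
        # so the mock silently downgrades instead of rejecting the request.
        owner = self._owner_for(user_key) if user_key else GUEST
        paste = Paste(secrets.token_hex(4), owner, body, private)
        self._pastes.append(paste)
        return paste.paste_key

    def api_list(self, dev_key: str, user_key: str) -> list:
        """Pastes the logged-in account can see; guest pastes never appear."""
        owner = self._owner_for(user_key)
        return [p for p in self._pastes if owner != GUEST and p.owner == owner]


def escrow_file_keys(server: FakePastebin, post, victims) -> dict:
    """Each infected machine makes one symmetric key and posts it privately."""
    keys = {}
    for victim in victims:
        keys[victim] = secrets.token_hex(16)
        post(server, f"victim={victim} key={keys[victim]}")   # constructed format
    return keys


def hardcoded_key_client(baked_key):
    """VindowsLocker-style: the same api_user_key baked into every sample."""
    return lambda server, body: server.api_post(DEV_KEY, body, user_key=baked_key, private=PRIVATE)


def login_per_session_client(user, password):
    """Intended use: obtain a fresh api_user_key before each private post."""
    def post(server, body):
        user_key = server.api_login(DEV_KEY, user, password)
        return server.api_post(DEV_KEY, body, user_key=user_key, private=PRIVATE)
    return post


def crook_can_retrieve(server, user, password) -> int:
    """Number of escrowed keys the crooks can list after logging in afresh."""
    return len(server.api_list(DEV_KEY, server.api_login(DEV_KEY, user, password)))


def demo(session_ttl=3600, days_in_the_wild=30):
    """Returns (retrievable with hardcoded key, retrievable with per-session login)."""
    victims = ["pc-01", "pc-02", "pc-03"]
    creds = ("crook", "hunter2")   # constructed credentials for the mock

    srv = FakePastebin({creds[0]: creds[1]}, session_ttl=session_ttl)
    baked = srv.api_login(DEV_KEY, *creds)          # author logs in once at build time
    srv.now += days_in_the_wild * 24 * 3600         # samples run long after that session
    escrow_file_keys(srv, hardcoded_key_client(baked), victims)
    hardcoded = crook_can_retrieve(srv, *creds)

    srv2 = FakePastebin({creds[0]: creds[1]}, session_ttl=session_ttl)
    srv2.now += days_in_the_wild * 24 * 3600
    escrow_file_keys(srv2, login_per_session_client(*creds), victims)
    per_session = crook_can_retrieve(srv2, *creds)
    return hardcoded, per_session


if __name__ == "__main__":
    print(demo())   # (0, 3): the baked-in key expired, so every paste went to a Guest
```

Running it shows the asymmetry the researchers point out: with the baked-in key, all three escrowed file keys land in guest-owned pastes and the crooks’ fresh login lists none of them, while the per-session client retrieves all three. A single hardcoded session credential was the one point of failure in the whole extortion scheme, and here it failed in the victims’ favour.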
But, luckily for the victims, the ransomware uses only symmetric cryptography, and all of a victim’s files are encrypted with the same key. Thanks to some implementation mistakes by the malware’s authors, Malwarebytes researchers were able to create a decryptor.
The decryptor consists of two command line tools: one that recovers the key with which the victim’s files were encrypted, and a second that uses that key to decrypt the files. For more detailed instructions on how to use them, check out this blog post.
It’s not known how the ransomware-cum-tech support scam is delivered to victims’ computers.