“Windows license locked”: Ransomware Targets Windows

Windows license locked!
“This copy of Windows is locked. You may be a victim of fraud or there may be an internal system error” – malware message

Mikko Hyppönen of F-Secure has warned of a new variant of what he calls “Ransomware” or ransom trojans. These are attacks by malware that takes a computer hostage and then tries to extort a payment in exchange for restoring control of the computer or its files to the owner. Sometimes the malware will encrypt files (using AES – Advanced Encryption Standard, for example) until some “ransom” is paid by buying a key to unlock the hostage computer.

The attack tries to extort money from users by pretending to be Microsoft and convincing the victims to dial international telephone numbers to “reactivate” Windows. The initial stage of the attack displays a message claiming that Windows is “locked” and must be reactivated. At this stage, the victims are unable to boot their computers into normal or even safe mode.

“To regain control of the PC, users are told to reactivate Windows online or via a phone call. The former, however, is not available; a follow-up message instructs users to dial one of six telephone numbers, then enter a six-digit code to reactivate the operating system.” The telephone numbers actually lead to an automated call center where users are kept on hold for several minutes, racking up long-distance charges.

While these numbers may look like generic service numbers, they aren’t:
• 002392216368
• 002392216469
• 004525970180
• 00261221000181
• 00261221000183
• 00881935211841

The numbers go to various countries (“00” is the prefix for international dialing). The destinations are: São Tomé and Principe (239), Denmark (45), Madagascar (261) and the Globalstar Mobile Satellite Service (8819).

The trojan claims that the call is “free of charge” but it isn’t, and the trojan author will earn money from the call via a technique known as short stopping. This method involves rogue phone operators who route the expensive calls to cheaper countries.

After three minutes or so, the caller is given the unlock code 1351236, and the unlock code appears to be the same every time the number is called. Mikko believes that this number will unlock any affected computer. As he put it, “I hate the idea of paying money to these clowns, just enter that code.”

He explains that it is a pretty clever bit of social engineering and that some victims may never even realize that they’ve been scammed. The scammers make money through “short stopping,” or the practice of billing a call at a rate higher than the actual destination.

F-Secure detects this trojan as Trojan.Generic.KDV.153863 (MD5: 9a6f87b4be79d0090944c198a68012b6).

You can watch Mikko’s video of the malware here.