A new piece of ransomware posing as a Windows activation screen is targeting users in the United States. The copycat locks the victim's screen and then asks them to call a toll-free number to regain access to their computer.
The security researcher S!Ri, closely followed by Symantec's team, was the first to run across the newcomer. Unlike other similar threats, this ransomware has not been spread on a large scale yet, with only a few infections here and there.
Another thing that makes this ransomware stand out is that its details lead experts to believe it was carefully planned in advance rather than being another creation of some petty criminal wannabe.
The ransomware's distributor is a program named freedownloadmanager.exe. If a user has it installed on their PC, it executes the ransomware itself and the victim no longer has control over their machine. The screen is replaced with the standard Windows 10 wallpaper and an input field. Above this input field the following message is shown:
“Your Windows Licence has Expired, Please get a new one by calling on 1-888-303-5121.”
Above this message are the icons of the LogMeIn and TeamViewer applications, both of which allow someone else to access your computer remotely. Although their exact purpose is not clear yet, experts think they may have been bundled inside the ransomware deliberately. If so, the cybercriminals could easily log into the victims' PCs and reactivate them after the victims have called the toll-free number.
When Symantec's team tried calling the number as a test, they were surprised to get no answer for 90 minutes. This raises the possibility that the number is fake, and if so, the price to unlock this type of ransomware is unknown at the moment.
However, the matter gets more tangled still. When the researchers searched for the number on Google, the results were full of suspicious pages advising victims to pay the fee to regain control of their computers.
According to Symantec, these search results are poisoned and exist only to mislead people into thinking there is no other way of getting rid of the activation screen, forcing them to pay up.
The good news is that VMRay developer Chad Loeven, together with the Symantec experts, found an easy way to remove the ransomware. All users need to do is type "8716098676542789" into the input field and they will once again have access to their machines.