A couple of days ago, Symantec researchers discovered a ransomware/tech support scam which mimics the Windows Activation screen, locks the victims’ computers and asks them to call a number shown on the screen to regain access to them.
Now, according to Malwarebytes and Bleeping Computer, another, similar scam has been detected. Researchers say that frauds imitating the Windows Activation screen aren’t innovative at all, but this is the first time two of them have been noticed in such a short period of time.
This tech support scam operates in a simple way: it locks the victims’ computers and demands that they enter a Windows product key or call the number shown on the screen to unlock their machines. This is why InfoSec experts also refer to it as ransomware.
Entering a real Windows key, though, won’t help victims regain control over their computers. Any text they enter in the field causes the standard Windows 10 settings page to appear, even if they are running another Windows version. This should be more than enough for users to realize this is a scam. If not, the activation screen’s wonky, improperly aligned UI is the clearest sign there could be, given that Microsoft’s UI team would never release something like that.
Anyway, if the users somehow overlook all these signs, when they click anywhere on the screen, the ransomware will read out loud:
“Please activate your Window call to us on 1-888-414-4284.”
The Bleeping Computer researcher, Lawrence Abrams, says he called the number and he was asked to pay $99.99 for a new product key.
Investigating further, Abrams also found that the ransomware includes support for opening applications such as cmd.exe, Windows Explorer, TeamViewer, LogMeIn, and Supremo.
Given that TeamViewer, LogMeIn, and Supremo are all used for logging in to other computers, it is clear that the crooks behind this scam are using them to unlock the victims’ screens after they pay.
Unluckily for the scammers but luckily for all users, security researchers managed to find a way to defeat the lock, as the unlock code was once again included in the ransomware’s source code.
To unlock their screens without paying, users just have to enter the word “close” five times, without spaces, in the input field (closecloseclosecloseclose). In case it doesn’t work, rebooting the PC after entering the code should be enough to fix the problem.