The Malwarebytes security team in cooperation with the independent security researcher @TheWack0lian have created free decryptors for a brand new version of ransomware which came out a week ago. The new ransomware imitates a tech support scam and employs the Pastebin API to save decryption keys.
Based on the file extension added at the end of all encrypted files (.vindows), the AVG security researcher Jakub Kroustek called the ransomware VindowsLocker.
What is the most significant about VindowsLocker is the fact that this ransomware variant makes use of tactics usually noticed in tech support scams.
The VindowsLocker ransomware demands its victims to call a phone number and talk to a call center operator, which is different from most ransomware families, employing a Dark Web portal to handle payment and decryption operations.
In general, what the infected users would see is tech support scammers mimick ransomware locking screens to scare victims into paying the tech support fee, and not the other way around.
The different thing about VindowsLocker ransomware is that it uses call center operators and the official Windows support page to give a false sense of legitimacy to the tech support operations offered to victims.
Despite the fact that the VindowsLocker creators demand $349.99 to unlock the victims’ computers, it is almost certain that the criminals won’t release their files after the ransom is paid.
This happens because the developers of VindowsLocker have messed up their code and the ability to automatically retrieve the encryption key used for each user is lost.
The VindowsLocker ransomware is coded in C# and it encrypts files with AES encryption algorithm. These are the following file types targeted for encryption:
txt, doc, docx, xls, xlsx, ppt, pptx, odt, jpg, png, csv, sql, mdb, sln, php, asp, aspx, html, xml, psd
Apart from imitating a tech support scam, the VindowsLocker ransomware differs from other ransomware families due to the fact that it doesn’t use a web-based C&C server to store the encryption keys of the victims.
The VindowsLocker ransomware comes hardcoded with two Pastebin API keys: api_dev_key and api_user_key. It uses the two API keys to save the name of the infected computer and the random AES key used to lock the victim’s files inside a Pastebin page.
“The author’s intention was to fetch the keys from Pastebin by logging in to their account and later selling them to the victims,” the Malwarebytes team states. “Using this smart technique, they wanted to avoid the trouble of establishing their own server.”
The problem is that the developers of VindowsLocker ransomware have misused one of the API keys, which was meant for usage for short user sessions. In other words, after some time, the API key expires, and the files stored to the VindowsLocker’s author profile were published online under a “guest” entry.
Due to the above-mentioned, the creators of VindowsLocker can’t retrieve the AES encryption keys and help the victims.
Every time the infected users call the tech support number, the call center operators enter in a remote desktop session with the victim’s computer. Then, the operators proceed to open the official Microsoft support page and paste a shortened URL in the address bar which opens a form (hosted on JotForm). The form is used for collecting the user’s personal data. In case the user doesn’t catch this quick action, he might believe that he’s still on the Microsoft website.
Though, the good news for the VindowsLocker’s victims is that there are free decrypters, released by Malwarebytes experts together with the security researchers Hasherezade and Jérôme Segura, and another one by @TheWack0lian, capable of releasing the encrypted files.