Now that ransomware is on the brain, a few crooks posing as tech support are tailoring their skills to work the system. A lock screen appears on your PC, claims that the user's Windows license has expired, and tells the user to simply call the tech support number provided in order to solve the problem quickly and effortlessly. A fake Microsoft technician answers the line and is more than happy to help, if you are willing to pay the price.
Users will see a lock screen appear on their machine that closely resembles a genuine Microsoft program. After the program installs, it waits patiently for the user to restart the PC. After the restart, the program activates, takes over the desktop, and displays a highly sophisticated Windows Update screen. To the naked eye, nothing gives away that this is in fact ransomware.
After the program activates, the infected PC displays a screen telling the user that the desktop has been disabled because of an expired license key, with the computer name taken from the victim's actual PC. Now that the PC is locked, the user thinks they are doing the right thing by calling the number provided and talking to someone they believe is a tech support agent working for Microsoft.
Malwarebytes called the number, and a fake Microsoft technician revealed a hidden function: hitting Ctrl+Shift+T would bring up a built-in installer for TeamViewer. The tech support scammer on the other end of the call refused to give much more information without the $250 to unlock the PC, which, of course, Malwarebytes did not pay.
A user who refused to pay the requested fee would have few resources to fix the machine on their own. Fortunately, security researchers have found a small loophole. Discovered by @TheWack0lian, Ctrl+Shift+S allows users to kill the winlocker without touching the contents of their machine. Alternatively, the hardcoded values “h7c9-7c67-jb” or “g6r-qrp6-h2” or “yt-mq-6w” can be entered as the product key. These may work to unlock the machine, but they are not a fix across the board, as they will not work for all versions of the locker.
If you would like to learn more about the information presented in this blog post, please visit: Ransomware-like tech support scam locks screen, labels Windows product key as invalid