We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Ransomware squeezes users with bogus Windows activation demand

But F-Secure sniffed out unlock code to stymie extortion scheme

A new Trojan tries to extort money from users by convincing them to dial international telephone numbers to reactive Windows, a security researcher said today.

Once on a PC, the malware displays a message claiming that Windows is "locked" and must be reactivated, said Mikko Hypponen, the chief research officer of Helsinki-based F-Secure. Users seeing the message cannot boot Windows in either normal or Safe mode, Hypponen said.

"This copy of Windows is locked. You may be a victim of fraud or there may be an internal error," the message states.

New 'ransomware' claims Windows needs to be reactivated. Image courtesy of F-Secure.

To regain control of the PC, users are told to reactivate Windows online or via a phone call. The former, however, is not available; a follow-up message instructs users to dial one of six telephone numbers, then enter a six-digit code to reactivate the operating system.

"The call from your country is free of charge," the second message alleges.

Not even close.

"They pretend to be Microsoft," said Hypponen, adding that the telephone numbers actually lead to an automated call center where users are kept on hold for several minutes, racking up long-distance charges.

F-Secure is trying to determine the location of the call center.

The scammers make money through what Hypponen called "short stopping," the practice of billing a call at a rate higher than the actual destination.

"The numbers are operated by rogue operators and lead to [countries with] very expensive phone rates, like the Dominican Republic or Somalia," Hypponen said in an interview Monday. "But the numbers actually end up in much cheaper countries. They charge you the full price.... That's how they make money."

F-Secure has seen that money-making mechanism used before in a Windows Mobile Trojan horse that secretly dialed international numbers to rack up charges via short stopping.

But it's new in "ransomware," the term describing malware that tries to extort a payment in return for returning control of the computer or its files to the owner.

"Ransomware makers come up with a new payment mechanism every time one is shut down," said Hypponen. One of the most prevalent pieces of ransomware, "GPcode," told victims to use a pre-paid credit card, an avenue that has since been blocked.

Extortion software like GPCode and the newest Trojan are not only booming, but present a clear danger to users, Hypponen argued.

"For the end user, most of the damage by malware is transient," he said. "If you're infected by a bot Trojan, your PC may send out lots of spam, but if anything, that slows down your PC only a bit. Even keyloaders, if they get ahold of your credit card, you don't actually lose money because you can get it back. But ransomware is bad news, because the PC is unusable or all your files are encrypted."

The solution to ransomware is to either fork over the payoff or roll back the PC to a prior backup, assuming one is available, said Hypponen,

Or in this case, enter the code F-Secure said was delivered by the call center, no matter what number is dialed.

That unlock code: 1351236.

"I hate the idea of paying money to these clowns," said Hypponen. "Just enter that code."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is [email protected] .

Read more about security in Computerworld's Security Topic Center.

IDG UK Sites

Apple promises developers better stability, performance for Swift

IDG UK Sites

5 things we hate about MWC: What it's like to be a journalist at a technology trade show

IDG UK Sites

Interview: Lauren Currie aims to help design students bridge skills gap

IDG UK Sites

12in Retina MacBook Air release date rumours: new MacBook Air to have fingerprint ID, could launch...