We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,785 News Articles

Ransomware plays pirated Windows card, demands $143

Scam tries to scare users with black screen and Microsoft logo; Panda's found the 'activation' code

Cybercriminals are trying to trick Windows users into paying [euro]100 ($143) by claiming that they're running a counterfeit copy of the operating system, a security expert said today.

The scam, a kind dubbed "ransomware" for the way criminals try to extort money, poses as a message from Microsoft that alleges Windows is pirated. In reality, the user is infected with malware acquired after following instructions received in malicious email messages or through peer-to-peer (P2P) networks.

"This is not the first time cybercriminals have tried to pose as Microsoft in order to gain enough credibility so users are fooled and will pay money, said Luis Corrons, the technical director of Panda Security's lab. "But this time they are getting a bit greedy."

Previous ransomware attempts that leverage Microsoft's brand have demanded only $15 to $20, said Corrons. In April, for example, Finnish antivirus vendor F-Secure reported a similar Windows activation scam that racked up charges by keeping users on hold to a high-priced long-distance number.

The malware and subsequent scam is being primarily pitched to German-language speakers, said Corrons.

At current exchange rates, [euro]100 is equivalent to nearly $143.

To enhance the believability of the scheme, the malware displays Microsoft's logo and the notorious black screen that Microsoft forces on counterfeit copies of Windows when its validation software recognizes a counterfeit.

According to Corrons, the on-screen instructions claim that unless the victim pays the ransom, all data on the machine will be lost. Local prosecutors will be notified unless payment is made within 48 hours, the scam adds.

"They have played two cards here," said Corrons, "saying they are Microsoft and that [prosecutors] are aware of the situation."

Both claims are fake, Corrons added. "After two days, nothing happens. You can still use your computer [and] no files are deleted," he said.

Payments must be made through one of two payment services relatively unknown in the U.S., but more widely used in Europe: Ukash and Paysafecard.

Panda has obtained the activation code that the scammers eventually send to paying customers. Like legitimate Windows activation codes, it's a 25-character alpha-numeric string: QRT5T-5FJQE-53BGX-T9HHJ-W53YT

"For all of you [who] wouldn't like to pay anything to these bastards, this is the code you can use to deactivate it," said Corrons.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .

See more articles by Gregg Keizer .

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.


IDG UK Sites

Android One vs Android Silver vs Google Nexus: What is the difference?

IDG UK Sites

Apple updates MacBook Pro line-up: Price cuts & spec boosts for 6 MacBook Pro models

IDG UK Sites

Long live the internet fridge: the Internet of Things is coming

IDG UK Sites

How Prometheus' colourist Juan Ignacio Cabrera gave a tense, edgy feel to Chosen