We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Ransomware plays pirated Windows card, demands $143

Scam tries to scare users with black screen and Microsoft logo; Panda's found the 'activation' code

Cybercriminals are trying to trick Windows users into paying [euro]100 ($143) by claiming that they're running a counterfeit copy of the operating system, a security expert said today.

The scam, a kind dubbed "ransomware" for the way criminals try to extort money, poses as a message from Microsoft that alleges Windows is pirated. In reality, the user is infected with malware acquired after following instructions received in malicious email messages or through peer-to-peer (P2P) networks.

"This is not the first time cybercriminals have tried to pose as Microsoft in order to gain enough credibility so users are fooled and will pay money, said Luis Corrons, the technical director of Panda Security's lab. "But this time they are getting a bit greedy."

Previous ransomware attempts that leverage Microsoft's brand have demanded only $15 to $20, said Corrons. In April, for example, Finnish antivirus vendor F-Secure reported a similar Windows activation scam that racked up charges by keeping users on hold to a high-priced long-distance number.

The malware and subsequent scam is being primarily pitched to German-language speakers, said Corrons.

At current exchange rates, [euro]100 is equivalent to nearly $143.

To enhance the believability of the scheme, the malware displays Microsoft's logo and the notorious black screen that Microsoft forces on counterfeit copies of Windows when its validation software recognizes a counterfeit.

According to Corrons, the on-screen instructions claim that unless the victim pays the ransom, all data on the machine will be lost. Local prosecutors will be notified unless payment is made within 48 hours, the scam adds.

"They have played two cards here," said Corrons, "saying they are Microsoft and that [prosecutors] are aware of the situation."

Both claims are fake, Corrons added. "After two days, nothing happens. You can still use your computer [and] no files are deleted," he said.

Payments must be made through one of two payment services relatively unknown in the U.S., but more widely used in Europe: Ukash and Paysafecard.

Panda has obtained the activation code that the scammers eventually send to paying customers. Like legitimate Windows activation codes, it's a 25-character alpha-numeric string: QRT5T-5FJQE-53BGX-T9HHJ-W53YT

"For all of you [who] wouldn't like to pay anything to these bastards, this is the code you can use to deactivate it," said Corrons.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His e-mail address is [email protected] .

See more articles by Gregg Keizer .

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

IDG UK Sites

Best Black Friday 2014 tech deals: Get bargains on smartphones, tablets, laptops and more

IDG UK Sites

What the Internet of Things will look like in 2015: homes will get smarter, people might get fitter

IDG UK Sites

See how Trunk's animated ad helped Ade Edmondson plug The Car Buying Service

IDG UK Sites

Yosemite tips: Complete Guide to OS X Yosemite