Phone-based Windows support scams have been going on for at least six years despite repeated warnings from the Better Business Bureau, the Royal Canadian Mounted Police, the FBI, and Microsoft itself.
Now, tech support scammers are also taking victims' data hostage, targeting unsuspecting internet users with a combination of social engineering and deception. The malicious tactic has evolved from cold calls to fake alerts and, most recently, screen locks. Tech support scammers have now added ransomware to their attack arsenal.
AVG security researcher Jakub Kroustek first spotted the ransomware, which he named VindowsLocker based on the file extension it adds to the end of all encrypted files (.vindows). The VindowsLocker ransomware uses the AES encryption algorithm to lock files with the following extensions:
txt, doc, docx, xls, xlsx, ppt, pptx, odt, jpg, png, csv, sql, mdb, sln, php, asp, aspx, html, xml, psd
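For responders, the extension list and the `.vindows` suffix are enough to inventory the damage on an affected machine before attempting recovery. The following is an added example, not code from AVG, Malwarebytes or the original article; it assumes an encrypted file keeps its original name with `.vindows` appended, and the directory tree it scans is constructed sample data.

```python
import os
import tempfile
from collections import Counter

# Extensions the article lists as VindowsLocker targets.
TARGETED = {"txt", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "odt", "jpg", "png",
            "csv", "sql", "mdb", "sln", "php", "asp", "aspx", "html", "xml", "psd"}
MARKER = ".vindows"  # suffix appended to encrypted files, per the article


def triage(root):
    """Walk root and classify files as encrypted or still-intact targets."""
    encrypted, intact = [], []
    by_type = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(MARKER):
                original = name[: -len(MARKER)]  # assumed original file name
                ext = os.path.splitext(original)[1].lstrip(".").lower()
                # "unexpected": marker on a type the article does not list
                by_type[ext if ext in TARGETED else "unexpected"] += 1
                encrypted.append((path, original))
            elif os.path.splitext(lower)[1].lstrip(".") in TARGETED:
                intact.append(path)  # targeted type that was not encrypted
    return {"encrypted": sorted(encrypted), "intact": sorted(intact), "by_type": dict(by_type)}


def build_sample(root):
    """Constructed sample tree, not real victim data."""
    names = ["Docs/report.docx.vindows", "Docs/budget.XLSX.VINDOWS",
             "Docs/notes.txt", "Pics/cat.jpg.vindows", "Pics/app.exe.vindows",
             "Pics/tool.exe"]
    for rel in names:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"placeholder")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        result = triage(tmp)
        for path, original in result["encrypted"]:
            print(f"encrypted: {path} (was {original})")
        print("still intact:", result["intact"])
        print("by original type:", result["by_type"])
```

Run `triage()` against a read-only copy or mounted image of the affected volume so the inventory does not alter file timestamps on the evidence.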
In the attack, victims receive a call from someone claiming to be a Microsoft support rep who is checking up on reports of errors or a malware infection on the victim’s computer. The caller then asks the victim to download a diagnostic tool, usually a legitimate remote support app like LogMeIn Rescue or TeamViewer. A connection is established to the “troubled” computer and then the smoke and mirrors routine begins.
Commands are then run, and files and lengthy text logs are displayed on the screen, supposedly indicating a serious problem. For a fee, of course, the scammer will gladly take care of everything. They’ll even offer to install a “protection package” to keep the victim safe down the road. The victim is asked to call a provided phone number and talk to tech support personnel, which differs from most ransomware families, which use a Dark Web portal to handle payment and decryption operations.
Now, Malwarebytes and independent security researcher @TheWack0lian have released a free decryption tool to help victims of a recent ransomware attack recover their data from cyber criminals employing a tech support scam technique. VindowsLocker, which surfaced last week, works by connecting victims to phoney Microsoft technicians to have their files encrypted using a Pastebin API.
This ransomware stands out from all others because it uses tech support scams and it extorts larger payments from the victims.