Tech support scammers have taken inspiration from ransomware authors and come up with a lock screen claiming a user’s Windows license has expired. A tech support number is provided, and a fake Microsoft technician is happy to help, so long as the victim pays to have their computer unlocked.
Malwarebytes reported that after a user installs whatever rogue program has been tainted with the screen locker, they will see something that “truly resembles a genuine Microsoft program.” It installs and waits for the victim to restart their computer. Upon restart, “the program activates to take over the desktop and display what looks like Windows updates.”
Malwarebytes’ Jerome Segura said it is a bogus Windows update screen, but the average user would not know that.
“More troubling is the next screen that comes up and effectively disables the computer because of an expired license key,” he said. “The message looks legitimate with the license key and computer name being retrieved from the victim’s actual computer.”
With the PC locked up, and the valid Windows product key labeled as invalid, the average user would likely call the tech support number on the lock screen. When Malwarebytes called the number, a fake Microsoft technician revealed a hidden function: pressing Ctrl+Shift+T brings up a built-in installer for TeamViewer. The scammer refused to reveal more without being paid the $250 fee to unlock the PC. Malwarebytes did not pay.
If a victim refused to pay the extortion fee to have the malware removed, he or she would seemingly be stuck with an unusable PC. As Segura wrote:
To be clear, this is not a fake browser pop-up that can easily be terminated by killing the application or restarting the PC. No, this is essentially a piece of malware that starts automatically, and typical Alt+F4 or Windows key tricks will not get rid of it.
Thankfully there are options to bypass the lock screen, at least for this particular malware variant.
Security researcher @TheWack0lian, who sent the malware sample to Malwarebytes, discovered that Ctrl+Shift+S “kills the winlocker and does nothing else.” One of the following hardcoded values, “h7c9-7c67-jb,” “g6r-qrp6-h2” or “yt-mq-6w,” can be entered as the product key and may unlock the computer. Malwarebytes noted, “These may only work for this particular instance and not all versions of those lockers.”
VirusTotal currently lists only 13 of 56 antivirus solutions as detecting this tech support locker, which came bundled in a tainted version of PC Cleaner (Win32.Trojan.Agent@PC Cleaner.exe); Malwarebytes Anti-Malware detects it as Rogue.TechSupportScam. However, this was not an isolated incident: Malwarebytes pointed to two more recently submitted examples of ransomware-like screen lockers that claim the Windows product key is invalid and list a fake tech support number. This is setting a “worrying trend.”
Malwarebytes added, “This increased sophistication means that people cannot simply rely on common sense or avoid the typical cold calls from ‘Microsoft.’ Now they need to also have their machines protected from these attacks because scammers have already started manufacturing malware tailored for what is essentially plain and simple extortion over the phone.”