Tech support scammers up their game with ransomware

This post was co-authored by @hasherezade and Jérôme Segura.

For those of us tracking tech support scams and seeing the evolution from cold calls, to fake alerts and eventually screen lockers, we knew what the next phase was going to be. And yet when it did happen, it still shocked us to see a ransom note with the photo of a technical support agent waiting for victims to phone in.

A new twist on an old scam

Security researcher @TheWack0lian pointed us to a tweet from @JakubKroustek about a new “Vindows [sic] Locker” which appeared to be actual ransomware encrypting files that demands a $349 ransom in a very broken English note:

"this not microsoft vindows support
we have locked your files with the zeus virus
do one thing and call level 5 microsoft support technician at 
1-844-609-3192
 you will files back for a one time charge of $349.99"

Contrary to most ransomware that asks for payment in Bitcoin, this one requires the victims to call a supposed Microsoft technician. If this sounds familiar it’s because it’s essentially a tech support scam using a different technique (not just fake warnings) but bona fide ransomware to force users to call for assistance.

In our recent report on the Anatomy of tech support scams, we had already described how those scams are getting more sophisticated and borrowing tricks from real malware authors. It seems we no longer have to wait for the next phase, it is now happening.

vindows

If you call the number, you will be connected to tech support scammers out of India impersonating Microsoft. They have no real intention of decrypting your files though as they simply want your money.

payment

To trick users, the technician opens up the real Microsoft support page and quickly pastes a shortened URL in the address bar. This redirects to the payment page which is actually a custom web form, powered by JotForm, a legitimate online form builder. If you proceed to fill in your information, you will be giving your hard earned cash to a bunch of online crooks who will never retrieve your files anyway.

If you have been affected by this ransomware, please keep reading below for the technical details and to download our free decryptor.

Inside the tech support scam ransomware

The VindowsLocker ransomware is written in C# and mildly obfuscated. Files are encrypted with AES and it adds the .vindows extension to each one.

It would not be particularly interesting, if not for its one trick. Most ransomware communicates with a C&Cs via simple HTTP based protocols. Often, the C&C has a form or a web application hosted on an Onion page. However, some malware authors break this established standard and come up with their own creative ways of passing data to their headquarter (i.e. the ransomware abusing Telegram API). In the current case, the authors have chosen yet another way – they abused Pastebin’s API.

Communication

The ransomware comes with two hardcoded Pastebin API keys (api_dev_key and api_user_key):

pastebin_api

The AES key, that is randomly generated on the victim machine, is pasted on Pastebin with their help.

Below, we can see a fragment of Wireshark capture, showing how the key is being sent:

vindows_sent

As we can see, the data is pasted as private (value 2) – so, only knowing the explicit URL or being logged into a specified account allows to retrieve the data. As the Pastebin API reference states:

We have 3 valid values available which you can use with the 'api_paste_private' parameter:
0 = Public
1 = Unlisted
2 = Private (only allowed in combination with api_user_key, as you have to be logged into your account to access the paste)

Pastebin returns an address of the created pastie, and if we open it, we can see out key placed on Pastebin:

pasted

The name of the pastie is generated from the infected user’s name. Here’s the format of the pasted data:

[infected machine GUID][random AES key]

in the above case, the key used to encrypt files was:

csVHRwL40U6Q2guvG&V!XR=jIx59BT1a

The author’s intention was to fetch the keys from Pastebin by logging in to their account and later selling them to the victims. Using this smart technique, they wanted to avoid the trouble of establishing their own server. However, they misunderstood the Pastebin API (they hardcoded a user_key) that was meant to be used for a single session. After the predefined period of time, the key expired. That’s why the pasties were assigned to ‘a Guest’, rather than to a specific account. Retrieving them in this intended way became no longer possible.

Attacked targets

This ransomware attacks the following extensions:

attacked_ext

It starts encrypting from the current user’s directory and follows recursively to all subdirectories.

Cryptography used

This ransomware uses only symmetric cryptography – AES in CBC mode. All the files are encrypted using the same key.

crypto_init

The key is not encrypted after use and not stored locally – only pasted on Pastebin, as it was shown before.

Fortunately, the authors of the VindowsLocker committed some mistakes in the way in which they applied the cryptographic solution and we managed to create a decryptor.

About the decryptor

You can download  the Vindows Decryption Tools from here.

You can also see the video on YouTube, illustrating how they works.

The package contains 2 commandline tools:
1. VindowsKeygen.exe
2. VindowsDecryptor.exe

The ‘headers’ folder contains a set of headers for supported formats – their role will be explained further.

How to use

WARNING: in order to work correctly, those tools require to be run directly on the infected machine (not on any other machine where the encrypted files were moved).

Use VindowsKeygen first, in order to find your key.
You need to prepare 1 encrypted file along with its decrypted copy. Supply them to the keygen via command line:

VindowsKeygen.exe <encrypted file> <valid file>

Example:

VindowsKeygen.exe square1.png.vindows square1.png

If you do not have a valid copy of any of your files, instead of the valid file you can use one of the pre-prepared headers that you will find in this package.
Choose a header from ‘headers’ directory, that has an extension corresponding to your encrypted file, i.e.:

VindowsKeygen.exe square1.png.vindows 16.png

Wait for your key to be generated. It may take from a few seconds up to a few minutes.
The key will be dumped to the file: vindows_key.txt

decryptor_example

When you have your key generated, copy it from the file vindows_key.txt and use VindowsDecryptor to recover the rest of your files.
Example:

VindowsDecryptor.exe ispdrNAkYla2AfUje/rfs8bOsy/m?wPI

Wait for your files to be decrypted.

run_decryptor

Conclusion

Tech support scammers have upped their game by evolving their tactics. Random cold calls yield little results compared to more aggressive and customized attacks. In fact getting into this business from scratch is not difficult at all thanks to affiliate and marketing channels, not to mention third party APIs and panels. Indeed, tech support scams as a service is a thing now and there’s much money to be made.

With the adoption of ransomware, this means that it’s no longer only the elderly and unsavvy users that are likely to get defrauded. Anybody who inadvertently installs a malicious program (often times a PUP), may be the scammers’ next victim.

Malwarebytes Anti-Malware customers are protected against the Vindows locker which we detect as Ransom.FileCryptor.

Click here for best antivirus and antispyware software

Powered by WPeMatico

This entry was posted in Antivirus and tagged , , , , , , , , , , , , , , , , . Bookmark the permalink.