November 29, 2016
For those of us tracking tech support scams and seeing the evolution from cold calls, to fake alerts and eventually screen lockers, we knew what the next phase was going to be. And yet when it did happen, it still shocked us to see a ransom note with the photo of a technical support agent waiting for victims to phone in.
A new twist on an old scam
Security researcher @TheWack0lian pointed us to a tweet from @JakubKroustek about a new “Vindows [sic] Locker” which appeared to be actual ransomware encrypting files and demanding a $349 ransom in a very broken English note:
Contrary to most ransomware, which asks for payment in Bitcoin, this one requires victims to call a supposed Microsoft technician. If this sounds familiar, it’s because it’s essentially a tech support scam using a different technique: not just fake warnings, but bona fide ransomware to force users to call for assistance.
In our recent report on the Anatomy of tech support scams, we had already described how those scams are getting more sophisticated and borrowing tricks from real malware authors. It seems we no longer have to wait for the next phase; it is now happening.
If you call the number, you will be connected to tech support scammers out of India impersonating Microsoft. They have no real intention of decrypting your files though as they simply want your money.
To trick users, the technician opens up the real Microsoft support page and quickly pastes a shortened URL into the address bar. This redirects to the payment page, which is actually a custom web form powered by JotForm, a legitimate online form builder. If you proceed to fill in your information, you will be giving your hard-earned cash to a bunch of online crooks who will never recover your files anyway.
If you have been affected by this ransomware, please keep reading below for the technical details and to download our free decryptor.
Inside the tech support scam ransomware
The VindowsLocker ransomware is written in C# and mildly obfuscated. Files are encrypted with AES, and the .vindows extension is added to each one.
It would not be particularly interesting if not for its one trick. Most ransomware communicates with its C&C via simple HTTP-based protocols. Often, the C&C is a form or a web application hosted on an Onion page. However, some malware authors break with this established standard and come up with their own creative ways of passing data back to their headquarters (e.g. the ransomware that abuses the Telegram API). In the current case, the authors chose yet another way: they abused Pastebin’s API.
The ransomware comes with two hardcoded Pastebin API keys (api_dev_key and api_user_key):
The AES key, which is randomly generated on the victim machine, is pasted to Pastebin with the help of these keys.
Below, we can see a fragment of Wireshark capture, showing how the key is being sent:
As we can see, the data is pasted as private (value 2), so only knowing the explicit URL or being logged into the specified account allows one to retrieve the data. As the Pastebin API reference states:
Pastebin returns the address of the created pastie, and if we open it, we can see our key placed on Pastebin:
The name of the pastie is generated from the infected user’s name. Here’s the format of the pasted data:
In the above case, the key used to encrypt files was:
The authors’ intention was to fetch the keys from Pastebin by logging in to their account and later sell them to the victims. Using this smart technique, they wanted to avoid the trouble of establishing their own server. However, they misunderstood the Pastebin API: they hardcoded a user_key that was meant to be used for a single session. After the predefined period of time, the key expired. That’s why the pasties were assigned to ‘a Guest’ rather than to a specific account, and retrieving them in the intended way was no longer possible.
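As an added example (not code from the original post or the malware), here is a small Python detector for the upload pattern described above: it parses constructed outbound POST records, recognizes Pastebin’s paste endpoint together with the api_paste_private=2 and api_user_key fields, and flags a key-like paste body. The endpoint and field names are Pastebin’s real API; the sample records and key values are constructed placeholders, and treating a bare hex/base64 string as "key-like" is an assumption, since the post does not show the exact paste format.

```python
from urllib.parse import parse_qs
import re

# Real Pastebin API endpoint used for creating pastes.
PASTEBIN_POST_PATH = "/api/api_post.php"

# Constructed sample records (host, path, form-encoded POST body). The key values
# are placeholders made up for this example, not the ones from the malware.
SAMPLE_REQUESTS = [
    # Shaped like the ransomware upload: private paste, user key, key-like body,
    # paste name derived from a (constructed) user name.
    ("pastebin.com", "/api/api_post.php",
     "api_option=paste&api_dev_key=DEVKEY_PLACEHOLDER&api_user_key=USERKEY_PLACEHOLDER"
     "&api_paste_private=2&api_paste_name=alice"
     "&api_paste_code=0123456789abcdef0123456789abcdef"),
    # Ordinary public paste by a legitimate client: noted, but low severity.
    ("pastebin.com", "/api/api_post.php",
     "api_option=paste&api_dev_key=DEVKEY_PLACEHOLDER&api_paste_private=0"
     "&api_paste_code=hello+world"),
    # Unrelated traffic.
    ("example.org", "/index.html", ""),
]

# Assumption: the pasted key is a bare hex or base64 string, so anything of
# that shape in the paste body is treated as key-like.
KEY_LIKE = re.compile(r"[0-9A-Fa-f]{32,64}|[A-Za-z0-9+/]{24,}={0,2}")

def inspect(host, path, body):
    """Return indicator tags for one outbound POST; an empty list means nothing notable."""
    tags = []
    if not host.endswith("pastebin.com") or path != PASTEBIN_POST_PATH:
        return tags
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("api_option") != "paste":
        return tags
    tags.append("pastebin-api-paste")
    if form.get("api_paste_private") == "2":   # 2 = private paste
        tags.append("private-paste")
    if "api_user_key" in form:                  # paste tied to an account session
        tags.append("authenticated-paste")
    if KEY_LIKE.fullmatch(form.get("api_paste_code", "")):
        tags.append("key-like-paste-body")
    return tags

def suspicious(requests):
    """Indices of requests carrying every indicator of the VindowsLocker pattern."""
    wanted = {"pastebin-api-paste", "private-paste", "authenticated-paste", "key-like-paste-body"}
    return [i for i, r in enumerate(requests) if wanted <= set(inspect(*r))]
```

In a real deployment the records would come from a proxy or IDS log; a single hit on all four tags is worth an alert, while a public paste alone is normal developer traffic.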
This ransomware attacks the following extensions:
It starts encrypting from the current user’s directory and follows recursively to all subdirectories.
This ransomware uses only symmetric cryptography: AES in CBC mode. All the files are encrypted with the same key.
The key is not encrypted after use and is not stored locally; it is only pasted to Pastebin, as shown above.
Fortunately, the authors of VindowsLocker made some mistakes in the way they applied the cryptography, and we managed to create a decryptor.
About the decryptor
You can download the Vindows Decryption Tools from here.
You can also watch the video on YouTube illustrating how they work.
The package contains 2 command-line tools:
The ‘headers’ folder contains a set of headers for supported formats – their role will be explained further.
How to use
WARNING: in order to work correctly, these tools must be run directly on the infected machine (not on another machine to which the encrypted files were moved).
Use VindowsKeygen first in order to find your key.
You need to prepare one encrypted file along with its decrypted copy. Supply them to the keygen via the command line:
If you do not have a valid copy of any of your files, you can use one of the pre-prepared headers from this package instead of the valid file.
Choose a header from the ‘headers’ directory that has an extension corresponding to your encrypted file, e.g.:
Wait for your key to be generated. It may take from a few seconds up to a few minutes.
The key will be dumped to the file: vindows_key.txt
Once your key has been generated, copy it from the file vindows_key.txt and use VindowsDecryptor to recover the rest of your files.
Wait for your files to be decrypted.
Tech support scammers have upped their game by evolving their tactics. Random cold calls yield few results compared to more aggressive and customized attacks. In fact, getting into this business from scratch is not difficult at all, thanks to affiliate and marketing channels, not to mention third-party APIs and panels. Indeed, tech support scams as a service are a thing now, and there’s much money to be made.
With the adoption of ransomware, it is no longer only the elderly and unsavvy users who are likely to be defrauded. Anybody who inadvertently installs a malicious program (oftentimes a PUP) may be the scammers’ next victim.
Malwarebytes Anti-Malware customers are protected against the Vindows locker which we detect as Ransom.FileCryptor.