Attention support scammers

Microsoft recently published a new study. The figures show that the best-known forms of fraud are still widespread: false support offers by phone, by e-mail, by pop-up, or by redirection while surfing the web. IT security specialist G Data describes another variant of the alleged technical support scam: extortion Trojans dressed up in a Microsoft look.


You know the drill: a caller from India tries to convince you that your computer is broken and that you need to install some software. This scam is not new, but this form of social engineering is still red-hot.

One form of tech support scam that Microsoft does not explicitly highlight in its analysis is the attack with screenlocker ransomware. Here, computer users receive neither a phone call nor an e-mail; instead, extortion Trojans block their access to the computer. Victims are then supposed to call an alleged Microsoft phone number to renew the supposedly expired license for their PC. The experts at G Data have taken a closer look at this type of fraud:

The Screenlocker Ransomware Scam

The malicious file always comes as an alleged installer for a product, for example VMC Media Player or similar. However, the advertised program is not included in the installer at all. The malware family under investigation uses Smart Install Maker to generate the installer. The following analysis by G Data is based on a file that masqueraded as "Free Download Manager": SHA256: c72fb6e95375900999d14cd10541021a4db0a9065e387ed6b45266d80bb18d55

After execution, this installer drops a .bat and an .exe file (their names differ between variants). The .exe file is registered for autostart in two places: as the Winlogon Shell and under the usual autostart key SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
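The two persistence locations named above are also the two places a defender checks first when triaging a machine that shows such a lock screen. The following PowerShell script is an added example written for this article; it is not G Data's code and not part of the original analysis. It assumes it is run from a session in which the locker is not active (for example a remote PowerShell session), that the expected Winlogon Shell value is explorer.exe, and that a Run entry pointing into a user-writable directory (temp, AppData, Downloads) is worth a closer look. The "suspicious" heuristic and the directory list are assumptions for illustration, not a definition of malware; every reported entry must be inspected before anything is changed.

```powershell
# Added triage example (not from the G Data analysis). Reads the Winlogon Shell
# value and the Run keys the article names, reports anomalies, and hashes the
# referenced executables so they can be compared with published indicators.

$findings = @()

# 1. Winlogon Shell: normally "explorer.exe". Both the machine-wide and the
#    per-user location are checked, since either one is honoured at logon.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $winlogonKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -ne $shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings += [pscustomobject]@{
            Location = "$key\Shell"
            Value    = $shell
            Reason   = 'Shell is not explorer.exe'
        }
    }
}

# 2. Run keys: list every entry; flag those whose command points into a
#    user-writable directory (assumed heuristic, not a malware definition).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$userWritableRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads")

foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath etc.; those are not registry values.
        if ($p.Name -like 'PS*') { continue }
        $cmd = ([string]$p.Value).Trim().Trim('"')
        $hit = $userWritableRoots | Where-Object { $_ -and $cmd -like "$_*" }
        if ($hit) {
            $findings += [pscustomobject]@{
                Location = "$key\$($p.Name)"
                Value    = $cmd
                Reason   = 'Run entry points into a user-writable directory'
            }
        }
    }
}

# 3. For every flagged entry, extract the executable path (first token ending in
#    .exe) and compute its SHA-256 for comparison with published indicators.
foreach ($f in $findings) {
    $exePath = $null
    if ($f.Value -match '^"?([^"]+?\.exe)') { $exePath = $Matches[1] }
    if ($exePath -and (Test-Path -LiteralPath $exePath)) {
        $f | Add-Member -NotePropertyName SHA256 -NotePropertyValue (
            (Get-FileHash -LiteralPath $exePath -Algorithm SHA256).Hash)
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No anomalies in Winlogon Shell or Run keys.'
} else {
    $findings | Format-List
}
```

The script only reads; it deliberately does not delete or repair anything, because a wrong Shell value set back to explorer.exe while the dropped .exe is still present only restores the lock screen at the next reboot. The hash it prints is for the dropped executable, which is a different file from the installer whose SHA-256 the article quotes, so the two values are not expected to match.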

The .bat file

The .bat file contains batch code that restarts the computer after a time delay.

The .exe file

This is the actual malicious code, the screenlocker. In the case study, the .NET assembly is called fatalerror.exe and requires .NET 2.0 to run.

G Data writes that they have seen other samples that need .NET 4.6 to run. If such a file lands on Windows XP (where that .NET version cannot be installed) or on a system with a lower .NET version, the forced reboot results in a blank screen that shows only the user's own Windows background image and the mouse cursor.

In either case, however, logging in or starting Windows Explorer is not possible.

Affected users get a lock screen in the Windows 10 design. If you are not running Windows 10, you might notice at this point that something is wrong, as G Data writes.

Conclusion

Tech support scams are not a new phenomenon. You will never receive a genuine call from Microsoft or a Microsoft partner asking you to pay for a computer repair.

The increased emergence of screenlocker ransomware is a further development in this context and can unsettle users even more, especially since the scammer does not merely point out supposed problems on the computer but actively blocks access to the device. Simply ignoring the false warnings is therefore unfortunately not an option.

Tips and tricks

  • Keep in mind that the designation "Microsoft Partner" is not an indication that a person is particularly trustworthy. The effort to register as an official Microsoft Partner is relatively low.
  • Do not grant a support person remote access to your device unless you are absolutely certain that the person is providing a legitimate service and you are instructing them to do so.
  • Resist curiosity and do not be lured by supposed support agents to websites with important information. These websites might be specially prepared to infect visitors with malware or phish data.
  • Decline assistance by phone or website if you are to be charged unexpected fees. Do not disclose payment information (e.g. credit card details) or other personal information.
  • Of course: Never give out passwords to other people!

Source: G Data
