Cybercrooks have put together a new scam that falls halfway between ransomware and old school browser lockup ruses.
The new class of “tech support lockers” relies on tricking users into installing either a fake PC optimiser or a bogus Adobe Flash update. Once loaded, the malware mimics ransomware and locks users out of their computers. Unlike Locky, CryptoWall and their ilk, however, it doesn’t actually encrypt files on compromised Windows PCs.
Jérôme Segura, a senior security researcher at Malwarebytes, said “tech support lockers” represent a class of malware more advanced than the browser locks and fake anti-virus alerts of the pre-ransomware past.
“This is not a fake browser pop up that can easily be terminated by killing the application or restarting the PC,” Segura writes in a blog post. “No, this is essentially a piece of malware that starts automatically, and typical Alt+F4 or Windows key tricks will not get rid of it.”
One strain of tech support locker employs a subtle piece of social engineering trickery by waiting until a user restarts their computer before confronting them with a fake Windows update screen. Users are told their computers can’t be restarted normally, supposedly because of an “expired license key”. Thereafter a screen locks the user out of their computer in an attempt to trick marks into phoning a support number staffed by scammers.
Victims are told that their problems can be resolved, for a fat fee of $250, Malwarebytes discovered.
Tech support lockout [Source: Malwarebytes]
The particular strain of malware - spotted and documented by independent white hat security researcher “TheWack0lian” - marks an evolution in tech support scams, Malwarebytes’ Segura warns.
“In comparison to fake (but mostly harmless) browser alerts, these Windows lockers are a real pain to get rid of and until you do so, your computer is completely unusable... This increased sophistication means that people cannot simply rely on common sense or avoid the typical cold calls from 'Microsoft'. Now they need to also have their machines protected from these attacks because scammers have already started manufacturing malware tailored for what is essentially plain and simple extortion over the phone,” he writes.
Miscreants have already begun to flog these types of lockers on Facebook, a sign that scams of this type have reached script kiddie level and are therefore likely to become commonplace in future. Previous scams along the same lines, although less sophisticated, include a BSOD ruse that surfaced last September.
“There is an entire ecosystem to distribute these tech support lockers, which includes bundling them into affiliate (Pay Per Install) applications,” Segura concludes.
More commentary on the scam can be found in a post from security blogger David Bisson here.
TheWack0lian also discovered a keyboard combination that disables the tech support locker malware: holding Ctrl+Shift while pressing the S key. The same white hat found hardcoded values for the ‘product key’ - “h7c9-7c67-jb”, “g6r-qrp6-h2” or “yt-mq-6w” - which may offer a means to recover from infection without paying the scammers, at least in the case of this one particular strain of malware.