Malwarebytes and independent security researcher @TheWack0lian have released free decryptors for a new ransomware variant that appeared last week, which mimics a tech support scam and employs the Pastebin API to save decryption keys.

AVG security researcher Jakub Kroustek first spotted the ransomware, which he named VindowsLocker based on the file extension it added at the end of all encrypted files (.vindows).

Update 12/2/16: It turns out that this ransomware appears to have been created by a group of people who prank tech support scammers.

Ransomware mimics tech support scam

What stands out most about this threat is that the ransomware borrows tactics usually seen in tech support scams.

VindowsLocker asks infected users who had their files encrypted to call a phone number and talk to a call center operator, unlike most ransomware families, which use a Dark Web portal to handle payment and decryption.

Usually, you'd see tech support scammers mimic ransomware lock screens to scare victims into paying the tech support fee, not the other way around.

VindowsLocker takes the opposite approach and uses call center operators and the official Microsoft support page to lend a false sense of legitimacy to the "support" offered to victims.

Paying the ransom won't help you recover your files

Crooks ask for $349.99 to unlock computers, and according to Malwarebytes, they are unable to recover your files even after you pay.

The reason is that the VindowsLocker coders have made a mistake in their code and have lost the ability to retrieve the encryption key generated for each victim.

At the technical level, VindowsLocker is coded in C# and encrypts files with the AES encryption algorithm. The following file types are targeted for encryption:

txt, doc, docx, xls, xlsx, ppt, pptx, odt, jpg, png, csv, sql, mdb, sln, php, asp, aspx, html, xml, psd

Once files are encrypted, the following ransom note is displayed on the user's screen.

VindowsLocker ransom message (via Jakub Kroustek):
this not microsoft vindows support
we have locked your files with the zeus virus
do one thing and call level 5 microsoft support technician at
 you will files back for a one time charge of $349.99

Besides mimicking a tech support scam, VindowsLocker also differs from other ransomware families in that it doesn't use its own web-based C&C server to store the victims' encryption keys.

Instead, the ransomware comes hardcoded with two Pastebin API keys: an api_dev_key, which identifies the developer account, and an api_user_key, which is the key Pastebin's API hands out for a logged-in user session.

VindowsLocker uses these two API keys to save the name of the infected computer and the random AES key used to lock the victim's files inside a Pastebin page.

A sample Pastebin page holding a user's encryption/decryption key (via Malwarebytes)

"The author’s intention was to fetch the keys from Pastebin by logging in to their account and later selling them to the victims," the Malwarebytes team explains. "Using this smart technique, they wanted to avoid the trouble of establishing their own server."

Unfortunately, the VindowsLocker devs misused the api_user_key, which is meant for short user sessions rather than for being hardcoded into a binary.

Once that key expired, the pastes that should have landed in the VindowsLocker author's account were instead created as public "guest" pastes, tied to no account at all.

Because of this, the VindowsLocker dev can't look up the AES encryption keys in their account and so can't help victims. Surprisingly, this hasn't stopped the crooks from going through with their criminal activity.
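To make the key-handling flaw concrete, here is an added Go example, not VindowsLocker's own C# code and not either of the published decryptors, that models both halves of the scheme: the per-victim AES key being written into a paste body together with the computer name, and a decryptor reading that key back out of the paste to recover a .vindows file. The paste layout (computer name on one line, hex-encoded key on the next), AES-GCM as the mode, and the names DESKTOP-EXAMPLE and report.docx are assumptions; the page says only that the cipher is AES and that the computer name and random key go into a Pastebin page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"path/filepath"
	"strings"
)

const lockedExt = ".vindows" // extension VindowsLocker appends to every encrypted file

// targetedExts holds the file types the page says the ransomware encrypts.
var targetedExts = map[string]bool{
	"txt": true, "doc": true, "docx": true, "xls": true, "xlsx": true,
	"ppt": true, "pptx": true, "odt": true, "jpg": true, "png": true,
	"csv": true, "sql": true, "mdb": true, "sln": true, "php": true,
	"asp": true, "aspx": true, "html": true, "xml": true, "psd": true,
}

// isTargeted reports whether a file name carries one of the targeted extensions.
func isTargeted(name string) bool {
	return targetedExts[strings.TrimPrefix(strings.ToLower(filepath.Ext(name)), ".")]
}

func lockedName(name string) string   { return name + lockedExt }
func originalName(name string) string { return strings.TrimSuffix(name, lockedExt) }

// pasteBody models the text the malware is described as saving to Pastebin: the
// infected computer's name and the per-victim AES key. Layout is an assumption.
func pasteBody(computerName string, key []byte) string {
	return computerName + "\n" + hex.EncodeToString(key)
}

// keyFromPaste parses that body back: the step a decryptor performs once the
// paste is located, which anyone can do for a public "guest" paste.
func keyFromPaste(body string) (string, []byte, error) {
	lines := strings.Split(strings.TrimSpace(body), "\n")
	if len(lines) != 2 {
		return "", nil, fmt.Errorf("expected <computer name>\\n<hex key>, got %d lines", len(lines))
	}
	key, err := hex.DecodeString(strings.TrimSpace(lines[1]))
	if err != nil {
		return "", nil, err
	}
	if n := len(key); n != 16 && n != 24 && n != 32 {
		return "", nil, fmt.Errorf("bad AES key length %d", n)
	}
	return strings.TrimSpace(lines[0]), key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// lockFile encrypts a file's contents under the per-victim key and returns
// nonce||ciphertext||tag. AES-GCM is an assumption: the page only says "AES".
func lockFile(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unlockFile reverses lockFile. With GCM a wrong key fails authentication rather
// than yielding garbage, so a recovered key can be checked against one file first.
func unlockFile(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(blob) < ns {
		return nil, fmt.Errorf("encrypted blob is %d bytes, shorter than the nonce", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	// Constructed sample: one victim file and a random 256-bit key, then the
	// recovery path reads the key out of the paste instead of paying $349.99.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	locked, err := lockFile(key, []byte("quarterly numbers"))
	if err != nil {
		panic(err)
	}
	host, recovered, err := keyFromPaste(pasteBody("DESKTOP-EXAMPLE", key))
	if err != nil {
		panic(err)
	}
	plain, err := unlockFile(recovered, locked)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: %s -> %q\n", host, originalName(lockedName("report.docx")), plain)
}
```

Run it with `go run`. The point it makes is that the only secret standing between a victim and their files is the paste contents: the same parsing step any decryptor needs (keyFromPaste above) became available to anyone once the expired session key turned the pastes into public guest entries.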

Call center operators try to fool users with Microsoft's support page

When victims call the tech support number, call center operators open a remote desktop session to the infected PC. The operators bring up the official Microsoft support page, then quickly paste a shortened URL into the address bar that opens a form hosted on JotForm.

They use this form to collect the user's personal data. A user who doesn't catch this quick switch may believe they are still on the Microsoft site.

Malwarebytes claims these scammers are operating out of India and impersonating Microsoft tech support personnel.

TinyURL link leading to JotForm page (via Malwarebytes)

Fortunately, there are two decrypters available, one from Malwarebytes security researchers Hasherezade and Jérôme Segura, and one from @TheWack0lian.

The easiest one to use is the one from @TheWack0lian, which only requires you to run it and click the "Decrypt" button.

@TheWack0lian VindowsLocker decryptor

The Malwarebytes decryptor is a little bit more complex to use, but there are detailed usage instructions available on the Malwarebytes blog, and an easy to follow YouTube video.
