Ransomlock Throws Fake Blue Screen, Lures Victims into Tech Support Scam
What would you do if your computer suddenly flashed a blue screen saying a problem had occurred and that you need to call the phone number on the screen for technical support?
You may be surprised to learn that picking up the phone and dialing that number is exactly what the attackers want you to do.
Symantec researchers found a novel piece of ransomware, Trojan.Ransomlock.AM ("Ransomlock"), that tricks users into calling scammers by displaying a phone number on a fake blue screen.
It's a rather clever departure from the extortion tactics used by other ransomware such as CryptoLocker, CryptoWall and Crowti, which generate revenue by encrypting the data on infected machines and holding the files hostage until the victim pays a hefty fee in bitcoin.
Trojan.Ransomlock.AM instead combines the screen-locking tactics of ransomware with those of the undeniably effective tech support scams that have been plaguing computer users for months.
Tech support scams typically start with an unsolicited phone call from a scammer pretending to be from Microsoft, McAfee or another well-known vendor. Thanks to Trojan.Ransomlock.AM, the victims now call the scammers.
How Ransomlock Works
Upon execution, Ransomlock sends information about the infected system to its command-and-control (C&C) server: the hostname, IP address, screen resolution and a random number. Using that information (the screen resolution lets it size the image correctly), the C&C server sends back a fake "blue screen" image large enough to cover the entire display. Below is a copy of what the victim will see:
Screenshot Credit: Symantec
A problem has been detected.
*** STOP: 0XFFFFYYYY (0Xfffffffff, 0Xuuuuuuuu, 0xUUUUUUUU, 0xUUUUUUUU).
Windows health is critical.
Please call technical support at:
To avoid system failure.
It's important to note that Trojan.Ransomlock.AM only "locks" your computer by displaying this image over the whole screen. Your data has not been encrypted. The image is also a giveaway: a genuine Windows stop error never includes a phone number to call.
How Trojan.Ransomlock.AM Spreads
According to Symantec, Ransomlock often comes bundled with grayware such as SearchProtect and SpeedUPMyPc. Users may not see the blue screen until they restart their machine after installing the grayware, because the lock screen is launched from a Run key at logon.
What to Do When Ransomlock Strikes
If Ransomlock “locks” your computer, Symantec recommends that you:
- Press Ctrl+Alt+Del
- Open Task Manager
- On the Processes tab, look for the ransomware's entry, which should be 'diagnostics.exe', and end the process. The fake blue screen disappears once the process is gone.
- Open the Registry Editor: click Start -> Run, type 'regedit' and press Enter.
- Note the path it points to, then delete the following registry value: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Diagnostics" = "[PATH TO MALWARE]"
- Delete the malware file (and its folder, if it contains nothing else) at the path the Run entry pointed to.
Additionally, users can remove Trojan.Ransomlock.AM by scanning their computer with Symantec's antivirus / security products. (Note: you may need to complete the first three steps above before the scan, since the lock screen blocks access to the desktop.)
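The manual steps above, written as an added PowerShell script. This is not part of Symantec's write-up or of the original post; it assumes only the details given above (a Run-key value named Diagnostics under HKEY_CURRENT_USER and a process named diagnostics.exe), and the -DryRun switch, variable names and messages are this script's own. Because the lock image covers the desktop, start it the way the manual steps start: Ctrl+Alt+Del, Task Manager, File -> Run new task, then type powershell.

```powershell
# Added example (not Symantec's or the original post's code): automates the
# manual Ransomlock cleanup. Run with -DryRun first to see what would change.
# The value name "Diagnostics" and process name "diagnostics" come from the
# steps above; the -DryRun switch and messages are this script's assumption.
param(
    [switch]$DryRun
)

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Diagnostics'
$procName  = 'diagnostics'   # Get-Process / Stop-Process take the name without .exe

# 1. Read the persistence entry before touching anything; it tells us where the binary lives.
$entry = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if (-not $entry) {
    Write-Host "No '$valueName' value under $runKey; nothing to do."
    return
}
# Run-key data is usually "C:\path\file.exe" or C:\path\file.exe -args;
# take the first quoted token, otherwise the first whitespace-delimited token.
$raw = [string]$entry.$valueName
if ($raw -match '^\s*"([^"]+)"') { $malwarePath = $Matches[1] }
else { $malwarePath = ($raw -split '\s+')[0] }
Write-Host "Run-key value '$valueName' -> $raw"
Write-Host "Resolved malware path: $malwarePath"

# 2. End the process drawing the fake blue screen (same as Task Manager -> End task).
$procs = Get-Process -Name $procName -ErrorAction SilentlyContinue
if ($procs) {
    foreach ($p in $procs) {
        Write-Host "Found process $($p.ProcessName) (PID $($p.Id)) at $($p.Path)"
        if (-not $DryRun) { Stop-Process -Id $p.Id -Force }
    }
} else {
    Write-Host "No running process named '$procName.exe'."
}

# 3. Remove the persistence entry so the lock screen does not return at next logon.
if ($DryRun) {
    Write-Host "[DryRun] would remove registry value $runKey\$valueName"
} else {
    Remove-ItemProperty -Path $runKey -Name $valueName
    Write-Host "Removed registry value $runKey\$valueName"
}

# 4. Delete the binary the Run entry pointed to, and its folder if that is now empty.
if (Test-Path -LiteralPath $malwarePath) {
    if ($DryRun) {
        Write-Host "[DryRun] would delete $malwarePath"
    } else {
        Remove-Item -LiteralPath $malwarePath -Force
        Write-Host "Deleted $malwarePath"
        $dir = Split-Path -Parent $malwarePath
        if ((Get-ChildItem -LiteralPath $dir -Force | Measure-Object).Count -eq 0) {
            Remove-Item -LiteralPath $dir -Force
            Write-Host "Removed empty folder $dir"
        }
    }
} else {
    Write-Host "File $malwarePath not found; it may already be gone or the path may differ."
}
```

Two caveats: the Run key lives under HKEY_CURRENT_USER, so run the script as the user whose desktop was locked, not as a different administrator; and it only removes what the steps above describe, not the bundled grayware, so follow it with a full antivirus scan.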
Having Trouble Removing Ransomlock?
We provide malware / ransomware removal services in San Diego, CA. Give us a call at (619) 640-6444 if you need help removing Ransomlock from your computer.