Ransomlock Throws Fake Blue Screen, Lures Victims into Tech Support Scam

RansomwareWhat would you do if your computer suddenly flashed a blue screen saying a problem occurred & you need to call the provided phone # for technical support?

You may be surprised to know that picking up the phone and dialing the number on the screen may not be the best choice.

Symantec researchers found a unique piece of ransomeware, Trojan.Ransomlock.AM (“Ransomlock”) that tricks users into calling scammers by displaying a phone number on a fake blue screen.

It’s a rather clever deviation from the extortion tactics used by other ransomware such as CryptoLocker, CryptoWall, Crowti, et al. They generate revenue by encrypting the data on infected machines & holding the files hostage until the victim pays a hefty fee in bitcoins.

Meanwhile, Trojan.Ransomlock.AM mixes ransomware tactics with those of the undeniably effective tech support scams that have been plaguing computer users for months.

Tech support scams typically start out with a random phone call from a scammer pretending to be from Microsoft, McAfee, etc., but, thanks to Trojan.Ransomlock.AM, victims now call the scammers.

How Ransomlock Works

Upon execution, Ransomlock will relay information about the infected system to its command & control (C&C) server. The data sent includes the hostname, IP address, screen resolution & random number. Using that information, the C&C sends back a fake “blue screen” image large enough to engulf the entire screen. Below is a copy of what the victim will see:

Trojan.Ransomlock.AM Lock Screen
Screenshot Credit: Symantec

A problem has been detected.

*** STOP: 0XFFFFYYYY (0Xfffffffff, 0Xuuuuuuuu, 0xUUUUUUUU, 0xUUUUUUUU).

Windows health is critical.
Please call technical support at:
(888) 653-7089
(toll free)

To avoid system failure.

It’s important to note that Trojan.Ransomlock.AM only “locks” your computer screen by displaying this image. Your data has not been encrypted.

How Trojan.Ransomlock.AM Spreads

Ransomlock often comes bundled with grayware like SearchProtect and SpeedUPMyPc, according to Symantec. Users may not see the blue screen until they restart their machine after installing the grayware applications.

What to Do When Ransomlock Strikes

If Ransomlock “locks” your computer, Symantec recommends that you:

  1. Press Ctrl+Alt+Del
  2. Open Task Manager
  3. Look for the ransomware entry on the Processes tab, which should be ‘diagnostics.exe’, and end the process.
  4. Go to the registry editor by clicking on Start -> Run -> Typing ‘regedit’ and pressing enter.
  5. Delete the following registry entry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”Diagnostics” = “[PATH TO MALWARE]”
  6. Delete the file folder from the directory.

Additionally, users can remove Trojan.Ransomlock.AM by scanning their computer using Symantec’s antivirus / security products. (Note: You may need to complete steps 1-3 listed above first.)

Having Trouble Removing Ransomlock?

We provide malware / ransomware removal services in San Diego, CA. Give us a call at (619) 640-6444 if you need help removing Ransomlock from your computer.

Like this post? Follow us online by liking us on Facebook, following us on Twitter (@sdpcfix), or circling us on Google+.
  • Azra Raza

    I deleted the registry entry but how do I delete the file in step 6?

    • TCM

      Hi there!

      Send us a message and one of our techs will help you locate the files: http://thechipmerchant.com/contact/

      • Crud

        So I got this, and I restarted my computer, but I can’t find the ‘diagnostics.exe’ in Task Manager. It feels like a relief, but I’m afraid that it could be under another name or something… do I have to be worried? Also, there was a computer voice that (basically) said, “Don’t shop online, there is a virus on your computer,” do I have to be worried about that or no since It hasn’t popped up since? Thank you.

  • Gregory Wagner

    Yeah, these fuckers got me like two days ago. Fortunately enough i didn’t call the number because something about the BSOD looked a little off (not the average ordinary Screen of Death). I mean who do these guys hire to make these fake screens? A bunch of 14 year olds in a basement? XD. Anyway, it’s like some d-bag asking you to give them your ssn. Oldest trick in the book!

    • TCM

      Glad to hear that you didn’t fall for this scam! :)

  • Celia Horter

    That just happened to me. It looked real fishy when I saw I had to call a phone number for it to unlock. That sounded too much like a hijacker. Anyway. I pulled up the task manager and ended chrome. It works fine now. Do I have to do the other stuff you suggested? I have windows 10 and don’t know how to find the “run” so I can type the stuff in. Sorry. Not a computer talker.

    • Jazztech

      To open RUN by pressing windows key and the letter R (+R)

  • Lee Coffill

    I’m having this problem right now, only it’s slightly different. I’m using Windows 7 for reference.

    My “Blue Screen” has the same formatting as the one above, but had different details and a different number to call. I can’t seem to open the task manager, however, and the only thing I can do to get out of it is to shut down my pc. Youtube clearly works in the background however, and when I shut down my pc the image is the first thing to close.

    • TCM

      Are you still having problems with this? If so, please contact us: http://thechipmerchant.com/contact

      • Lee Coffill

        I’m actually in the process of reformatting my hard drive anyway, so that should also solve the issue

  • Mij

    The bsod I got had the phone number 18889919974 . if you look at bizrate.com you will see this number as there contact. Will call later and ask for bizrate. They are known for aware already. Will be in touch. The task master entry was windows.exe. the malware was c/users/ public/ public documents. Safe mode end processes if running then delete windows.exe then run malwarebytes and full scan virus scanner hope this helps

  • Lauren Mill

    I called the number but hung up shortly after hearing the person on the other end. Does that mean I’m affected by the virus?