Email scammers always seem to invent new tricks to get money from their victims. We recently came across a case where the scammer reused existing scripts to phish and scam, copy-and-paste style. With a little modification, the script behaves like ransomware without the trouble of having to compile a portable executable. This screen-locker variant locks the user's screen and demands a ransom, rather than encrypting files the way typical ransomware does. The ransom demanded in this case was in the form of Google Play gift cards.

Below is an overview of the process, from the email links and file downloads to how these files are installed and work on the victim's computer.

Lockscreen Ransomware Phishing Leads to Google Play Scam Card

Determine 1. From Scripts to Scams

The scam begins with an email. Recently we have seen an email spam campaign pretending to be an important update for your computer. The email "From:" address is [email protected] followed by some digits.

In the first email sample, the link provided directly downloads a batch file, WindowsUpdate.bat.


Figure 2. An email written in French, and translated into English, asking the user to update their computer.

In the second email sample, the link uses a short URL service that leads to a WordPress site.


Figure 3. Emails implying that a Windows OS license has expired.

Should the victim click the link provided in the second email sample, it redirects to the WordPress web page below:


Figure 4. The WordPress site posing as Windows Support.

Clicking the 'Microsoft' image downloads WindowsUpdate.bat, and hitting the 'Download Now' button downloads the archive file key.rar. Should the victim decide to open the downloaded archive, they will see two script files, named License1.bat and License2.vbs.


Determine 5. The keys to scamming

In the first email sample, the link provided downloads WindowsUpdate.bat. The file in the archive, License1.bat, is identical to WindowsUpdate.bat. It is a modified version of an old script that was uploaded to pastebin.com back in 2017. The script can be seen here.


Figure 6. Side-by-side comparison of the modified (left pane) and the original (right pane) script

The batch file serves as the installer. Running it drops another VBS file and two batch files into the user's Startup folder. Anything placed in that folder runs automatically each time the user logs on, which is how the scripts persist.


Figure 7. Dropping files in the user's Startup folder yields the auto-run technique

The file from the archive, License2.vbs, and the created file startup1.vbs are identical. This script opens Microsoft Internet Explorer in full-screen mode, hiding the address, menu and status bars, and navigates to hxxp://whoawareness[.]com/?page_id=93.


Figure 8. It's like pressing the F11 key on the keyboard. That's the trick.

Either the user logs on and startup1.vbs runs from the Startup folder, or License2.vbs is executed directly from the key.rar archive. The victim is then tricked into thinking that their computer is 'blocked'.


Figure 9. Works a bit like a ransom note.

And a notification appears:


Figure 10. A message box appears, with a contact email provided.

Further down, the web page asks you to buy a Google Play Store card worth 100 Euros to activate a new license for your computer and provides a video on how to scratch off the card. The scammers list the stores where you can buy these cards and provide a phone screenshot of them.


Figure 11. How to scratch the purchased card.


Figure 12. List of retail stores where you can buy the Google Play card.

Finally, the scammers ask you to fill out the form with your personal information along with the Google Play card code.


Figure 13. Phishing and Scam

With a Google Play balance, you can buy apps, books, movies, music, Newsstand content and subscriptions offered in the Google Play Store. The other two files created in the user's Startup folder:

startup1.bat – Since this script was reused and modified, it is meant to change the home page of Microsoft Internet Explorer and Mozilla Firefox by modifying the registry. Both URLs listed in the script were already inaccessible at the time of analysis.

startup2.bat – Terminates Windows Explorer (explorer.exe), which removes the desktop and taskbar and leaves the victim with nothing but the full-screen browser window.


Figure 14. startup1.bat adds new registry entries to change the home page of the listed Internet browser programs


Figure 15. startup2.bat terminates the Windows explorer.exe process
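Taken together, the dropped files give a responder a concrete checklist: scripts in the per-user Startup folder, a wscript.exe process driving a full-screen IE window, a rewritten IE Start Page and a Firefox home page override. The PowerShell below is an added triage script written for this page; it is not code from the original post or from the scam scripts, and it only reports and changes nothing. The SHA1 values are copied from the IOC list at the end of this post; the Firefox profile path and the browser.startup.homepage preference name are assumptions about a default installation.

```powershell
# Added triage script (not from the original post). Read-only: it reports indicators
# of the lockscreen scam described above and modifies nothing.

# SHA1 hashes of the dropped scripts, copied from the IOC section of the post.
$KnownBad = @{
    'd32b802d542138ddb5f812d06077215dd82cbd98' = 'License2.vbs / startup1.vbs'
    'd5e30fbc7f9e7976be8c77682c0ae15fd08ad8dc' = 'License1.bat / WindowsUpdate.bat'
    '094007daaa2854bf22f6fd2750caa33ce97fbcc3' = 'startup1.bat'
    '9558fde1521e01f61fab82b51ce5be3162917e61' = 'startup2.bat'
}

# 1. Scripts in the per-user Startup folder (the same folder that shell:startup opens).
#    Anything scriptable here runs at every logon, so unknown files deserve review
#    even when they do not match a known hash.
$StartupDir = [Environment]::GetFolderPath('Startup')
$scriptExt  = '.bat', '.cmd', '.vbs', '.vbe', '.js', '.jse', '.wsf', '.ps1'
Get-ChildItem -LiteralPath $StartupDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension.ToLower() -in $scriptExt } |
    ForEach-Object {
        $sha1 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash.ToLower()
        [pscustomobject]@{
            File    = $_.FullName
            SHA1    = $sha1
            Verdict = if ($KnownBad.ContainsKey($sha1)) { "IOC match: $($KnownBad[$sha1])" }
                      else { 'unknown script in Startup - review' }
        }
    } | Format-Table -AutoSize

# 2. A running wscript.exe is what keeps the full-screen IE window alive. Its command
#    line shows which .vbs it is executing (startup1.vbs or License2.vbs in this case).
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'wscript.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine | Format-List

# 3. IE Start Page for the current user (startup1.bat rewrites it via the registry).
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -Path $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($startPage) { "IE Start Page: $startPage" }

# 4. Firefox home page override. Assumes the default profile location and that the
#    override is the browser.startup.homepage preference in prefs.js.
Get-ChildItem -Path "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue |
    Select-String -Pattern 'browser\.startup\.homepage' |
    ForEach-Object { "Firefox homepage pref in $($_.Path): $($_.Line)" }
```

Run it in the affected user's session, since both the Startup folder and the HKCU hive are per user; a script that matches none of the hashes but still sits in the Startup folder is worth submitting for analysis rather than assuming it is benign.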

As we were about to publish this, we noticed the WordPress site at whoawareness.com had changed. It now uses scare tactics, especially noticeable when your audio volume is high. It shows an image of threats supposedly detected on your machine, in which the window chrome is evidently from Windows XP. Then there are two message boxes: a fake system alert, and a phishing form that asks you to key in your username and password.


Figure 16. Another lockscreen image replaced the landing site of the tinyurl-hosted redirection.


Figure 17. The alarming audio with a voice-over informing you that your machine is infected

Mitigation and Clean-Up Procedures

Follow the steps below to clean up the running process, all dropped files, and any modified registry entries.

1.  Open Task Manager, look up the process 'wscript.exe', right-click it and select 'End Task'. This stops the script that keeps the full-screen window open.

2.  Press F11 on the keyboard. This exits the full-screen mode of the IE browser; then close the browser.

3.  Open the Run dialog (press the Windows key + R at the same time) and type 'shell:startup'. This opens the user's Startup folder. Delete the dropped files startup1.vbs, startup1.bat and startup2.bat.

4.  Open Registry Editor.

Find the registry keys added by startup1.bat (Figure 14) in their respective locations and delete them together with the subkeys tied to them.

Then find the Internet Explorer 'Start Page' value (for the current user it lives under HKCU\Software\Microsoft\Internet Explorer\Main). You can change its value back to your original home page or simply delete it.

5.  If you have the Mozilla Firefox browser installed on your system, close Firefox first (it rewrites prefs.js on exit), then navigate to your Firefox profile folder (under %APPDATA%\Mozilla\Firefox\Profiles\) and open the prefs.js file in a text editor.

In the text editor, look up the user_pref line that sets browser.startup.homepage to the scammer's URL, delete it, then save the file.
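The five steps above as one PowerShell script for the current user. This is added example code written for this page, not a tool from the original post. It assumes the dropped file names given above (startup1.vbs, startup1.bat, startup2.bat), the default Firefox profile location, that the Firefox override is the browser.startup.homepage preference, and 'about:blank' as the home page to restore; the additional registry keys that appear only in the post's figures are not reproduced here, so check those by hand.

```powershell
# Added clean-up script (not from the original post). Automates the steps above for the
# logged-on user. Review the output; it reports everything it removes or changes.

$RestoreHomePage = 'about:blank'   # assumed default; set this to your real home page

# Step 1: stop the VBScript host that keeps the full-screen IE window alive.
Get-Process -Name wscript -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 2: closing iexplore.exe ends the full-screen window (same effect as F11, then close).
Get-Process -Name iexplore -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 3: remove the dropped scripts from the per-user Startup folder (shell:startup).
$StartupDir = [Environment]::GetFolderPath('Startup')
foreach ($name in 'startup1.vbs', 'startup1.bat', 'startup2.bat') {
    $path = Join-Path -Path $StartupDir -ChildPath $name
    if (Test-Path -LiteralPath $path) {
        Remove-Item -LiteralPath $path -Force
        "removed $path"
    }
}

# Step 4: restore the IE Start Page. Only the Start Page value is handled here; the other
# keys startup1.bat adds are shown in the post's figures and must be checked by hand.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
if (Test-Path -Path $ieMain) {
    $current = (Get-ItemProperty -Path $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($current) {
        "IE Start Page was: $current"
        Set-ItemProperty -Path $ieMain -Name 'Start Page' -Value $RestoreHomePage
    }
}

# Step 5: drop the injected home page line from every Firefox profile's prefs.js.
# Firefox must be closed, or it will write the old value back on exit.
Get-Process -Name firefox -ErrorAction SilentlyContinue | Stop-Process -Force
Get-ChildItem -Path "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lines = @(Get-Content -LiteralPath $_.FullName)
        $kept  = @($lines | Where-Object { $_ -notmatch '^user_pref\("browser\.startup\.homepage"' })
        if ($kept.Count -ne $lines.Count) {
            Copy-Item -LiteralPath $_.FullName -Destination "$($_.FullName).bak"   # keep a backup
            Set-Content -LiteralPath $_.FullName -Value $kept
            "removed home page override from $($_.FullName)"
        }
    }

# Finally: startup2.bat kills explorer.exe, so bring the desktop back if it is gone.
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) { Start-Process -FilePath explorer.exe }
```

The script only touches the current user's profile and hive, which is all this scam modifies; if the same machine is shared, repeat it in each affected account. Keep the prefs.js backup until the browser has been started once and shows the expected home page.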

Remember, updates for your computer never really arrive via email notifications; they simply pop up around your taskbar, waiting for you to click, install and restart. And if your Microsoft Windows activation license is invalid, a watermark text appears at the bottom right of your desktop. Simply avoid or ignore these amateurish unsolicited emails that warn you that you need an update.

IOCs

URLs:

hxxp://whoawareness[.]com
hxxp://tinyurl[.]com/whoawareness
hxxp://whoawareness[.]com/?page_id=93
hxxp://whoawareness[.]com/WindowsUpdate.bat
hxxp://whoawareness[.]com/?smd_process_download=1&download_id=82

Files/Scripts:

FileName: key.rar
MD5: fb2efa0a781d7911556737768814f4ee
SHA1: 2ddb6a50937364386ddeffcf5bd2dfb53cf49d5

FileName: License2.vbs / startup1.vbs
MD5: 3df65471e9741d55084780b92719834f
SHA1: d32b802d542138ddb5f812d06077215dd82cbd98

FileName: License1.bat / WindowsUpdate.bat
MD5: 955bd1ee3b36e899fa441aaa29c7f985
SHA1: d5e30fbc7f9e7976be8c77682c0ae15fd08ad8dc

FileName: startup1.bat
MD5: f76e9acabae09d12c1221e56603c754d
SHA1: 094007daaa2854bf22f6fd2750caa33ce97fbcc3

FileName: startup2.bat
MD5: 2b7ff12f582c1137396461671dc229f7
SHA1: 9558fde1521e01f61fab82b51ce5be3162917e61