Ransomware Locks Desktop with Survey Offers


Ransomware – malicious files designed to lock an end-user out of their desktop while demanding lots of money in return – has been a bit of a plague this year, perhaps stealing the limelight from Ye Olde Fake AV as it attacks PCs with everything from random websites to infections targeting Skype users.

Someone had the novel idea to combine a piece of Ransomware with – horror of horrors – a survey scam, ensuring we’ll have to talk about surveys forevermore.

Here’s the file, claiming to be svchost.exe:

Running the file would have some bad consequences for an end-user, as they’ll quickly find themselves locked out of their desktop. The “window” that frames all the action (named, imaginatively enough, “Locker” in Task Manager) serves up a website located at unlockyourdesktop(dot)info (registered with the WhoisGuard Protected service) which displays the following message:


“This page will immediately unlock and restore normal access upon your participation in an offer below. Please use valid information

Your desktop was locked. Complete an offer below to unlock your desktop”

Depending on region, the surveys / offers will be different. In the above example, we have “Mystery ASDA shoppers, iPhone 4S, £500 Amazon vouchers, Apple Macbook Pro deals” and more besides. Every time one of the surveys or deals is completed, the person who set this up would make affiliate cash.

Generally, Ransomware is a bit of a pain to remove, and creators take steps to ensure removal isn’t a walk in the park. Here, the creator was possibly so taken by the idea of combining Ransomware with Survey shenanigans that they forgot to lock things down as much as they could – crucially, they failed to deny access to Task Manager.

If faced with a lockout such as the above, regaining access to the desktop is simply a case of pressing CTRL + ALT + DEL to bring up Task Manager, navigating to the previously mentioned “Locker” file then pressing “End Task” (below is an example of what happens should the file be run while offline – the Locker file can’t access the Unlockyourdesktop site hosting the survey, resulting in a page not found):


At that point, ending the task means full access should be restored like so:


Hooray! If you have VIPRE Antivirus onboard, the file will be caught and detected as Trojan.Win32.Generic!BT. There’s not much of an attraction from a social engineering viewpoint when a file is called “svchost”, but that doesn’t mean people won’t run it. It’s clear this is a bit of a test-run (and possibly a low earner – typical Ransomware asks for $200 a time, not the much smaller amounts made via survey completion) so don’t be surprised if it comes back a few weeks down the line with a fancy desktop icon, a popular social networking bait and maybe, just maybe, a little harder to remove.
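For anyone triaging a machine for a locker of this kind, here is an added PowerShell example (not part of the original post or the VIPRE product) that checks the three things discussed above: whether the DisableTaskMgr policy has been set (the lock-down this sample forgot), whether any process calling itself svchost.exe runs from somewhere other than System32 or under a parent other than services.exe, and whether a window titled “Locker” is present. It assumes Windows PowerShell 3.0 or later on the affected machine.

```powershell
# Added example (not from the original post): defender-side triage for a screen
# locker like the one above, a fake "svchost.exe" that shows a "Locker" window.
# Assumes Windows PowerShell 3.0+; run from an unlocked or remote session.

function Test-TaskManagerBlocked {
    # The locker discussed above left Task Manager enabled. A locker that sets
    # this policy value to 1 would defeat the CTRL+ALT+DEL / End Task route.
    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = Get-ItemProperty -Path $policyKey -Name DisableTaskMgr -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.DisableTaskMgr -eq 1)
}

function Get-SuspiciousSvchost {
    # Genuine svchost.exe runs from %SystemRoot%\System32 with services.exe as
    # its parent. Anything named svchost.exe that breaks either rule is flagged.
    # (Expect "path not readable" noise for protected processes when not elevated.)
    $system32 = Join-Path $env:SystemRoot 'System32'
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $proc    = $_
        $parent  = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $path    = $proc.ExecutablePath
        $reasons = @()
        if ([string]::IsNullOrEmpty($path)) { $reasons += 'path not readable' }
        elseif (-not $path.StartsWith($system32, 'OrdinalIgnoreCase')) { $reasons += "runs from $path" }
        if ($null -eq $parent -or $parent.Name -ne 'services.exe') {
            $reasons += "parent is $(if ($parent) { $parent.Name } else { 'gone' })"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ PID = $proc.ProcessId; Path = $path; Reason = ($reasons -join '; ') }
        }
    }
}

function Get-LockerWindow {
    # Task Manager's Applications tab lists programs by window title, which is
    # how the sample above appeared as "Locker".
    Get-Process | Where-Object { $_.MainWindowTitle -eq 'Locker' } |
        Select-Object Id, ProcessName, Path, MainWindowTitle
}

if (Test-TaskManagerBlocked) {
    Write-Warning 'DisableTaskMgr is set; clear it before relying on End Task.'
}
Get-SuspiciousSvchost
Get-LockerWindow
```

Any svchost.exe flagged here should be confirmed by hash and path before it is ended, since the same checks will also surface harmless oddities on an unusual build.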

Christopher Boyd
