Email scammers keep inventing new tricks to extract cash from their victims. We recently came across a case where the scammer reused existing scripts to phish and scam, copy-and-paste style. With a bit of modification, the script works like ransomware, without the hassle of having to compile a portable executable. This screen locker ransomware variant locks the user’s screen and demands a ransom, rather than encrypting files as typical ransomware does. The ransom demanded in this case was in the form of Google Play Cards.
The scam starts with an email. Recently, we have seen an email spam campaign pretending to be an important update for your computer. The email “From:” address is help@supportwindows followed by some digits.
In the first email sample, the hyperlink provided directly downloads a batch file, WindowsUpdate.bat.
In the second email sample, the hyperlink uses a short URL service that leads to a WordPress website. If the victim clicks the hyperlink in the second email sample, they are redirected to the WordPress web page.
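The two email traits described above (the help@supportwindows-plus-digits sender and a link that fetches a script file directly) can be checked at mail triage. The following is an added example, not code from the original article: the function name `triage`, the sample messages and every `.example` host are constructed, and the part of the sender domain that comes after the digits is not given on the page, so it is left unmatched.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender trait from the article: help@supportwindows followed by digits.
# Whatever follows the digits is not stated on the page, so it is not matched.
SENDER_RE = re.compile(r"^help@supportwindows\d+", re.IGNORECASE)
# Script types named in the article: the .bat download and the .vbs lockers.
SCRIPT_EXTS = (".bat", ".vbs")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def triage(raw_message):
    """Return the reasons a raw RFC 5322 message matches the campaign traits."""
    msg = message_from_string(raw_message)
    reasons = []
    _, addr = parseaddr(msg.get("From", ""))
    if SENDER_RE.match(addr):
        reasons.append("sender:" + addr)
    # Walk every text part so links in plain and HTML bodies are both seen.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        except LookupError:  # unknown charset label in the header
            body = payload.decode("utf-8", "replace")
        for url in URL_RE.findall(body):
            # Compare the path only, so a query string does not hide the extension.
            if urlparse(url).path.lower().endswith(SCRIPT_EXTS):
                reasons.append("script-link:" + url)
    return reasons

# Constructed sample messages (not taken from the campaign).
SAMPLE_SUSPECT = (
    "From: Windows Support <help@supportwindows1234.example>\n"
    "Subject: Important update\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<a href="http://downloads.example/WindowsUpdate.bat">Install update</a>\n'
)
SAMPLE_BENIGN = (
    "From: IT Desk <it@corp.example>\n"
    "Subject: Patch window\n"
    "\n"
    "Details: https://intranet.example/patching.html\n"
)
```

The second email sample hides its destination behind a short URL, so this check only sees the final file name if the link is expanded before triage.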
Either the computer boots up and startup1.vbs is triggered, or License2.vbs is executed from the key.rar archive. The victim is now tricked into thinking that their computer is ‘blocked’.
Locks user out of the screen