# Lockscreen Ransomware Phishing Leads To Google Play Card Scam **trustwave.com/en-us/resources/blogs/spiderlabs-blog/lockscreen-ransomware-phishing-leads-to-google-play-card-** scam/ Loading... Blogs & Stories ## SpiderLabs Blog Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research. Email scammers always seem to invent new ways of trickery to gain cash from their victims. We recently came across a case where the scammer reused some existing scripts to phish and scam - copy and paste style. With a bit of modification, the script works like ransomware, without the hassle of having to compile a portable executable. This screen locker ransomware variant locks the user's screen and demand a ransom rather than the typical file encryption style ransomware. The ransom demanded in this case was in the form of Google Play Cards. ----- Below is an overview of the process from the email hyperlinks, file downloads, to how these files are installed and work in the victim’s computer. _Figure 1. From Scripts to Scams_ The scam starts with an email. Recently, have seen an email spam campaign pretending to be an important update for your computer. The email "From:" address is: help@supportwindows followed by some digits. In the first email sample, the hyperlink provided will directly download a batch file, **WindowsUpdate.bat** ----- _Figure 2. An email written in French, and translated in English, asking the user to update its_ _computer._ In the second email sample, the hyperlink uses a short URL service that leads to a WordPress website. _Figure 3. Emails implying that a Windows OS License is expired._ ----- Should the victim click the hyperlink provided by the second email sample will redirect to the WordPress web page below: _Figure 4. The WordPress website posing as Windows Support._ Clicking the ‘Microsoft’ image will download WindowsUpdate.bat and hitting the ‘Download Now’ button downloads the key.rar archive file. Should the victim decide to open the downloaded archive file, they will see two script files. Files named as License1.bat and **License2.vbs.** ----- _Figure 5. The keys to scamming_ In the first email sample, the hyperlink provided will download the WindowsUpdate.bat. The file in the archive, License1.bat is the same as the WindowsUpdate.bat. This is a modified script from an old one that was uploaded in pastebin.com way back in 2017. The [script can be viewed here](https://pastebin.com/e4nctHsV) _Figure 6. Side by side comparison of the modified(Left Pane) and the original(Right Pane)_ _script_ The batch file serves as the installation file. Running this command batch file will drop another VBS and two batch files in the User Startup Folder. These scripts will automatically be executed when the computer starts. ----- _Figure 7. Dropping files in User Startup folder yields the auto-run technique_ The file from archive License2.vbs and the created file startup1.vbs are the same. This script will open a Microsoft Internet Explorer browser on full screen mode, hiding the address, menu and status bar and navigate to hxxp://whoawareness[.]com/?page_id=93. _Figure 8. It is like pressing F11 button in the keyboard. That is the trick._ Either the computer boots up and startup1.vbs is triggered, or License2.vbs is executed from the key.rar archive. The victim is now tricked into thinking that their computer is ‘blocked’. ----- _Figure 9. Works a bit like a ransom note._ And a notification appears: _Figure 10. Message box appears, contact email provided._ Further down, the web page asks you to purchase a Google Play Store Card worth 100 Euros to activate a new license for your computer and provides a video on how to scratch off this card. The scammers list and provide a cellphone screenshot of stores where you can buy these cards. ----- _Figure 11. How to scratch the purchased card._ ----- _Figure 12. List of retail stores where you can purchase the Google Play Card._ Finally, the scammers ask you to fill out the form with your personal information together with the Google Play Card Code. ----- _Figure 13. Phishing and Scam_ With a Google Play balance, you can buy Apps, Books, Movies, Music, Newsstand, and Subscriptions that are offered in Google Play Store. The other remaining two files created in the User Startup Folder: **startup1.bat – Since this script was reused and modified, it is intended to change each** internet browsers home page for Microsoft Internet Explorer and Mozilla Firefox by modifying the registry. Both of the URLs listed in the script were already inaccessible at the time of analysis. **startup2.bat – Terminates Windows Explorer.** ----- _Figure 14. startup1.bat file adds new registries to change the home page following Internet_ _Browser Programs_ _Figure 15. startup2.bat file terminates the process Windows Explorer.exe_ As we were going to publish this, we noticed the WordPress site at whoawareness.com had changed. It is now using scare tactics, especially noticeable when your audio volume is on high. It has an image of the detected threats in your machine, where the window structure is evidently from Windows XP. Then there are two message boxes, a fake system alert, and the other a phishing form that asks you to key in your username and password. ----- _Figure 16. Another lockscreen image replaced the landing site from the tinyurl hosted_ _redirection._ _Figure 17. The alarming audio sound with voice over informing that your machine is infected_ **Mitigation and Clean Up Procedures** Follow the steps below to clean up the process running, all dropped files, and any modified registry entries. 1. Open Task Manager, lookup for the process ‘wscript.exe’, right click mouse button, select ‘End Task’ 2. Press F11 in the keyboard. This will exit the Full Screen mode of the IE Browser, then close the Browser. 3. Go to Run command or press Windows key + R Key at the same time, type ‘shell:startup’. This will show the User Startup folder. Delete the following files listed below: ----- 4. Open Registry Editor. Find the following keys in their respective location: Delete these keys and subkeys tied to it. Find the following key in their respective location: You can change the value of the key Start Page from your original home page or simply delete this subkey ----- 5. If you have Mozilla Firefox browser installed in your system, navigate to the folder location below and open the pref.js file in a Text Editor. In the Text Editor lookup this line and delete it, then save the file: Remember, updates for your computer never really arrive from email notifications, they just pop-up around your task bar waiting for you to click, install and restart. And if your Microsoft Windows Activation License is invalid, a text will appear on the right-hand bottom of your desktop window. Simply avoid or ignore these amateurish unsolicited emails that alert you that you need an update. ### IOCs **URLS:** hxxp://whoawareness[.]com hxxp://tinyurl[.]com/whoawareness hxxp://whoawareness[.]com/?page_id=93 hxxp://whoawareness[.]com/WindowsUpdate.bat hxxp://whoawareness[.]com/?smd_process_download=1&download_id=82 **Files/Scripts:** FileName: key.rar MD5: fb2efa0a781d7911556737768814f4ee SHA1: 2ddb6a50937364386ddeffcf5bd2dfb53cf49d5 FileName: License2.vbs / startup1.vbs MD5: 3df65471e9741d55084780b92719834f SHA1: d32b802d542138ddb5f812d06077215dd82cbd98 ----- FileName: License1.bat / WindowsUpdate.bat MD5: 955bd1ee3b36e899fa441aaa29c7f985 SHA1: d5e30fbc7f9e7976be8c77682c0ae15fd08ad8dc FileName: startup1.bat MD5: f76e9acabae09d12c1221e56603c754d SHA1: 094007daaa2854bf22f6fd2750caa33ce97fbcc3 FileName: startup2.bat MD5: 2b7ff12f582c1137396461671dc229f7 SHA1: 9558fde1521e01f61fab82b51ce5be3162917e61 -----