VindowsLocker

VindowsLocker targets Windows OS, and its current method of distribution is unknown. This variant is unique in that it employs tactics similar to those used in tech support scams. Once a system is infected, VindowsLocker encrypts targeted files using AES and appends .vindows to the file names. It then displays a screen that instructs the victim to call a “level 5 Microsoft support technician” at a specific phone number in order to pay the ransom and regain access to their files. This variant doesn’t use a web-based C2 server to store the encryption keys. Instead, it is hardcoded with two Pastebin API keys, which eliminates the need to establish and host a server. If victims decide to call the phone number on the ransom note, they will reach a call center that is likely operating within India and posing as Microsoft support, which will request remote access to the infected system. The ransom payment demand for VindowsLocker is $349.99.

  • Bleeping Computer provides more information about VindowsLocker here.
  • Malwarebytes provides a free decryption tool for VindowsLocker here.
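The one host-level indicator the description gives is the .vindows suffix appended to encrypted files. The following triage helper, added here as an example and not code from Bleeping Computer, Malwarebytes or the malware author, walks a directory tree, lists every file carrying that suffix, recovers the original file name by stripping it, and tallies which original file types were hit, so a responder can inventory the damage before running a decryptor. The sample directory it builds is constructed for the demonstration; the only fact it relies on is the suffix named in the text.

```python
import os
import tempfile
from pathlib import Path

# Extension the write-up says VindowsLocker appends to each encrypted file.
VINDOWS_SUFFIX = ".vindows"


def find_vindows_files(root):
    """Walk `root` and return a sorted list of (encrypted_path, original_name)
    for every file whose name ends in the .vindows suffix (case-insensitive)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(VINDOWS_SUFFIX):
                continue
            original = name[: -len(VINDOWS_SUFFIX)]
            if not original:  # a bare ".vindows" file has no recoverable name; skip it
                continue
            hits.append((str(Path(dirpath) / name), original))
    return sorted(hits)


def summarize(hits):
    """Count affected files by their original extension, e.g. {'.docx': 1, '.txt': 1}."""
    counts = {}
    for _encrypted, original in hits:
        ext = Path(original).suffix.lower() or "(none)"
        counts[ext] = counts.get(ext, 0) + 1
    return counts


def build_sample_tree():
    """Constructed sample: a temp directory with three 'encrypted' files and one untouched file."""
    root = tempfile.mkdtemp(prefix="vindows_demo_")
    samples = [
        "docs/report.docx.vindows",
        "docs/notes.txt.vindows",
        "photos/family.jpg.vindows",
        "photos/readme.txt",  # untouched file; must not be reported
    ]
    for rel in samples:
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed placeholder content")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    found = find_vindows_files(demo_root)
    for encrypted, original in found:
        print(f"{encrypted} -> original name: {original}")
    print("affected file types:", summarize(found))
```

Run it against a real volume by passing the mount point to `find_vindows_files`; the tally from `summarize` is also a quick way to confirm that the hits are user documents rather than stray files that merely happen to share the suffix.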
One example of the VindowsLocker variant. Image Source: Bleeping Computer