Microsoft Support telephone scam – Computer ransom lockout

MadScientist

Platinum Member
Jul 15, 2001
This has been going on for a few years but is getting more frequent. My neighbor, a retired cop, called me today and said his computer had been hacked. He got the call and let the caller connect remotely to his computer. He enacted what is known as SysKey encryption on the SAM registry hive.

His computer booted up to this.
syskey.png

He got a call back asking for money for a password but at least had the sense not to pay.

Thanks to Steve Schardein's article on Triplescomputers blog I was able to fix his computer.

http://triplescomputers.com/blog/casestudies/solution-this-is-microsoft-support-telephone-scam-computer-ransom-lockout/

I first tried a System Restore but there were no Restore points on his computer.

I created a bootable Ubuntu flash drive using a Universal USB Installer and was able to access his Windows\System32\Config directory.
http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/
You can use other bootable media, e.g., Hiren's. I chose Ubuntu because I just needed something to access his Windows files, and it supports a wireless keyboard and mouse.

Running a few AV programs now to clean up any crap left behind, and I uninstalled the TeamViewer that the scammer had installed on his computer.

VirtualLarry

No Lifer
Aug 25, 2001
Yeah, it's a shame that ordinary people are so gullible to believe cold-call scammers, when it involves computer technology. I've had it happen to a client of mine, and a relative of theirs.

lxskllr

No Lifer
Nov 30, 2004
Yeah, it's a shame that ordinary people are so gullible to believe cold-call scammers, when it involves computer technology. I've had it happen to a client of mine, and a relative of theirs.

It almost happened to my mother, but she's running Ubuntu, and it didn't work. The thought of the scammers trying to deal with my mother over the phone, and then getting brickwalled makes me smile. Now they know my pain :^D

Red Squirrel

No Lifer
May 24, 2003
I would love it if I could get their remote program to work in Linux; it would be hilarious to have them log in to a Linux VM. I did do it with Windows though, and I dragged them through hell for over an hour. I had time to kill.

When they finally managed to connect (I was acting super stupid so he had to keep repeating everything) I dropped my internet speed to 50kbps so it was dog slow. I then pulled the plug on the VM and blamed it on the guy. "What did you do? My computer just rebooted!". Oh man the guy was getting so frustrated lol.



It's actually surprisingly hard to load up that much spyware in a VM. I don't understand how the people with 1000+ spyware programs even manage to get a machine in that state.

John Connor

Lifer
Nov 30, 2012
LMAO!

Yeah, I would actually like to get a call like this, have him boot into my virtual machine, and I'll then grab his IP address and DDoS his butt. :twisted:

John Connor

Lifer
Nov 30, 2012
This has been going on for a few years but is getting more frequent. My neighbor, a retired cop, called me today and said his computer had been hacked. He got the call and let the caller connect remotely to his computer. He enacted what is known as SysKey encryption on the SAM registry hive.

His computer booted up to this.
syskey.png

He got a call back asking for money for a password but at least had the sense not to pay.

Thanks to Steve Schardein's article on Triplescomputers blog I was able to fix his computer.

http://triplescomputers.com/blog/ca...pport-telephone-scam-computer-ransom-lockout/

I first tried a System Restore but there were no Restore points on his computer.

I created a bootable Ubuntu flash drive using a Universal USB Installer and was able to access his Windows\System32\Config directory.
http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/

Running a few av programs now to clean up any crap left behind and uninstalled TeamViewer that the scammer had installed on his computer.


Why didn't you use the samrest.iso mentioned in that link toward the bottom?

MadScientist

Platinum Member
Jul 15, 2001
Why didn't you use the samrest.iso mentioned in that link toward the bottom?

From the article:
"This solution only works if you have not already tried to reboot the PC subsequently. If you have, it may still work, but that is entirely dependent upon whether or not Windows created a new RegBack copy following a successful boot."

If copying the files SOFTWARE, SYSTEM, SAM, SECURITY, and DEFAULT from the RegBack folder to the Config folder had not worked, then I would have used the samreset.iso method next.
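The recovery described in the first post and spelled out in the reply above (boot a live Linux, then copy the SOFTWARE, SYSTEM, SAM, SECURITY and DEFAULT hives from RegBack over the ones in the config directory) is easy to get wrong by hand: a zero-byte RegBack hive will leave Windows unbootable, and overwriting the locked hives without a copy throws away evidence. The script below is an added example written for this page, not something from the thread or from the Triplescomputers article. It assumes the Windows volume is already mounted read-write (for instance under /mnt/win) and takes the path to the config directory as its argument; note that under Linux the NTFS path is case-sensitive, so use whatever casing the volume actually shows (commonly Windows/System32/config). It refuses to touch anything if any RegBack hive is missing or empty, which is the normal state on Windows 10 1803 and later where RegBack is no longer populated by default, and it saves the current hives into a timestamped backup folder first. The make_demo_layout helper only builds a constructed directory tree so the script can be exercised without a real Windows disk.

```shell
#!/bin/sh
# Added example (not from the thread): restore the five registry hives
# from RegBack after a SysKey lockout, with a safety check and a backup.

HIVES="SOFTWARE SYSTEM SAM SECURITY DEFAULT"

# Usage: restore_hives_from_regback /mnt/win/Windows/System32/config
# Prints the path of the backup folder on success; returns 1 and changes
# nothing if RegBack is absent or any hive in it is missing or zero bytes.
restore_hives_from_regback() {
    config="$1"
    regback="$config/RegBack"

    [ -d "$regback" ] || { echo "no RegBack directory under $config" >&2; return 1; }

    # Check every RegBack hive BEFORE copying anything. A 0-byte hive is the
    # usual state on Windows 10 1803+ where RegBack is disabled by default.
    for h in $HIVES; do
        if [ ! -s "$regback/$h" ]; then
            echo "RegBack/$h is missing or empty; aborting without changes" >&2
            return 1
        fi
    done

    # Keep the locked hives: they are evidence and the fallback if this fails.
    stamp=$(date +%Y%m%d-%H%M%S)
    bak="$config/Backup.syskey-$stamp"
    mkdir -p "$bak"
    for h in $HIVES; do
        [ -f "$config/$h" ] && cp -p "$config/$h" "$bak/$h"
    done

    # Replace the live hives with the RegBack copies.
    for h in $HIVES; do
        cp -p "$regback/$h" "$config/$h"
    done

    echo "$bak"
    return 0
}

# Constructed demo tree so the function can be tried without a Windows disk.
# Live hives are marked LOCKED-*, RegBack hives are marked CLEAN-*.
make_demo_layout() {
    root="$1"
    cfg="$root/Windows/System32/config"
    mkdir -p "$cfg/RegBack"
    for h in $HIVES; do
        printf 'LOCKED-%s' "$h" > "$cfg/$h"
        printf 'CLEAN-%s'  "$h" > "$cfg/RegBack/$h"
    done
}

# Example session (uncomment to run against the demo tree):
#   demo=$(mktemp -d); make_demo_layout "$demo"
#   restore_hives_from_regback "$demo/Windows/System32/config"
```

After the copy, unmount the volume cleanly before rebooting; if Windows then boots, the Backup.syskey-* folder can be removed once the machine has been checked over.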

LPCTech

Senior member
Dec 11, 2013
Hi, I'm a random caller with a foreign accent claiming that I somehow know stuff about your PC.

Oh just log right on.

lol

MadScientist

Platinum Member
Jul 15, 2001
Yeah, you would think that my neighbor, a retired cop, would have known that this was a scam, but I guess anyone can be had.

Fardringle

Diamond Member
Oct 23, 2000
My dad is an electrical/broadcast engineer, and he still fell for the scam. Fortunately, he called me before he actually gave them any money, but he had already let them log in and mess up his system.

TeknoBug

Platinum Member
Oct 2, 2013
This sounds somewhat similar to the CRA (Canada Revenue Agency) scam that's going around; first they started sending emails, and now they are starting to show up at the doorsteps of homes.

pcgeek11

Lifer
Jun 12, 2005
This sounds somewhat similar to the CRA (Canada Revenue Agency) scam that's going around; first they started sending emails, and now they are starting to show up at the doorsteps of homes.

That could be very entertaining! I wish they would show up at my house.

John Connor

Lifer
Nov 30, 2012
Too bad you Canadians don't have guns. Personally, here in the US I would love to have a so-called IRS official knock on my door. I'd invite his sorry ass in and BAM, BAM, BAM!!! Three taps with .380 hollow points.

I'd call it a home invasion. LOL!

TeknoBug

Platinum Member
Oct 2, 2013
Too bad you Canadians don't have guns. Personally, here in the US I would love to have a so-called IRS official knock on my door. I'd invite his sorry ass in and BAM, BAM, BAM!!! Three taps with .380 hollow points.

I'd call it a home invasion. LOL!

We do, there are just some very strict laws against handguns; we are allowed to have shotguns and hunting rifles, though.

PliotronX

Diamond Member
Oct 17, 1999
Thanks for posting this, I was also never aware of the SAM encryption business. I know I've seen this dialog before and thought it was odd to see the old-school dialog on a Windows 8 machine. The user never mentioned speaking to somebody, probably too embarrassed. I want to say we ended up reinstalling Windows anyway. Good to know there are options...

PliotronX

Diamond Member
Oct 17, 1999
I would love it if I could get their remote program to work in Linux; it would be hilarious to have them log in to a Linux VM. I did do it with Windows though, and I dragged them through hell for over an hour. I had time to kill.

When they finally managed to connect (I was acting super stupid so he had to keep repeating everything) I dropped my internet speed to 50kbps so it was dog slow. I then pulled the plug on the VM and blamed it on the guy. "What did you do? My computer just rebooted!". Oh man the guy was getting so frustrated lol.



It's actually surprisingly hard to load up that much spyware in a VM. I don't understand how the people with 1000+ spyware programs even manage to get a machine in that state.

Haha! Nice, I have a Windows ME VM prepared for when they call me... My coworker tried to get them to set up a remote session on their computer and they almost bit!