
SANS ISC: "microsoft support" calls - now with ransomware SANS ISC InfoSec Forums

"microsoft support" calls - now with ransomware

Most of us are familiar with the "microsoft support" call. A phone call is received; the caller states they are from "microsoft support" and that they have been alerted that your machine is infected. The caller will assist you by having you install a remote desktop tool such as TeamViewer or similar (we have seen many different versions).

Previously they would install software that would bug you until you paid the "subscription fee". As the father of a friend found out the other day when he received a call, they now install ransomware which will lock the person out of their computer until a fee has been paid. In this instance it was done quite early in the "support" call, so even disconnecting upon smelling a rat was too late.

The ransomware itself looks like it replaced some startup parameters to kick in the lockout, rather than encrypting the drive or key elements of the machine. However, for most users that would be enough to deny access.

So in the spirit of Cyber Security Awareness Month, make this month one where you let your non-IT friends and family know two things. Firstly, BACKUP YOUR STUFF. Secondly, tell them: when you receive a call from "microsoft support", the correct response is to hang up.


Mark H


392 Posts
ISC Handler
Oct 2nd 2013
John Strand did a great job of freaking one of these guys out

2 Posts
Next time they call I have a throwaway W7 virtual machine with a few mods ... this oughta be fun.
See, we IT people can get even.. I have a honeypot machine.. sure come on in, poor things their hand is stuck.

52 Posts
