SOLUTION: “This Is Microsoft Support” Telephone Scam – Computer Ransom Lockout
Posted on April 10, 2013

A trend of the past couple of years has been for scammers to contact computer owners directly via telephone in the United States in an effort to convince them that there is a problem with their PC and they’ll need to pay to have it fixed. In general, these people cannot fix anything, and instead they merely charge exorbitant fees for absolutely nothing. In other words, they scam you.

The call generally goes something like this:

1. A foreigner with a thick Indian accent identifies himself as a member of Microsoft Support or similar.
2. He informs you that you have a number of critical problems with your PC and that you will need to have it fixed.
3. To convince you, he offers to connect remotely and pulls up your Event Log (eventvwr.msc). He then filters for Warnings, Errors, and Critical events and uses that as evidence that your PC will soon fail to work correctly if you do not pay him to correct it.

The astute among you have probably already sensed that something here is seriously wrong, and it’s not your PC. It’s the fact that someone is calling you to tell you there is a problem with your computer. No one will ever do that. The only way they could possibly know there is a problem is by hacking or guessing. In this case, it’s mere guesswork, and it’s not even correct most of the time. The Event Log is supposed to log warnings and errors, and even on the healthiest of PCs there are plenty of Error Events that can be safely ignored, as they often don’t amount to anything.

The important thing to remember is to never trust someone who calls you about a problem with your PC, and never, EVER let them connect remotely to your PC. If you do make the mistake of letting them connect, but then you happen to get cold feet and refuse to pay the $180+ they request via credit card, the next thing that happens isn’t pretty.
This scammer proceeded to actually follow through on his promise of the PC “not working” if they don’t agree to have him fix it, and so in a few quick steps, behind the user’s back, he enacted what is known as SysKey encryption on the SAM registry hive. SysKey encryption is a little-known feature of Windows which allows administrators to lock out access to the Security Accounts Manager (SAM) registry hive so that login specifics cannot be stolen and the PC cannot be accessed without knowing the proper credentials. The problem is, unlike other scams, there is no way around the problem; you can’t simply remove the password, as the actual SAM hive has been encrypted entirely by the process.

If your Windows installation has had SysKey activated, you’ll see the following message in the Startup Password window which appears at boot:

    Startup Password
    This computer is configured to require a password in order to start up. Please enter the Startup Password below.

The ONLY solution is to find a clean copy of the registry hives from before this occurred. This scammer knew this, however, and as such, he took an extra step to block any repair or recovery attempts: he deleted all System Restore points on the machine, which normally house backup copies of the registry hives.

Unfortunately for him, I’m a much better technician. When the customer suspected foul play and decided to call me instead of proceeding, I immediately instructed them to power off the PC. Here’s how I fixed the problem without having to reinstall Windows.

FIRST, ensure you don’t have any Restore Points to work with:

1. Check to ensure that the folder %SYSTEMROOT%\system32\config\RegBack exists. This is the folder which contains the last known good backup of the hives following a boot. If it exists, continue. If not, stop and consider contacting a technician instead.
2. Reboot the PC and repeatedly press F8 to reach the Advanced Startup Options menu.
3. Choose Repair your Computer from the menu.
4. Cancel the automatic repair attempt and instead instruct the system to perform a System Restore to a date prior to the incident occurring.

If no Restore Points exist, your scammer intentionally removed them to prevent this from occurring. If this happens to you, follow these additional steps to resolve the problem:

1. POWER OFF your PC immediately.
2. Boot to external media of some sort (NOT your Windows installation) and navigate to the %SYSTEMROOT%\system32\config folder.
3. Back up the registry hives in this folder to a temporary location. The files are:
   A. SOFTWARE
   B. SYSTEM
   C. SAM
   D. SECURITY
   E. DEFAULT
4. Navigate to %SYSTEMROOT%\system32\config\RegBack as mentioned earlier.
5. Copy all registry hives from this folder (the same files as listed above) into the %SYSTEMROOT%\system32\config folder.
6. Reboot the PC.

This solution only works if you have not already tried to reboot the PC subsequently. If you have, it may still work, but that is entirely dependent upon whether or not Windows created a new RegBack copy following a successful boot.

In the case of my customer, it worked, and they were back in Windows, just like it never happened. Nice try, scammer. You’ll have to try harder to beat me though.

Addendum A (update 6/26/2015): Thanks to FUScammers for pointing out this more involved, alternate method of actually removing the SAM encryption.

1. Download this file and burn the .iso to a CD.
2. Boot to the CD on the affected system.
3. Follow the instructions to select the proper system drive and partition (NTFS is the partition type you are looking for).
4. Type the path to the registry files (it’s most likely Windows/system32/config).
5. Choose option 1 for Password reset (sam system security).
6. Choose option 2 for Syskey status & change.
7. Confirm that you wish to disable Syskey, then quit and confirm writing the new changes to the hive.
8. Reboot the PC and check.
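Before copying the RegBack hives over the live config folder (the recovery procedure above), it is worth confirming that each backup hive is actually intact and predates the incident, since a RegBack copy written after a reboot would just carry the same problem forward. The following added example (written for this page, not code from the original post) reads the 512-byte "regf" base block of a hive file: it checks the signature, verifies the header checksum, compares the two sequence numbers (they differ when a write was interrupted), and decodes the last-written FILETIME. The incident time and the sample hive headers are constructed assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 512  # size of the regf base block at the start of every hive
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (whole microseconds only)."""
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def regf_checksum(header):
    """XOR of the first 127 DWORDs of the base block; Windows remaps two reserved results."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        xor ^= dword
    return 0xFFFFFFFE if xor == 0xFFFFFFFF else (1 if xor == 0 else xor)

def inspect_hive(data):
    """Describe a hive's base block; raise ValueError if the data is not a hive."""
    if len(data) < HEADER_SIZE or data[:4] != b"regf":
        raise ValueError("missing 'regf' signature: not a registry hive")
    primary_seq, secondary_seq, last_written, major, minor = struct.unpack_from("<IIQII", data, 4)
    stored = struct.unpack_from("<I", data, 508)[0]
    return {
        "name": data[48:112].decode("utf-16-le").rstrip("\x00"),  # embedded hive file name
        "version": f"{major}.{minor}",
        "last_written": filetime_to_datetime(last_written),
        "clean": primary_seq == secondary_seq,  # unequal means an interrupted (dirty) write
        "checksum_ok": stored == regf_checksum(data),
    }

def usable_before(data, incident_time):
    """True if the hive is intact and was last written before the incident (safe to restore)."""
    info = inspect_hive(data)
    return info["clean"] and info["checksum_ok"] and info["last_written"] < incident_time

def build_test_hive(name, last_written, primary=5, secondary=5):
    """Constructed sample base block for demonstration only (not a real Windows hive)."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:4] = b"regf"
    struct.pack_into("<IIQII", hdr, 4, primary, secondary, datetime_to_filetime(last_written), 1, 3)
    hdr[48:48 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    return bytes(hdr)
```

On a real machine, call inspect_hive on the first 512 bytes of each file in RegBack (booted from external media) and compare the last_written stamps against the date of the scam call before copying anything.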
For more detailed instructions, check out this link (scroll down to “How to disable Syskey startup password”): http://computernetworkingnotes.com/xptipsandtrick/removeadministratorpassword.html

In Windows 8, the GPT partition type makes the use of this utility impossible. However, you can still manually copy the hives to a supported filesystem (NTFS or FAT32), mount that filesystem instead, and follow the steps from there, then copy the hives back over the originals. I can confirm that this method does work and that even in Windows 8.1 recovery is possible using it.

This entry was posted in Case Studies, Malware and Security, Recovery by Steve Schardein. Permalink: http://triplescomputers.com/blog/casestudies/solutionthisis microsoftsupporttelephonescamcomputerransomlockout/

199 thoughts on “SOLUTION: “This Is Microsoft Support” Telephone Scam – Computer Ransom Lockout”

Bryan on April 20, 2013 at 7:40 am said:
Thank you for taking the time to discuss this scam. I have read several complaints posted at http://www.callercenter.com but I didn’t think it was this complicated. One thing I know for sure, though, is that Microsoft never initiates a call.

Greg on May 21, 2013 at 1:39 pm said:
Thanks for this procedure! Fortunately, the RegBack files were intact and modified only a few days earlier. Booting into Linux and copying them back to the Config folder did the trick. After trying other measures, no other options were seemingly available. And YES, they trashed System Restore. This scam occurred on a friend’s computer; however, he was not clear on just how they gained access to his system after walking him through various menus, etc., while on the phone. I still wonder if they have access to the system.

Peter Browne on July 6, 2013 at 2:15 pm said:
No RegBack – I now assume a new Windows must be installed? Even renamed the SysKey.exe to SysKey.org – no difference. Still asks for a Password.

Steve Schardein on July 6, 2013 at 2:58 pm said:
Hey Peter, No restore points either? Renaming will not work as the problem is encryption of the SAM registry hive itself, which is required to boot into Windows.

Del on July 12, 2013 at 8:43 pm said:
Thanks for posting your solution. My friend was also a victim of this scam. Fortunately, she did have RegBack and I followed your example and got her computer back up and running. Saved us valuable time from a reinstall. Thanks again. Del

Lisa on July 24, 2013 at 10:11 pm said:
This scam just happened to a family member of mine. Should they be concerned about identity theft and such, or is this just a scam to get a credit card number and mess up the computer?

Steve Schardein on July 24, 2013 at 10:14 pm said:
Lisa, Unfortunately, there is no way to know for certain. Such unscrupulous individuals are likely just after quick money, but who is to say that once they’ve gotten control of your system, they haven’t found a way to transfer data to themselves or otherwise steal information? The best course of action is to change all passwords just to be safe. You can also alert your bank or credit card company to let them know to be on watch.