Malwarebytes rolls out free decryption tool for VindowsLocker ransomware victims

By: Edward Hudson

Malwarebytes has released a free decryption tool to help victims of a recent ransomware attack recover their data from cyber criminals employing a tech support scam technique. The new ransomware variant, called VindowsLocker, surfaced last week. It works by connecting victims to phony Microsoft technicians to have their files encrypted using a Pastebin API.

Tech support scammers have been targeting unsuspecting internet users for quite a while now. A combination of social engineering and deception, the malicious tactic has evolved from cold calls to fake alerts and, most recently, screen locks. Tech support scammers have now added ransomware to their attack arsenal.

Jakub Kroustek, an AVG security researcher, first detected the VindowsLocker ransomware and named the threat based on the file extension .vindows it appends to all encrypted files. The VindowsLocker ransomware uses the AES encryption algorithm to lock files with the following extensions:

txt, doc, docx, xls, xlsx, ppt, pptx, odt, jpg, png, csv, sql, mdb, sln, php, asp, aspx, html, xml, psd
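A triage sketch for the indicators above, added here as an example and not taken from Malwarebytes or AVG: it walks a directory tree, lists files carrying the .vindows marker, and counts files of the targeted types that are still untouched. The function names are hypothetical, and it assumes the marker is appended after the original extension (for example report.docx.vindows).

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the article lists as targeted, plus the appended marker.
TARGETED = {"txt", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "odt", "jpg", "png",
            "csv", "sql", "mdb", "sln", "php", "asp", "aspx", "html", "xml", "psd"}
MARKER = ".vindows"

def classify(name):
    """Return 'encrypted', 'at_risk' or None for one file name."""
    lower = name.lower()
    if lower.endswith(MARKER):
        return "encrypted"
    ext = lower.rsplit(".", 1)[-1] if "." in lower else ""
    return "at_risk" if ext in TARGETED else None

def triage(root):
    """Walk root and return (encrypted file paths, per-directory counts)."""
    encrypted, per_dir = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            state = classify(name)
            if state:
                per_dir[(dirpath, state)] += 1
            if state == "encrypted":
                encrypted.append(os.path.join(dirpath, name))
    return sorted(encrypted), per_dir

def original_name(path):
    """Name the file had before the marker was appended (assumes plain append)."""
    return path[:-len(MARKER)] if path.lower().endswith(MARKER) else path

def demo():
    # Constructed sample tree; empty files stand in for real documents.
    with tempfile.TemporaryDirectory() as root:
        for rel in ["docs/report.docx.vindows", "docs/notes.txt",
                    "pics/cat.JPG.VINDOWS", "bin/tool.exe"]:
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.touch()
        encrypted, per_dir = triage(root)
        rels = [os.path.relpath(e, root).replace(os.sep, "/") for e in encrypted]
        at_risk = sum(n for (_, s), n in per_dir.items() if s == "at_risk")
        return rels, at_risk

if __name__ == "__main__":
    print(demo())
```

The per-directory counts show where encryption stopped, which helps decide which shares to isolate and which backups to check first.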

VindowsLocker mimics tech support scam

The ransomware employs a tactic typical of most tech support scams in that victims are asked to call a phone number provided and talk to tech support personnel. In contrast, ransomware attacks in the past asked for payments and handled decryption keys using a Dark Web portal.

this not microsoft vindows support
we have locked your files with the zeus virus
do one thing and call level 5 microsoft support technician at 1-844-609-3192
you will files back for a one time charge of $349.99

Malwarebytes believes the scammers operate out of India and mimic Microsoft’s tech support personnel. VindowsLocker also uses a seemingly legitimate Windows support page to give the false impression that tech support is ready to help the victims. The support page asks for the victim’s email address and banking credentials to process the payment of $349.99 to unlock a computer. However, according to Malwarebytes, paying the ransom doesn’t help users recover their files. This is because VindowsLocker developers are now unable to automatically decrypt an infected computer due to some coding errors.

Malwarebytes explains that VindowsLocker ransomware coders have botched one of the API keys intended for use in short sessions. Consequently, the API key expires after a short period and the encrypted files go online, barring the VindowsLocker developers from providing the AES encryption keys to victims.
