SpiderLabs Blog

Lockscreen Ransomware Phishing Leads To Google Play Card Scam

Email scammers always seem to invent new tricks to extract cash from their victims. We recently came across a case where the scammer reused existing scripts to phish and scam, copy-and-paste style. With a bit of modification, the script works like ransomware, without the hassle of compiling a portable executable. This screen-locker variant locks the user's screen and demands a ransom, rather than encrypting files as typical ransomware does. The ransom demanded in this case was in the form of Google Play Cards.

Below is an overview of the process, from the email hyperlinks and file downloads to how these files are installed and operate on the victim's computer.


Figure 1. From Scripts to Scams


The scam starts with an email. Recently, we have seen an email spam campaign pretending to be an important update for your computer. The email's "From:" address is help@supportwindows followed by some digits.

In the first email sample, the hyperlink provided directly downloads a batch file, WindowsUpdate.bat.


Figure 2. An email written in French, and translated into English, asking the user to update their computer.


In the second email sample, the hyperlink uses a short URL service that leads to a WordPress website.


Figure 3. Emails implying that a Windows OS License is expired.


Should the victim click the hyperlink in the second email sample, they are redirected to the WordPress web page below:


Figure 4. The WordPress website posing as Windows Support.


Clicking the ‘Microsoft’ image downloads WindowsUpdate.bat, and hitting the ‘Download Now’ button downloads the key.rar archive. Should the victim open the downloaded archive, they will find two script files, License1.bat and License2.vbs.


Figure 5. The keys to scamming


The WindowsUpdate.bat downloaded via the first email sample and the License1.bat from the archive are the same file. It is a modified version of an old script that was uploaded back in 2017. The original script can be viewed here.


Figure 6. Side-by-side comparison of the modified (left pane) and the original (right pane) script


The batch file serves as the installer. Running it drops another VBS file and two batch files into the user's Startup folder, so these scripts are executed automatically when the computer starts.


Figure 7. Dropping files into the user Startup folder gives the scripts auto-run on startup


License2.vbs from the archive and the dropped startup1.vbs are the same file. The script opens Microsoft Internet Explorer in full-screen mode, hiding the address, menu and status bars, and navigates to hxxp://whoawareness[.]com/?page_id=93.


Figure 8. It is like pressing the F11 key on the keyboard. That is the trick.


Whether startup1.vbs is triggered when the computer boots or License2.vbs is run from the key.rar archive, the result is the same: the victim is tricked into thinking that their computer is ‘blocked’.


Figure 9. Works a bit like a ransom note.


And a notification appears:


Figure 10. Message box appears, contact email provided.


Further down, the web page asks you to purchase a Google Play Store Card worth 100 Euros to activate a new license for your computer and provides a video on how to scratch off the card. The scammers also list stores where these cards can be bought and include a cellphone screenshot of them.


Figure 11. How to scratch the purchased card.



Figure 12. List of retail stores where you can purchase the Google Play Card.


Finally, the scammers ask you to fill out the form with your personal information together with the Google Play Card Code.


Figure 13. Phishing and Scam


With a Google Play balance, you can buy Apps, Books, Movies, Music, Newsstand, and Subscriptions offered in the Google Play Store. The remaining two files created in the user Startup folder are:

startup1.bat – Since this script was reused and modified, it is intended to change the home page of Microsoft Internet Explorer and Mozilla Firefox by modifying the registry. Both URLs listed in the script were already inaccessible at the time of analysis.

startup2.bat – Terminates Windows Explorer.



Figure 14. startup1.bat adds new registry entries to change the home page of the listed browsers



Figure 15. startup2.bat terminates the Windows Explorer.exe process


As we were about to publish this, we noticed the WordPress site had changed. It now uses scare tactics, especially noticeable when the audio volume is turned up. It shows an image of supposedly detected threats on your machine, in a window whose style is evidently from Windows XP. Then there are two message boxes: one a fake system alert, the other a phishing form that asks you to enter your username and password.


Figure 16. Another lockscreen image has replaced the landing page reached via the tinyurl redirection.



Figure 17. An alarming audio alert with a voice-over claiming that your machine is infected


Mitigation and Clean Up Procedures

Follow the steps below to terminate the running process and remove all dropped files and any modified registry entries.

1.  Open Task Manager, look for the process ‘wscript.exe’, right-click it and select ‘End Task’.


2.  Press F11 on the keyboard. This exits the full-screen mode of the IE browser; then close the browser.

3.  Open the Run dialog (press the Windows key + R at the same time) and type ‘shell:startup’. This opens the user Startup folder. Delete the files listed below:


4.  Open Registry Editor.

Find the following keys in their respective locations:


Delete these keys and the subkeys tied to them.

Find the following key in its location:


You can change the Start Page value back to your original home page, or simply delete this entry.

5.  If you have the Mozilla Firefox browser installed, navigate to the folder location below and open the prefs.js file in a text editor.


In the text editor, look for this line, delete it, and save the file:
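The five manual steps above can be run as one triage script. The following PowerShell is an added example and is not code from the SpiderLabs post: the dropped file names (startup1.vbs, startup1.bat, startup2.bat) and the process name wscript.exe come from the post, while the Internet Explorer registry location (HKCU:\Software\Microsoft\Internet Explorer\Main, value Start Page) and the Firefox preference name (browser.startup.homepage) are the standard locations for those settings and are assumptions here, since the post's screenshots of the exact keys and the prefs.js line are not reproduced. By default the script only reports the home-page settings; pass -ResetHomePages to remove them as step 4 and step 5 describe.

```powershell
# Added example (not from the SpiderLabs post): triage script for the clean-up
# steps. Run it as the affected user. Registry and Firefox locations below are
# the standard ones and are assumptions, not values taken from the post.
param(
    # Also remove the IE Start Page value and the Firefox home-page preference.
    [switch]$ResetHomePages
)

# Files the post describes being dropped into the per-user Startup folder.
$DroppedFiles = @('startup1.vbs', 'startup1.bat', 'startup2.bat')

# Step 1: stop the Windows Script Host instance running startup1.vbs / License2.vbs.
Get-Process -Name 'wscript' -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host "Stopping wscript.exe (PID $($_.Id))"
    Stop-Process -Id $_.Id -Force
}

# Step 2: close the full-screen Internet Explorer window the script opened.
Get-Process -Name 'iexplore' -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 3: remove the dropped files from the Startup folder (the same folder shell:startup opens).
$StartupDir = [Environment]::GetFolderPath('Startup')
foreach ($Name in $DroppedFiles) {
    $Path = Join-Path $StartupDir $Name
    if (Test-Path -LiteralPath $Path) {
        Write-Host "Removing $Path"
        Remove-Item -LiteralPath $Path -Force
    }
}
# Anything else still in the Startup folder deserves a look as well.
Get-ChildItem -LiteralPath $StartupDir -File -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host "Still present in Startup folder: $($_.Name)" }

# Step 4: review (and optionally reset) the Internet Explorer start page.
# Assumption: the standard IE location, not necessarily the key shown in the post.
$IeMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$StartPage = (Get-ItemProperty -Path $IeMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($StartPage) {
    Write-Host "IE Start Page is currently: $StartPage"
    if ($ResetHomePages) {
        Remove-ItemProperty -Path $IeMain -Name 'Start Page'
        Write-Host 'Removed the Start Page value; IE falls back to its default.'
    }
}

# Step 5: review (and optionally strip) the Firefox home-page preference.
# Assumption: browser.startup.homepage in each profile's prefs.js. Firefox must be
# closed first, otherwise it rewrites prefs.js on exit and undoes the edit.
$Profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path -LiteralPath $Profiles) {
    foreach ($ProfileDir in Get-ChildItem -LiteralPath $Profiles -Directory) {
        $Prefs = Join-Path $ProfileDir.FullName 'prefs.js'
        if (-not (Test-Path -LiteralPath $Prefs)) { continue }
        $Lines = Get-Content -LiteralPath $Prefs
        $Hits  = $Lines | Where-Object { $_ -match 'browser\.startup\.homepage' }
        foreach ($Hit in $Hits) { Write-Host "$Prefs : $Hit" }
        if ($ResetHomePages -and $Hits) {
            $Lines | Where-Object { $_ -notmatch 'browser\.startup\.homepage' } | Set-Content -LiteralPath $Prefs
            Write-Host "Removed the home-page preference from $Prefs"
        }
    }
}
```

Stopping wscript.exe first matters because the VBS relaunches the full-screen browser; closing Internet Explorer before the script host would only buy a moment. The script lists whatever else remains in the Startup folder rather than deleting it, since a legitimate shortcut may live there too.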



Remember, updates for your computer never arrive by email notification; they pop up near your taskbar, waiting for you to click, install and restart. And if your Microsoft Windows activation license is invalid, a message appears at the bottom right of your desktop. Simply avoid or ignore these amateurish unsolicited emails alerting you that you need an update.






FileName: key.rar
MD5: fb2efa0a781d7911556737768814f4ee
SHA1: 2ddb6a50937364386ddeffcf5bd2dfb53cf49d5

FileName: License2.vbs / startup1.vbs
MD5: 3df65471e9741d55084780b92719834f
SHA1: d32b802d542138ddb5f812d06077215dd82cbd98

FileName: License1.bat / WindowsUpdate.bat
MD5: 955bd1ee3b36e899fa441aaa29c7f985
SHA1: d5e30fbc7f9e7976be8c77682c0ae15fd08ad8dc

FileName: startup1.bat
MD5: f76e9acabae09d12c1221e56603c754d
SHA1: 094007daaa2854bf22f6fd2750caa33ce97fbcc3

FileName: startup2.bat
MD5: 2b7ff12f582c1137396461671dc229f7
SHA1: 9558fde1521e01f61fab82b51ce5be3162917e61
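To check a machine against the indicators above, the following PowerShell hashes every file under a folder and reports matches. It is an added example, not code from the SpiderLabs post: the MD5 and SHA1 values are copied from the list above, while the default scan path (the user's Downloads folder) is an assumption and should be pointed at wherever key.rar was saved or extracted, or at the Startup folder. The script validates each indicator before use, because a digest of the wrong length can never match and would otherwise fail silently; as listed above, the key.rar SHA1 has 39 hex digits rather than 40, so it is reported and skipped while its MD5 is still used.

```powershell
# Added example (not from the SpiderLabs post): match files against the post's
# hash indicators. Hash values are copied from the post; ScanPath is an assumption.
param(
    [string]$ScanPath = (Join-Path $env:USERPROFILE 'Downloads')
)

$Indicators = @(
    @{ Name = 'key.rar';                          MD5 = 'fb2efa0a781d7911556737768814f4ee'; SHA1 = '2ddb6a50937364386ddeffcf5bd2dfb53cf49d5' }
    @{ Name = 'License2.vbs / startup1.vbs';      MD5 = '3df65471e9741d55084780b92719834f'; SHA1 = 'd32b802d542138ddb5f812d06077215dd82cbd98' }
    @{ Name = 'License1.bat / WindowsUpdate.bat'; MD5 = '955bd1ee3b36e899fa441aaa29c7f985'; SHA1 = 'd5e30fbc7f9e7976be8c77682c0ae15fd08ad8dc' }
    @{ Name = 'startup1.bat';                     MD5 = 'f76e9acabae09d12c1221e56603c754d'; SHA1 = '094007daaa2854bf22f6fd2750caa33ce97fbcc3' }
    @{ Name = 'startup2.bat';                     MD5 = '2b7ff12f582c1137396461671dc229f7'; SHA1 = '9558fde1521e01f61fab82b51ce5be3162917e61' }
)

# Hex digest lengths for the algorithms used in the indicator list.
$ExpectedLength = @{ MD5 = 32; SHA1 = 40 }

function Test-IndicatorHash {
    # True when the value is a well-formed hex digest for the given algorithm.
    param([string]$Algorithm, [string]$Value)
    return $Value -match "^[0-9a-fA-F]{$($ExpectedLength[$Algorithm])}$"
}

# Build lowercase lookup tables per algorithm, warning about and skipping malformed entries.
$Lookup = @{ MD5 = @{}; SHA1 = @{} }
foreach ($Ioc in $Indicators) {
    foreach ($Alg in 'MD5', 'SHA1') {
        $Value = $Ioc[$Alg]
        if (Test-IndicatorHash -Algorithm $Alg -Value $Value) {
            $Lookup[$Alg][$Value.ToLowerInvariant()] = $Ioc.Name
        } else {
            Write-Warning "$($Ioc.Name): $Alg '$Value' has $($Value.Length) hex digits, expected $($ExpectedLength[$Alg]); entry skipped"
        }
    }
}

# Hash each file once per algorithm and collect matches.
$Hits = @()
Get-ChildItem -LiteralPath $ScanPath -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $File = $_
    foreach ($Alg in 'MD5', 'SHA1') {
        $Digest = (Get-FileHash -LiteralPath $File.FullName -Algorithm $Alg).Hash.ToLowerInvariant()
        if ($Lookup[$Alg].ContainsKey($Digest)) {
            $Hits += [pscustomobject]@{
                Path      = $File.FullName
                Algorithm = $Alg
                Indicator = $Lookup[$Alg][$Digest]
            }
        }
    }
}

if ($Hits) {
    $Hits | Format-Table -AutoSize
} else {
    Write-Host "No indicator matches under $ScanPath"
}
```

Matching on both digests is deliberate: a file that matches on MD5 alone is still worth reporting, but a match on both algorithms rules out an accidental MD5 collision.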
