
Security researchers recently came across a new piece of ransomware posing as a Windows activation window: the ‘Your Windows Licence has Expired’ ransomware. This ransomware, however, is slightly different from your average crypto virus. Instead of demanding a ransom measured in Bitcoins, the threat asks the victim to call a toll-free number, +1-888-303-5121, so that access to the machine is restored. Currently, the ransomware primarily targets people in the United States.

‘Your Windows Licence has Expired’ Ransomware Imitates Windows 10 Activation Screen

Symantec Detects It as Trojan.Ransomlock.AT

This is what Symantec, the security firm that has already analyzed a sample of the threat, says:

We have seen the threat (freedownloadmanager.exe), which Symantec detects as Trojan.Ransomlock.AT, being distributed primarily in the United States. We have seen it used in limited attacks. It uses a prompt that mimics the look and feel of Microsoft’s trade dress.

In other words, users should beware of a file named freedownloadmanager.exe. Even though the file may seem like a normal application, it may put the system at risk of malware.

Trojan.Ransomlock.AT Distribution Method: freedownloadmanager.exe

Researchers point out that the campaign may be small-scale but it’s definitely planned carefully and in advance. The ransomware’s primary method of distribution is via the above-mentioned .exe file. The user may install the application believing it’s a legitimate program. Instead of installing real software, the user gets ransomware. Once installed, the ransomware will show a screen arranged with the standard Windows 10 wallpaper and input field:

As visible, the Windows-like window “borrowed” by the ransomware states that:

Your Windows Licence has Expired , Please get a new one by calling on 1-888-303-5121 from Store Representative

Here we get to the most interesting part: the icons of two legitimate apps, LogMeIn and TeamViewer, are situated above the message. Even though the purpose of the apps is yet to be established, they may allow the malware operators to log on to the victim’s machine remotely. This may be done after the user has called the supposedly toll-free number provided, so that access is restored.

Interestingly, when Symantec researchers called the number, nobody answered. They even went further and researched the toll-free number online. What they came across is a large number of results advising users to pay a fee to rid their systems of the Windows-like screen. Those results are most likely put there via black hat SEO techniques, and shouldn’t be trusted. As always, paying or calling cyber criminals is not recommended.

How to Get Rid of ‘Your Windows Licence has Expired’ Ransomware

Luckily, there is a very simple yet effective way to remove the ‘Your Windows Licence has Expired’ ransomware. Symantec and VMRay developer Chad Loeven have discovered that typing 8716098676542789 in the activation field will rid the system of the ransomware.

To avoid future ransomware infections, follow the tips below. And don’t forget to back up your data before it’s too late!

Tip #1: If you see that ransomware is in the process of encrypting your files, shut down your PC as quickly as possible using the Power button.

Tip #2: Don’t forget to BACKUP! Do regular backups of your important files! It is the best prevention method.

Tip #3: Do NOT format! In case you got your files decrypted, formatting your drives is not a good idea. There are cases where data recovery tools can recover some of the files. And there are specialists who deal with data recovery who could extract deleted files.

For more tips and useful ransomware information, visit our specialized forum topic!

If you haven’t backed up your data yet, get to know some of the best data backup software:

You should also consider installing a specific anti-ransomware solution. Also, don’t underestimate the importance of the mandatory anti-malware program!


