
NTK Screenlocker

By GoldSparrow in Trojans

The NTK Screenlocker is a Trojan screen locker that was first observed on February 16, 2017. The NTK Screenlocker is very similar to other screen locker Trojans that had been observed in previous months. Although there is no evidence that the NTK Screenlocker is directly connected to previously released threats, it is very likely that the NTK Screenlocker uses code recycled from existing threats. At the moment, it is uncertain who is behind the NTK Screenlocker attack. However, it is clear that the NTK Screenlocker is being distributed through spam email attachments that carry an exploit targeting a vulnerability in Microsoft Word and other software.

Another Threat Using the Anonymous Symbol

Samples of the NTK Screenlocker that have been recovered in the wild suggest that the NTK Screenlocker uses messages in French. The NTK Screenlocker runs as 'Winban.exe' on the victim's computer, changing a key in the Windows Registry to ensure that it runs automatically when Windows starts up. The NTK Screenlocker blocks numerous Windows features that would allow computer users to bypass its intrusive message, such as the Windows Task Manager, Command Prompt and Registry Editor. The victim is asked to contact an email address associated with the NTK Screenlocker and make a large ransom payment in exchange for the password needed to unlock the victim's computer.

The NTK Screenlocker displays a full-screen message that includes animation and Guy Fawkes mask imagery. The NTK Screenlocker message reads as follows:

'You got pOwned by NTK
Ton PC est bloqué 🙂 Si tu veux pouvoir le réutiliser, suis les instructions ci-dessous.
1: Appuyez sur "Afficher coordonnées"
2: Envoyez un mail et mettre en objet : Code UTK
3: le vous enverrai le code contre une rançon
Afficher coordonnees'

Below is an English translation of the above message:

'You got pOwned by NTK
Your PC is blocked 🙂 If you want to be able to reuse it, follow the instructions below.
1: Press "Display coordinates"
2: Send an e-mail and put in object: UTK code
3: you will receive the code in exchange for a ransom
Display coordinates'

When the victim clicks on the button that reads 'Display Coordinates' (in French), a short message that includes an email address is displayed. Computer users are instructed to use a different device to carry out the payment. Fortunately, the NTK Screenlocker can be removed with the password '15s4e56dsjdhfy87,' which will stop the lock screen completely. After stopping the lock screen by entering the password, the following message will appear:

'Virus débloqué
Suivez les instructions pour pouvoir effacer le virus :
1. Appuyez sur Ctrl+Alt+Suppr
2. Ouvrir le gestionnaire des taches
3. Exécuter une nouvelle tache : explorer.exe Cliquer sur le bouton Windows de votre clavier
4. Cliquer sur le dossier Startup
5. Supprimer le fichier Winban.exe
6. Redémarrer l'ordinateur
Appuyez sur continuer pour utiliser votre PC.'

Which translated reads as follows:

'Unlock the Virus
Follow the instructions to clear the virus:
1. Press Ctrl + Alt + Delete
2. Open the task manager
3. Run a new task: explorer.exe Click on the Windows button on your keyboard
4. Click on the Startup folder
5. Delete the Winban.exe file
6. Restart the computer
Press continue to use your PC.'

Dealing with the NTK Screenlocker

Following the removal instructions will remove the NTK Screenlocker infection from the affected computer. However, PC security researchers strongly advise computer users to take steps to ensure that their machines are protected completely. Malware often strikes in conjunction with other infections, and if the NTK Screenlocker is present on a computer, it is very likely that other threats are present as well. Malware researchers strongly advise computer users to use a reliable, fully updated anti-malware program to ensure that not only the NTK Screenlocker is removed, but also any other threats that may have been installed. Computer users are also advised to take precautions against the NTK Screenlocker, since it is possible that in the future con artists will update it to use a different password or add more advanced features, such as an encryption engine.
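
The following PowerShell triage script is an added example, not part of the original article or any vendor tool. It checks, without changing anything, for the 'Winban.exe' startup file, autorun registry values that reference it, and the policy values that disable Task Manager, Registry Editor and Command Prompt. The Startup folders, Run keys and policy value names are the standard Windows locations and are an assumption here, since the article does not name the exact keys the threat modifies.

```powershell
# Added example: read-only triage for the traits the article describes.
# Assumption: the standard Startup folders, Run keys and policy values below are
# the locations involved; the article does not name them.
$name = 'Winban.exe'   # file name given in the article

# 1. Startup folders (the unlock message says to delete the file from "Startup")
$startupDirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
$files = foreach ($dir in $startupDirs) {
    if ($dir -and (Test-Path -LiteralPath $dir)) {
        Get-ChildItem -LiteralPath $dir -Filter $name -Force -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Type = 'StartupFile'; Location = $_.FullName; Detail = $_.LastWriteTime } }
    }
}

# 2. Run-key values that reference the file name
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$autoruns = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($valueName in $item.GetValueNames()) {
            $data = [string]$item.GetValue($valueName)
            if ($data -like "*$name*") {
                [pscustomobject]@{ Type = 'RunValue'; Location = "$key\$valueName"; Detail = $data }
            }
        }
    }
}

# 3. Policy values that disable Task Manager, Registry Editor and Command Prompt
$policies = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD' }
)
$locked = foreach ($p in $policies) {
    $value = (Get-ItemProperty -LiteralPath $p.Key -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    if ($value) {
        [pscustomobject]@{ Type = 'ToolDisabled'; Location = "$($p.Key)\$($p.Name)"; Detail = $value }
    }
}

$findings = @($files) + @($autoruns) + @($locked)
if ($findings.Count) { $findings | Format-List } else { 'No matching artifacts found.' }
```

The HKCU checks apply to the account running the script, so run it in the affected user's session after the lock screen has been dismissed.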
