Insert Product Key: Y / N?

When you buy a shiny new PC sporting a copy of Windows, you’ll find it comes with a key for product activation. You’ll also probably need keys for everything else you buy further down the line. Reasons for registering could include customer support or simply keeping a program functional after a 30 day trial period.

Microsoft products have a very specific way of doing this, and it involves Product Identification Numbers (PID for short; not to be confused with process identifiers). As per their website on the subject:

A PID is created after a product is successfully installed. PIDs are used by Microsoft Customer Service to help identify the product when customers engage Microsoft for support. A Product key is a unique combination of numbers and letters that is used during Microsoft software installation to "unlock" or open the product. If you do not enter the product key when you are prompted during the installation, the product may not open until you enter the product key.

If you’re registering a new PC for the first time, the key will probably be on a sticker on the base or side of the machine. If we’re talking software, Microsoft can explain where to find the key. Either way, you’ll work it out eventually.

With that in mind: Caveat emptor. We all see deals too good to be true from time to time, but picking up cheap copies of Windows 8 from a market stall somewhere doesn’t necessarily guarantee the keys are real. Having said that, if I DID buy a set of keys at a market or online and wondered if they were real, I’d simply try using them in whatever way they were meant to be used and take things from there. I definitely wouldn’t go entering them on random websites offering to check their validity, because I’d potentially be handing the keys to a third party.

We’ve seen a website which claims to offer a “PID checking” service. The site, located at pidservice(dot)com, is rather sparse, simply asking visitors to select their Microsoft product then enter their key to see if it’s valid or not.

[Image: PID checker website]

The site is registered anonymously to a .ua registrar, and there’s no way to know who you’re handing the keys over to. The site recognises if you mistype a key, or indeed enter a clearly fake one.

[Image: Invalid key]

If you use certain aspects of a valid key, it’ll even tell you which characters Microsoft uses for their keys.

[Image: False character]
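The typo and wrong-character checks described above are purely syntactic, and you can run the same kind of check on your own machine without sending the key anywhere. The following is an added example, not code from the original post or from the site it describes: it normalises a 25-character Microsoft-style key, checks the five-groups-of-five layout, and flags characters that never appear in such keys. The character set is the 24-character alphabet of classic Windows product keys (XP through 7); treating the letter N as also acceptable, to cover the Windows 8 and later key format, is an assumption made here. A pass only means the key is well-formed; as the post says, the only real validity test is activating the product itself.

```python
import re
from typing import List, NamedTuple

# Alphabet of classic 25-character Microsoft product keys (Windows XP through 7).
# Easily confused characters (0/O, 1/I/L, 5/S, and so on) are deliberately absent,
# which is why a mistyped key is often detectable offline.
CLASSIC_ALPHABET = frozenset("BCDFGHJKMPQRTVWXY2346789")

# Assumption for this example: Windows 8 and later keys also use the letter N
# as a format marker, so N is accepted as well.
ALLOWED = CLASSIC_ALPHABET | frozenset("N")

# Five dash-separated groups of five characters (character set checked separately).
GROUP_LAYOUT = re.compile(r"^[A-Z0-9]{5}(-[A-Z0-9]{5}){4}$")


class KeyCheck(NamedTuple):
    normalised: str       # upper-cased key with whitespace removed and dashes inserted
    well_formed: bool     # True when both layout and character set pass
    problems: List[str]   # human-readable reasons the check failed, if any


def check_key_format(raw: str) -> KeyCheck:
    """Syntactic check of a product key. Never contacts any server."""
    key = "".join(raw.split()).upper()

    # Accept a key typed without dashes by regrouping 25 bare characters.
    if "-" not in key and len(key) == 25:
        key = "-".join(key[i:i + 5] for i in range(0, 25, 5))

    problems: List[str] = []
    if not GROUP_LAYOUT.match(key):
        problems.append("expected five dash-separated groups of five characters")

    bad = sorted({c for c in key.replace("-", "") if c not in ALLOWED})
    if bad:
        problems.append("characters never used in a product key: " + ", ".join(bad))

    return KeyCheck(key, not problems, problems)


if __name__ == "__main__":
    # Constructed sample keys for demonstration only (not real product keys).
    samples = [
        "bcdfg-hjkmp-qrtvw-xy234-6789b",   # well-formed
        "BCDFG HJKMP QRTVW XY234 6789B",   # spaces instead of dashes, still fine
        "BCDFG-HJKMP-QRTVW-XY234-67890",   # ends in 0, a character keys never use
        "BCDFG-HJKMP",                     # far too short
    ]
    for s in samples:
        result = check_key_format(s)
        status = "OK " if result.well_formed else "BAD"
        print(f"{status} {result.normalised}  {'; '.join(result.problems)}")
```

Because the check is local, a mistyped key is caught before it ever leaves the machine, which is the whole point: the site's typo detection offers nothing you cannot do yourself.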

Should you go one step beyond and enter a real key, there’s a delay, which suggests they could in theory be checking the validity of the key. What happens to it after that, though, is anybody’s guess.

It’s also worth noting that the connection to the website is not encrypted – there’s no https taking place behind the scenes.

[Image: no https]

There are many reasons why using websites that don’t use https can go horribly wrong, the most basic being that anything you submit travels in the clear and can be read by anyone on the path between you and the site; sending product keys that you’ve purchased to a website that way is definitely something you should avoid doing.

We recommend not sending your keys to total strangers online for all of the reasons outlined above. If you’re concerned about a key you’ve purchased, try it out before doing anything else and take it back to the place you bought it (or contact the company producing the software you’re using) if there’s something amiss.

Christopher Boyd (Thanks to Pieter and Andrew for additional information)

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.