Most ransomware has a binary file that needs to be executed before it can infect your PC. Ransomware usually relies on social engineering or exploits to infect unsuspecting users. However, some malware authors are bypassing this requirement with a new trick – browser lockers.

Unlike traditional ransomware threats that lock the entire desktop, browser lockers only lock the web browser of an infected PC. Most other malware needs a user (or other malware) to manually run it. Browser lockers don’t need to be manually run, they don’t have a binary file and they are mostly written in JavaScript. The script runs in the web browser and its main purpose is to disable any form of action that can close the browser – such as clicking the close button and pressing certain shortcut keys (for example, Alt + F4). All attempts to close the browser will result in a warning message box, an example is shown in Figure 4.

Microsoft detects browser locker malware as Ransom:JS/Brolo and Ransom:JS/Krypterade. The graphs below show the number of encounters and countries affected by these threats in recent months.

Chart showing that the number of Ransom:JS/Brolo and Ransom:JS/Krypterade has increased since May 2014

Figure 1: The number of Ransom:JS/Brolo and Ransom:JS/Krypterade has increased since May 2014

 

Graph showing the ten countries most affected by browser locker malware

Figure 2: The ten countries most affected by browser locker malware

 

These threats run when a user is redirected to a malicious URL. Although a user might visit a clean domain or website, they can be redirected to a malicious URL instead via pop-up ads.

Once redirected to the browser locker landing page, a visible lock screen is displayed through the browser. At this point all attempts to close the browser are futile without the help of another application.

An example of a Ransom:JS/Brolo browser lock screen is shown below. The message differs from browser to browser, and can be region-specific:

Screenshot of the Ransom:JS/Brolo browser lock screen

Figure 3: The Ransom:JS/Brolo browser lock screen

 

Screenshot of attempts to close a browser affected by Ransom:JS/Brolo will lead to a loop of message boxes

Figure 4: Attempts to close a browser affected by Ransom:JS/Brolo will lead to a loop of message boxes

 

Each browser locker may have a slightly different appearance, with changes to the images and messages. However, they usually try similar scare tactics:

  • Trying to look like they come from a local government security agency (Interpol, FBI, NSA).
  • Saying you violated or broke a law.
  • Asking you to pay a fine, usually in the form of prepaid cards.

Examples of the browser lock screens used by this type of threat are shown below:

Screenshot of another Ransom:JS/Brolo browser lock screen

Figure 5: Another Ransom:JS/Brolo browser lock screen

 

 

Screenshot of attempts to close a browser affected by Ransom:JS/Krypterade leads to a message box loop

Figure 6: Attempts to close a browser affected by Ransom:JS/Krypterade leads to a message box loop

 

As shown above, Ransom:JS/Krypterade masquerades as the official Java website. The ‘ransom’ in this case is the download and installation of another binary, which is a software bundler.

Despite their claims to the contrary, browser blockers do not:

  • Come from a government security agency.
  • Know whether you have broken any law.
  • Have your files for evidence.
  • Know whether your current browser is outdated or not.

As far as we have seen they cannot:

  • Encrypt your files.
  • Force you to install a particular software just to unlock your browser.
  • Require you to pay a fine to unlock your browser.

If your browser is locked by one of these threats you can unlock it using Task Manager to kill the browser process. On enterprise machines Task Manager might be blocked by group policy. You may need to contact your IT administrator for assistance. When you re-launch your browser, it may have an option to “restore session” because it closed unexpectedly. Do not click on “restore session” as it will still have a record of the browser locker URL.

The best protection from these threats is to make sure your web browser smart screen and pop-up blocker is turned on. You should also only download software from the official vendor’s website. Common applications such as Java and Flash usually have their own update notification to let you know when you need an update.

Microsoft security products, such as Microsoft Security Essentials, include detection for Ransom:JS/Brolo and Ransom:JS/Krypterade. To help stay protected, keep your security software up-to date.

Alden Pornasdoro

Related blog entries:

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.