July 25, 2014

Many types of ransomware are making news nowadays; one of them is Browserlock. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. Some forms of ransomware encrypt files on the system's hard drive, while others simply lock the system and display messages intended to coax the user into paying.

Unlike typical ransomware, Browserlock is HTML ransomware that executes JavaScript to create the effect of locking your browser. It also claims to lock up files until a ransom is paid. The attacker entices the user to visit the malicious website where the ransomware is hosted. For this ransomware to work, the user must have JavaScript enabled. When the user visits the website, the JavaScript code executes and does not allow the user to close the browser or switch to a different document.

Below is JavaScript code found in the ransomware that disables certain keyboard functions:

The browser then displays a pop-up saying 'YOUR BROWSER IS BEING LOCKED UP FOR SAFETY PURPOSES.ALL THE DATA ON YOUR COMPUTER IS UNDER ARREST.' If the user selects 'Leave this page', the same message is shown to the user again. If the user selects 'Stay on this page', he is not able to do anything on the page except fill in the ransom voucher.

It also has a countdown timer that pressures the user to pay the ransom within a certain time period. When the countdown expires, the following pop-up is displayed:

After clicking OK, the user still cannot leave the page.

If the user enters a wrong MoneyPak voucher number, the following pop-up is displayed:

When a correct voucher is entered, the following pop-up is displayed and a POST request is sent to the attacker's website. The POST sends the user-entered voucher number, the amount and the IP of the user's machine, along with other information. After clicking OK, the user is still not able to close the browser.

The Browserlock ransomware request looks like this:

The Dell SonicWALL threat research team has implemented the following signature to prevent this attack:

  • SPY: 2216 Malformed-File html.Q.7
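
The behaviours described above (a repeating leave/stay prompt, suppressed keys, a countdown and a voucher form) can be combined into a static triage score for a fetched page. This is an added example, not the Dell SonicWALL signature and not code from the sample; the patterns, weights, threshold and both sample pages are constructed assumptions.

```javascript
// Static triage heuristic for browser-locking pages (illustrative only).
// Each indicator maps to one behaviour described in the write-up.
const INDICATORS = [
  { name: 'unload-prompt', weight: 2,   // 'Leave this page' / 'Stay on this page' dialog
    re: /\bonbeforeunload\b|addEventListener\(\s*['"]beforeunload['"]/i },
  { name: 'key-handler', weight: 1,     // page inspects keyboard input
    re: /\bonkey(?:down|press|up)\b|addEventListener\(\s*['"]key(?:down|press|up)['"]/i },
  { name: 'key-suppression', weight: 2, // key code checked, then the event is cancelled
    re: /\bkeyCode\b[\s\S]{0,200}?(?:return\s+false|preventDefault\s*\(|returnValue\s*=\s*false)/i },
  { name: 'voucher-prompt', weight: 2,  // payment voucher wording
    re: /money\s*pak|voucher/i },
  { name: 'countdown-timer', weight: 1, // timer-driven UI
    re: /\bset(?:Interval|Timeout)\s*\(/ },
];

const THRESHOLD = 5; // assumed cut-off; tune against known-good pages

// Scan raw markup so inline on* attributes, scripts and visible text are all covered.
function scorePage(html) {
  const hits = INDICATORS.filter((i) => i.re.test(html));
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  return { score, hits: hits.map((i) => i.name), suspicious: score >= THRESHOLD };
}

// Constructed sample: fragments combining the behaviours from the write-up.
const lockLike = `
<body onkeydown="if (blocked[event.keyCode]) return false;">
<script>
window.onbeforeunload = function () { return 'YOUR BROWSER IS BEING LOCKED UP'; };
setInterval(tick, 1000);
</script>
<form>Enter MoneyPak voucher: <input name="code"></form>`;

// Constructed sample: a legitimate editor warning about unsaved changes.
const benignEditor = `
<script>
window.addEventListener('beforeunload', function (e) { if (dirty) e.preventDefault(); });
</script>
<textarea></textarea>`;

console.log(scorePage(lockLike));
console.log(scorePage(benignEditor));
```

A single indicator such as the unload prompt is common on legitimate sites, which is why the score requires several behaviours together before flagging a page.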