Most ransomware has a binary file that needs to be executed before it can infect your PC. Ransomware usually relies on social engineering or exploits to infect unsuspecting users. However, some malware authors are bypassing this requirement with a new trick – browser lockers.
Microsoft detects browser locker malware as Ransom:JS/Brolo and Ransom:JS/Krypterade. The graphs below show the number of encounters and countries affected by these threats in recent months.
Figure 1: The number of Ransom:JS/Brolo and Ransom:JS/Krypterade has increased since May 2014
Figure 2: The ten countries most affected by browser locker malware
These threats run when a user is redirected to a malicious URL. Although a user might visit a clean domain or website, they can be redirected to a malicious URL instead via pop-up ads.
Once redirected to the browser locker landing page, a visible lock screen is displayed through the browser. At this point all attempts to close the browser are futile without the help of another application.
An example of a Ransom:JS/Brolo browser lock screen is shown below. The message differs from browser to browser, and can be region-specific:
Figure 3: The Ransom:JS/Brolo browser lock screen
Figure 4: Attempts to close a browser affected by Ransom:JS/Brolo will lead to a loop of message boxes
Each browser locker may have a slightly different appearance, with changes to the images and messages. However, they usually try similar scare tactics:
- Trying to look like they come from a local government security agency (Interpol, FBI, NSA).
- Saying you violated or broke a law.
- Asking you to pay a fine, usually in the form of prepaid cards.
Examples of the browser lock screens used by this type of threat are shown below:
Figure 5: Another Ransom:JS/Brolo browser lock screen
Figure 6: Attempts to close a browser affected by Ransom:JS/Krypterade leads to a message box loop
As shown above, Ransom:JS/Krypterade masquerades as the official Java website. The ‘ransom’ in this case is the download and installation of another binary, which is a software bundler.
Despite their claims to the contrary, browser blockers do not:
- Come from a government security agency.
- Know whether you have broken any law.
- Have your files for evidence.
- Know whether your current browser is outdated or not.
As far as we have seen they cannot:
- Encrypt your files.
- Force you to install a particular software just to unlock your browser.
- Require you to pay a fine to unlock your browser.
If your browser is locked by one of these threats you can unlock it using Task Manager to kill the browser process. On enterprise machines Task Manager might be blocked by group policy. You may need to contact your IT administrator for assistance. When you re-launch your browser, it may have an option to "restore session" because it closed unexpectedly. Do not click on "restore session" as it will still have a record of the browser locker URL.
The best protection from these threats is to make sure your web browser smart screen and pop-up blocker is turned on. You should also only download software from the official vendor’s website. Common applications such as Java and Flash usually have their own update notification to let you know when you need an update.
Microsoft security products, such as Microsoft Security Essentials, include detection for Ransom:JS/Brolo and Ransom:JS/Krypterade. To help stay protected, keep your security software up-to date.
Microsoft Malware Protection Center
Secure Hunter Anti -Malware