Browserlock (July 25, 2014)


Many types of ransomware are making news nowadays; one of them is Browserlock. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. Some forms of ransomware encrypt files on the system’s hard drive, while others simply lock the system and display messages intended to coax the user into paying.

Unlike typical ransomware, Browserlock is HTML ransomware that executes JavaScript to create the effect of locking your browser. It also claims to lock up files until a ransom is paid. The attacker entices the user to visit the malicious website where the ransomware is hosted. For this ransomware to work, the user must have JavaScript enabled. When the user visits the website, the JavaScript code executes and does not allow the user to close the browser or switch to a different document.

Below is JavaScript code found in the ransomware that disables certain keyboard functions:

The browser then displays a pop-up saying ‘YOUR BROWSER IS BEING LOCKED UP FOR SAFETY PURPOSES.ALL THE DATA ON YOUR COMPUTER IS UNDER ARREST.’ If the user selects ‘Leave this page’, the same message is shown to the user again. If the user selects ‘Stay on this page’, he is not able to do anything on the page except fill in the ransom voucher.

It also has a countdown timer that pressures the user to pay the ransom within a certain time period. When the countdown expires, the following pop-up is displayed:

After clicking OK, the user still cannot leave the page.

If the user enters a wrong MoneyPak voucher number, the following pop-up is displayed:

When a correct voucher is entered, the following pop-up is displayed and a POST request is sent to the attacker’s website. The POST sends the user-entered voucher number, the amount and the IP of the user’s machine along with other information. After clicking OK, the user is still not able to close the browser.
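The behaviours described above (suppressed keyboard input, the ‘Leave this page’ prompt, the countdown and the MoneyPak voucher form) can be combined into a static triage heuristic for captured page source. This is an added example, not code from the ransomware and not SonicWall's signature; the indicator names, weights, threshold and both sample pages are constructed assumptions.

```javascript
// Static triage heuristic for browser-locking pages (added example).
// Indicator names, weights and THRESHOLD are assumptions chosen for illustration.
const INDICATORS = [
  { name: "unload-prompt", weight: 3, re: /\bonbeforeunload\b|addEventListener\s*\(\s*['"]beforeunload['"]/i },
  { name: "key-handler", weight: 2, re: /\bonkey(?:down|press|up)\b|addEventListener\s*\(\s*['"]key(?:down|press|up)['"]/i },
  { name: "event-cancel", weight: 2, re: /\bpreventDefault\s*\(|\breturnValue\s*=\s*false|\breturn\s+false\b/i },
  { name: "dialog", weight: 1, re: /\b(?:alert|confirm)\s*\(/i },
  { name: "countdown", weight: 1, re: /\bset(?:Interval|Timeout)\s*\(/i },
  { name: "voucher-lure", weight: 3, re: /moneypak|voucher/i },
  { name: "lock-lure", weight: 3, re: /browser\s+is\s+being\s+locked|under\s+arrest/i },
];
const THRESHOLD = 8; // assumed cut-off: API usage alone (max 7 without lure text or dialogs) stays below it

// Returns the total score, the names of matched indicators and a verdict.
function scorePage(html) {
  const hits = INDICATORS.filter((i) => i.re.test(html));
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  return { score, hits: hits.map((i) => i.name), suspicious: score >= THRESHOLD };
}

// Constructed sample: fragment showing the traits the article describes.
const LOCK_SAMPLE = `
<script>
window.onbeforeunload = function () { return "YOUR BROWSER IS BEING LOCKED UP FOR SAFETY PURPOSES."; };
document.onkeydown = function (e) { return false; };
setInterval(tick, 1000);
</script>
<form method="POST"><input name="voucher" placeholder="MoneyPak voucher"></form>`;

// Constructed sample: a legitimate editor that uses the same browser APIs
// (unsaved-changes prompt, Ctrl+S shortcut) but carries no ransom lure.
const BENIGN_SAMPLE = `
<script>
window.addEventListener("beforeunload", function (e) { if (dirty) e.preventDefault(); });
document.addEventListener("keydown", function (e) {
  if (e.ctrlKey && e.key === "s") { e.preventDefault(); save(); }
});
</script>`;

console.log(scorePage(LOCK_SAMPLE));
console.log(scorePage(BENIGN_SAMPLE));
```

The benign sample shows why the event handlers alone are not enough to flag a page: unsaved-changes prompts and keyboard shortcuts are common, so the lure text is what pushes a page over the threshold.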

The Browserlock ransomware request looks like this:

The Dell SonicWall threat research team has implemented the following signature to prevent this attack:

  • SPY: 2216 Malformed-File html.Q.7