Your Browser is (not) Locked


Most ransomware has a binary file that needs to be executed before it can infect your PC. Ransomware usually relies on social engineering or exploits to infect unsuspecting users. However, some malware authors are bypassing this requirement with a new trick - browser lockers.

Unlike traditional ransomware that locks the entire desktop, a browser locker only locks the web browser of the affected PC. Most other malware needs a user (or other malware) to run it. A browser locker has no binary to run: it is usually written in JavaScript and executes as soon as the browser renders the page that carries it. The script's main purpose is to intercept every action that would normally close the browser, such as clicking the close button or pressing shortcut keys like Alt + F4. Each attempt to close the browser instead produces another warning message box; an example is shown in Figure 4.

Microsoft detects browser locker malware as Ransom:JS/Brolo and Ransom:JS/Krypterade. The graphs below show the number of encounters and countries affected by these threats in recent months.

Figure 1: The number of Ransom:JS/Brolo and Ransom:JS/Krypterade has increased since May 2014

Figure 2: The ten countries most affected by browser locker malware

These threats run when the browser is sent to a malicious URL. The user may have visited a clean domain or website; a malicious pop-up ad served on that site can still redirect the browser to the locker's landing page.

Once the browser reaches the landing page, it displays the lock screen. From that point on, attempts to close the browser from within it fail, and the user needs another application, such as Task Manager, to end the browser process.

An example of a Ransom:JS/Brolo browser lock screen is shown below. The message varies by browser and can be region-specific:

Figure 3: The Ransom:JS/Brolo browser lock screen

Figure 4: Attempts to close a browser affected by Ransom:JS/Brolo will lead to a loop of message boxes

Each browser locker may have a slightly different appearance, with changes to the images and messages. However, they usually try similar scare tactics:

  • Claiming to come from a law enforcement or security agency, usually one the victim would recognize locally (Interpol, FBI, NSA).
  • Claiming you have broken a law.
  • Demanding that you pay a fine, usually with prepaid cards.
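The locking behaviour and the scare wording described above can be turned into a simple triage check for a saved landing page. The following is an added example, not code from the original post or from Microsoft: a Node.js script that scans a page's inline scripts and visible text for those traits. Both sample pages in it are constructed for the example, and the indicator list, weights and threshold are assumptions to tune against real samples. The benign sample shows the caveat a practitioner needs: a "beforeunload" handler on its own is a legitimate unsaved-changes prompt, so the scanner only flags a page when several traits combine.

```javascript
'use strict';
// Added example, not code from the original post or from Microsoft: a
// heuristic scanner for browser-locker landing pages. It checks the traits the
// post describes (a script that fights page unload, a loop of modal dialogs,
// law-enforcement / fine / prepaid-card wording). Indicator names, weights and
// the threshold are this example's own assumptions.

// Script-level indicators: [name, pattern, weight]
const SCRIPT_INDICATORS = [
  ['unload handler',   /on(?:before)?unload\s*=|addEventListener\(\s*['"](?:before)?unload['"]/i, 2],
  ['dialog loop',      /(?:for|while)\s*\([^)]*\)\s*\{[^}]*\b(?:alert|confirm|prompt)\s*\(/i, 3],
  ['history flooding', /history\.(?:pushState|replaceState|go|back)\s*\(/i, 1],
  ['keyboard hijack',  /\b(?:keyCode|which)\b[^;]{0,40}(?:115|116|preventDefault)/i, 1],
  ['window control',   /window\.(?:moveTo|resizeTo|focus)\s*\(|requestFullscreen/i, 1],
];

// Text-level indicators, taken from the scare tactics listed in the post.
const TEXT_INDICATORS = [
  ['agency impersonation', /\b(?:fbi|interpol|nsa|police|department of justice)\b/i, 2],
  ['legal threat',         /\b(?:violat(?:ed|ion)|illegal|criminal|penalty)\b/i, 1],
  ['fine demanded',        /\b(?:fine|fee)\b[^.]{0,60}\$\s?\d+|\$\s?\d+[^.]{0,60}\b(?:fine|fee)\b/i, 2],
  ['prepaid card payment', /\b(?:moneypak|paysafecard|ukash|prepaid)\b/i, 2],
];

// Assumption: a page needs more than one strong trait before it is flagged.
const LOCKER_THRESHOLD = 6;

// Return the bodies of all inline <script> blocks in an HTML string.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) scripts.push(m[1]);
  return scripts;
}

// Return the visible text of the page with scripts and tags removed.
function visibleText(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, ' ')
    .replace(/<[^>]+>/g, ' ')
    .replace(/\s+/g, ' ');
}

// Score a page against both indicator lists and return the matches.
function scanPage(html) {
  const hits = [];
  let score = 0;
  const scripts = extractScripts(html).join('\n');
  for (const [name, re, weight] of SCRIPT_INDICATORS) {
    if (re.test(scripts)) { hits.push(name); score += weight; }
  }
  const text = visibleText(html);
  for (const [name, re, weight] of TEXT_INDICATORS) {
    if (re.test(text)) { hits.push(name); score += weight; }
  }
  return { score, hits, verdict: score >= LOCKER_THRESHOLD ? 'browser locker' : 'clean' };
}

// Constructed sample: a locker-style page with the traits the post describes.
const LOCKER_PAGE = `<html><body>
<h1>ATTENTION! Your browser has been locked by the FBI</h1>
<p>You have violated the law. Pay a fine of $300 with a MoneyPak card.</p>
<script>
window.onbeforeunload = function () {
  for (var i = 0; i < 1000; i++) { alert("You cannot close this window"); }
  return "Your browser is locked";
};
document.onkeydown = function (e) { if (e.keyCode == 115) { e.preventDefault(); } };
</script></body></html>`;

// Constructed sample: a benign page that uses beforeunload for the legitimate
// purpose of warning about unsaved form data.
const BENIGN_PAGE = `<html><body>
<form id="profile"><input name="bio"><button>Save</button></form>
<script>
var dirty = false;
document.getElementById('profile').oninput = function () { dirty = true; };
window.addEventListener('beforeunload', function (e) {
  if (dirty) { e.returnValue = 'You have unsaved changes'; }
});
</script></body></html>`;

// Usage: node locker-scan.js
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  for (const [label, page] of [['locker sample', LOCKER_PAGE], ['benign sample', BENIGN_PAGE]]) {
    const r = scanPage(page);
    console.log(`${label}: ${r.verdict} (score ${r.score}; ${r.hits.join(', ') || 'no hits'})`);
  }
}
```

Run on the two constructed pages, the locker sample is flagged on every indicator except history flooding and window control, while the benign page scores only on its unload handler and stays clean. The same scanPage function can be pointed at HTML saved from a proxy or sandbox, but the weights are a starting point, not a tuned model.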

Examples of the browser lock screens used by this type of threat are shown below:

Figure 5: Another Ransom:JS/Brolo browser lock screen

Figure 6: Attempts to close a browser affected by Ransom:JS/Krypterade leads to a message box loop

As shown above, Ransom:JS/Krypterade masquerades as the official Java website. The 'ransom' in this case is not a payment: the page tells you to download and install another binary, which is a software bundler.

Despite their claims to the contrary, browser lockers do not:

  • Come from a government security agency.
  • Know whether you have broken any law.
  • Have your files for evidence.
  • Know whether your current browser is outdated or not.

As far as we have seen they cannot:

  • Encrypt your files.
  • Force you to install particular software to unlock your browser.
  • Require you to pay a fine to unlock your browser.

If your browser is locked by one of these threats, you can unlock it by using Task Manager to end the browser process. On enterprise machines Task Manager might be blocked by group policy, in which case you may need to contact your IT administrator for assistance. When you relaunch your browser, it may offer to "restore session" because it was closed unexpectedly. Do not choose "restore session": the saved session still contains the browser locker URL, and restoring it reloads the lock screen.

The best protection from these threats is to make sure your web browser's SmartScreen filter and pop-up blocker are turned on. You should also only download software from the official vendor's website. Common applications such as Java and Flash have their own update notifications to tell you when an update is needed, so a web page claiming that your software is outdated is not a reason to install anything it offers.

Microsoft security products, such as Microsoft Security Essentials, include detection for Ransom:JS/Brolo and Ransom:JS/Krypterade. To help stay protected, keep your security software up to date.

Alden Pornasdoro
MMPC

Comments (16)

  1. Mario [msft] says:

    "Don't Panic" should be the headline. Easier than contacting IT – sign out of the PC…

    1. JAY says:

      WHEN THIS POP UP APPEARS AND LOCKS THE MESSAGE;
      SELECT CTL/ALT/DEL TO MAKE ‘TASK MANAGER’ AVAILABLE
      OPEN ‘TSK MGR’ – AT THE TOP OF THE APPS PAGE IS YOUR ‘BROWSER” NAME
      HIGHLIGHT IT AND SELECT ‘END TASK’ – THIS CLOSES YOUR BROWSER.
      OPEN YOUR BROWSER AGAIN BUT DO NOT ‘RESTORE’ PAGES. – YOUR PROBLEM IS FIXED.

  2. adwbust says:

    On android, scare web pages delivered by ads are very common. Sooner, these scare ads will also employ this lock technique. But most rickroll, joke sites use them already? In the browser prompt to leave web page, add check box or option to close tab or window regardless of what button you click? Or add action bar that says script that tries to lock (or modify) browser has been blocked. UAC should also prompt if a local PE or script is trying to modify IE (since it's part of windows). Does IE have an option to prompt for every redirect or a built in and easily accessible script controls (like noscript)?

    Ads are best delivery mechanism of most threats on web. IE TPL should be made more reliable. TPLs have limited functionality compared to adblockplus.

  3. Ron says:

    I have had a few of these. If I can, I will just click on the START button and choose restart. If that doesn't work, I will turn off the power on my power bar. When you turn it back on and get the start-up screen telling you that WINDOWS shut down unexpectedly, simply let it START UP NORMALLY and voilà, you're back in business.

  4. A Guy says:

    I just rapidly reload until I can get into Chrome's task manager, then kill the specific web page. Sometimes this can be really difficult though.

  5. John says:

    Traditionally, malware was delivered by downloading "…a binary file that needs to be executed before it can infect your PC". The 'solution' here was to run an "anti-executable" application which enforces a whitelist of software used by your own computer. Although still a useful component in any anti-malware set-up, there is now the problem of JavaScript using the browser to access and modify the registry so that malware can run without using an executable!

    There are applications which will either obstruct or log registry modifications. To find such software, there was, and might still be, a page at microsoft com which lists a number of vendors of antimalware [antivirus] software. Use this page to identify safe websites to visit to look for lists of other websites and resources. Eventually you will find website reputation and blacklisting services which will help you find other safe sources of information. Some will even have information on registry protection tools.

    Do not "Google" or "Bing" anything until you can identify safe and unsafe websites.

  6. adwbust says:

    will windows 10 have app isolation? so that if app is indeed malicious, closing it will undo all its modifications to system. or add a snapshot/virtual mode for admin and child/guest/limited user account – when you log-out/restart/shutdown all activity and changes done to system while logged-in with virtual mode enabled will be purged. windows 10 devs are you listening?!

  7. cool says:

    whatta col

  8. Ian Bell says:

    The mechanism(s) by which these sites are locking browsers should be considered vulnerabilities and fixed! This shows how insecure IE is compared to Chrome. I haven't seen a browser locker affect a Chrome user where they haven't been able to close it yet. You shouldn't have to use the task manager. MS, fix these client side DoS vulnerabilities!

  9. Pav Mart says:

    Just for Ian Bell. To let you know, my wife just uninstalled Chrome because this locking window showed.

  10. Paul says:

    Why do the most common browsers even allow sites to take this type of control over the application. A site should not have the ability to prevent you from closing a browser or navigating away. Vendors should see this as a product defect and release fixes to prevent this type of action by malicious sites. It’s known the web is a dangerous place; let’s create browsers that are not as susceptible to those dangers.

  11. Barbara Horn says:

    I tried to order my checks on line today and got a message showing pop ups were blocked on my browser and thus I have not been able to go to the next step and order them. What can I do?

  12. Walt Reed says:

    This kind of web page malware has been going around for over 7 years, and IE is STILL totally vulnerable, proof positive that Microsoft, Google (with Chrome) and Mozilla (with Firefox) are NOT CAPABLE of creating a web browser that has a shred of security. Everyone wants us to move to the cloud yet the “cloud tools” (web browsers) are JUNK. The security experts at Microsoft should be totally embarrassed to show their faces in public.

  13. Joe says:

    WHY!!!!!! can’t windows stop this

  14. queen blogalina says:

    THANKS!!!
