September 16, 2013
'Ransomware' in the browser

It seems our ransomware friends have decided to take an easier path. Instead of having to infect machines, they now just hijack the browser. This is done via advertisements. Where you would normally see an exploit kit drop the ransomware onto the machine, it is now just a website. It does not load an exploit kit and drops no malware; it is just a webpage.

Edit: It was pointed out to me that this is ‘Browlock’ as described here by F-Secure: http://www.f-secure.com/weblog/archives/00002590.html

They do some tricks to fool the average home user into thinking their PC might be locked. It doesn't allow the tab / browser to just be closed, it shows some nag messages, and it disables clicking and context menu interaction. But just killing the process or holding the enter key when the nag messages start will solve the problem of the 'locking'. There is no locking of files and no locking of the actual browser, just JavaScript snippets to convince the user.



I've found they are currently targeting 24 countries with unique templates for each of them. These ransomware pages accept Ukash, PaySafeCard or MoneyPak as payment options.

The page itself is far from interesting, it is the usual "You have committed a crime! You must pay X amount of currency to unlock your PC". The only nagging part about these browser ransomware pages is the little snippets that stop you from leaving the page. It has some JavaScript to disable copy-pasting and the right mouse button context menu:

// Handlers that return false cancel dragging, text selection and the context menu
document.ondragstart = test;
document.onselectstart = test;
document.oncontextmenu = test;
function test() {
    return false;
}
document.oncontextmenu; // bare property read, does nothing
// Swallows Ctrl+U (view source), Ctrl+C (copy) and Ctrl+A (select all);
// the lower value is the letter's keypress charCode, the upper its keydown keyCode
function catchControlKeys(event) {
    var code = event.keyCode ? event.keyCode : event.which ? event.which : null;
    if (event.ctrlKey) {
        // Ctrl+U
        if (code == 117) return false;
        if (code == 85) return false;
        // Ctrl+C
        if (code == 99) return false;
        if (code == 67) return false;
        // Ctrl+A
        if (code == 97) return false;
        if (code == 65) return false;
    }
}

The snippet below is inserted a couple hundred times to nag users when they try to close the browser or tab:

<iframe srcdoc="&lt;script&gt;window.onbeforeunload = function(env){return &#39;< Automatically translated sentence saying your browser is locked and you should pay to unlock it >&#39;;}&lt;/script&gt;" src="about:srcdoc"></iframe>
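As an added defensive example (not code from the original post), here is a small Python scanner that looks for the two things described above in a fetched page: the three event handlers wired to a function returning false, and a pile of srcdoc iframes installing an onbeforeunload nag. The sample HTML it runs on is constructed, not a real capture.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a Browlock-style page (not a real capture): the
# UI-blocking handlers plus many srcdoc iframes carrying an onbeforeunload nag.
SAMPLE_HTML = (
    "<html><body><script>"
    "document.ondragstart = test; document.onselectstart = test;"
    "document.oncontextmenu = test; function test() { return false; }"
    "</script>"
    + "<iframe srcdoc=\"&lt;script&gt;window.onbeforeunload = function(env){"
      "return &#39;Your browser is locked, pay to unlock it&#39;;}&lt;/script&gt;\" "
      "src=\"about:srcdoc\"></iframe>" * 300
    + "</body></html>"
)


class _IframeCounter(HTMLParser):
    """Counts <iframe> tags whose srcdoc installs an onbeforeunload handler."""

    def __init__(self):
        super().__init__()
        self.nag_iframes = 0

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        # srcdoc is HTML-escaped inside the attribute; HTMLParser unescapes it for us
        srcdoc = dict(attrs).get("srcdoc") or ""
        if "onbeforeunload" in srcdoc:
            self.nag_iframes += 1


def browlock_indicators(html):
    """Return the indicators found in a page: blocked UI events and nag iframes."""
    handlers = sorted(set(re.findall(
        r"document\.(ondragstart|onselectstart|oncontextmenu)\s*=", html)))
    parser = _IframeCounter()
    parser.feed(html)
    return {"blocked_events": handlers, "nag_iframes": parser.nag_iframes}


def looks_like_browlock(html, min_iframes=50):
    """Heuristic: all three UI-blocking handlers plus a large number of nag iframes."""
    ind = browlock_indicators(html)
    return len(ind["blocked_events"]) == 3 and ind["nag_iframes"] >= min_iframes
```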


All the payment processing is done by posting the entered payment numbers to:

hxxp://r0849(dot)com/checkout.php

Manually visiting this page redirects you to another ransomware page.

Everything runs on the same machine with IP: 91.220.131.108

This IP currently has the following domains pointing to it:


The URLs generated for every country look like this: the local police force's website name is prepended to a generated subdomain of one of the domains above.

Europe & UK: hxxp://europol.europe.eu.id364371920-5491007860.o4854(dot)com/
Czech Republic: hxxp://policie.cz.id455880108-5968240394.h6785(dot)com/
Canada: hxxp://rcmp.gc.ca.id721724926-7498905753.r2976(dot)com/
United States: hxxp://fbi.gov.id387812644-6709187810.e6795(dot)com/
Germany: hxxp://polizei.de.id266579833-2035509219.i4578(dot)com/
Italy: hxxp://polizia-penitenziaria.it.id712283838-1811947395.p8569(dot)com/
Netherlands: hxxp://politie.nl.id522334837-5248227971.r2976(dot)com/
Austria: hxxp://polizei.gv.at.id177526156-2149008243.o4854(dot)com/
Denmark: hxxp://politi.dk.id509546739-3505227551.r2976(dot)com/
France: hxxp://europol.europe.eu.france.id823656192-4927072568.k3789(dot)com/
New Zealand: hxxp://police.govt.nz.id766652922-6891458535.o4854(dot)com/
Poland: hxxp://policja.pl.id806404301-7879340615.f3145(dot)com/
Spain: hxxp://policia.es.id958212377-8394545408.o4854(dot)com/
Sweden: hxxp://polisen.se.id818801983-2087236659.i4578(dot)com/
Turkey: hxxp://egm.gov.tr.id186914923-5094277828.o4854(dot)com/
Switzerland: hxxp://polizei.ch.id560198569-4965186385.o7677(dot)com/
Slovakia: hxxp://minv.sk.id883808210-3960124383.e6795(dot)com/
Norway: hxxp://politi.no.id784951924-4464159024.f3145(dot)com/
Luxembourg: hxxp://police.public.lu.id299505676-9305979884.r2976(dot)com/
Latvia: hxxp://vp.gov.lv.id735112767-9538979416.o7677(dot)com/
Hungary: hxxp://police.hu.id718033610-3265846964.c4665(dot)com/
Estonia: hxxp://politsei.ee.id429231001-7999764185.k3789(dot)com/
Belgium: hxxp://polfed-fedpol.be.id814998705-3053255312.e6795(dot)com/
Portugal: hxxp://psp.pt.id741374536-8129614885.s4583(dot)com/
Finland: hxxp://poliisi.fi.id252161139-4927948242.q3754(dot)com/
Australia: hxxp://afp.gov.au.id252161139-4927948242.q3754(dot)com/

Appending '/?result=success' to these URLs will show you the screen shown when a payment is successful, and appending '/?result=fail' will show you the screen shown when a wrong code is used. When a user 'successfully' unlocks the 'ransomware' by paying, he/she will get a message saying their browser will be unlocked in 12 hours.
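An added example, not from the original post: a Python helper that splits one of these hostnames into the spoofed police domain, the generated id and the apex domain that actually resolves, accepting the defanged hxxp/(dot) notation used above so an IOC list can be fed in as-is. The sample URLs are constructed in the same style as the ones listed.

```python
import re
from urllib.parse import urlsplit

# Shape of the hostnames listed above:
#   <spoofed police domain>.id<digits>-<digits>.<letter><4 digits>.com
_BROWLOCK_HOST = re.compile(
    r"^(?P<spoof>[a-z0-9.-]+)\.id(?P<id1>\d+)-(?P<id2>\d+)\.(?P<apex>[a-z]\d{4}\.com)$"
)


def parse_browlock_url(url):
    """Split a Browlock URL into its parts, or return None if it does not match."""
    # Undo the defanging used in IOC lists so urlsplit can parse the hostname
    cleaned = url.replace("hxxp", "http").replace("(dot)", ".")
    host = urlsplit(cleaned).hostname or ""
    m = _BROWLOCK_HOST.match(host)
    if not m:
        return None
    return {
        "spoofed_domain": m.group("spoof"),  # what the victim is meant to read
        "campaign_id": f'{m.group("id1")}-{m.group("id2")}',
        "apex_domain": m.group("apex"),      # the domain that actually resolves
    }


# Constructed sample: defanged URLs in the style quoted in the post plus a benign one
SAMPLE_URLS = [
    "hxxp://fbi.gov.id387812644-6709187810.e6795(dot)com/",
    "hxxp://politie.nl.id522334837-5248227971.r2976(dot)com/",
    "https://www.example.com/login",
]


def triage(urls):
    """Return (sorted apex domains seen, parsed hits) for a batch of URLs."""
    hits = [p for p in (parse_browlock_url(u) for u in urls) if p]
    return sorted({h["apex_domain"] for h in hits}), hits
```

Blocking at the apex domain (or the single hosting IP) covers every country-specific subdomain at once, which is why the helper separates it from the spoofed prefix.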

And here is a list of all the templates used for all the different countries they target:

Edit: Added Mexican and Irish template design thanks to Kafeine!
Edit 2: Added Portuguese, Finnish and Australian design thanks to Kira 2.0!

Template screenshots (images not reproduced here), one per country: Finland, Australia, United States, Portugal, Mexico, Ireland, Austria, Canada, Switzerland, Czech Republic, Germany, Denmark, Estonia, Spain, Europe (Generic) & UK, France, Hungary, Italy, Luxembourg, Latvia, Netherlands, Norway, New Zealand, Poland, Sweden, Slovakia, Turkey.
