Monday, March 3, 2014

Browlock ransomware cases increasing



Browlock is (unfortunately) nothing new. It's a simple webpage that "locks" your browser and demands a certain amount (usually $/£/€ 100) to unlock it. You cannot exit the browser the normal way.

Browlock typically gets delivered via malvertising (which is the user clicking on a malicious ad). Read more about Browlock here:
Browlock Ransomware Malvertising Campaign

Anyway, it seems they're now also stepping up their game for Belgian (or Dutch-speaking) victims, as I recently stumbled upon the following:

Browser blocked by Browlock

If we check the source of this webpage, we see the following iframe:

This suggests they're testing the waters in regards to Belgian users.
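As an added example (not code from the post), here is a small checker a defender can run over saved page source: it flags iframes and scripts whose host is on a blocklist (seeded here with the IP named later in this post) and iframes hidden via size or style, which is how injected ad frames usually look. The sample page, its paths and the other hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts known to serve Browlock pages; the IP is the one named in the post.
BLOCKED_HOSTS = {"146.185.235.7"}

class RefCollector(HTMLParser):
    """Collect the src of every <iframe> and <script> in the page source."""
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, src, attrs)

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            a = dict(attrs)
            if a.get("src"):
                self.refs.append((tag, a["src"], a))

def _host_of(src):
    """Hostname of an absolute or protocol-relative URL; '' for relative paths."""
    if src.startswith("//"):
        src = "http:" + src
    return (urlparse(src).hostname or "") if "://" in src else ""

def _is_hidden(attrs):
    """Injected ad frames are often 0x0/1x1 or styled invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def find_suspicious_refs(html, blocked_hosts=BLOCKED_HOSTS):
    """Return (tag, src, reason) for refs to blocked hosts and for hidden iframes."""
    parser = RefCollector()
    parser.feed(html)
    findings = []
    for tag, src, attrs in parser.refs:
        host = _host_of(src)
        if host in blocked_hosts:
            findings.append((tag, src, "blocked host " + host))
        elif tag == "iframe" and _is_hidden(attrs):
            findings.append((tag, src, "hidden iframe"))
    return findings

# Constructed sample page: only the IP comes from the post; other values are placeholders.
SAMPLE_PAGE = """<html><body><p>Loading...</p>
<iframe src="http://146.185.235.7/lock.html" width="100%" height="100%"></iframe>
<iframe src="//ads.example/t" width="0" height="0" style="display: none"></iframe>
<script src="https://cdn.example/lib.js"></script>
</body></html>"""
```

Calling find_suspicious_refs(SAMPLE_PAGE) returns two findings: the frame on the blocked IP and the hidden 0x0 ad frame; the script on the unrelated CDN is left alone.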

I have listed the most important points below, translated literally; the original is written in the most awful Dutch I have ever seen (Google Translate is clearly not the best translator out there for some languages):

You are subjected to violation of the copyright and the neighbouring rights (Video, Music and Software) and unlawful use or distributed copyright-protected content

You have viewed or distribute forbidden pornographic content

Unlawful access has been started from your computer without your knowledge or consent, Your PC may become infected with malware

To unlock your computer and to prevent other legal consequences, you are obliged to pay a release fee of 100 EUR via PAYSAFECARD (you must purchase PAYSAFECARD card, top up 100 EUR and enter the code). You can purchase the code in any shop or petrol station. PAYSAFECARD is available in the shops in the country.


When trying to exit the page:

Message in Internet Explorer. Oops :-)

In Firefox, I got no weird characters in the message box, but as indicated in the screenshot above, Internet Explorer wasn't exactly happy. Maybe it's due to the fact that their Dutch is terrible.

To unlock your browser, you need to pay €100. You can use any of these payment methods:

Payment methods by Browlock

It seems quite a lot of Browlock (and, in the past, other ransomware) is hosted on this IP:
146.185.235.7 - IPvoid Result - VirusTotal information

WhoIs data:

WhoIs data, most probably fake

It seems the abuse address is: noc@webhosting-area.net
Somehow I doubt we will get a reply when sending to that address...




Prevention

  • First and foremost in these cases, install an extension that blocks (malicious) ads!
    I suggest using Adblock Plus, which is compatible with most modern browsers.
  • An additional layer of protection in your browser (and a must nowadays) is NoScript (Firefox), ScriptSafe (Chrome) or NotScripts (Opera), which prevent malicious JavaScript from loading automatically.



Disinfection

First things first: do not ever pay! Not for Browlock, nor for other ransomware types.

Luckily, Browlock is very easy to counter: simply close your browser by killing the browser's process.

When you encounter Browlock, open Task Manager by pressing CTRL + SHIFT + ESC on your keyboard, or by pressing CTRL + ALT + DEL and then choosing to open Task Manager:

Start Task Manager


After Task Manager is opened, go to the "Processes" tab and kill your browser's process:

Internet Explorer - iexplore.exe
Google Chrome - chrome.exe
Mozilla Firefox - firefox.exe
Opera Software - opera.exe




Conclusion

Have you encountered Browlock? The first thing to do is not to panic, as you can easily remediate it.

Secondly, follow the prevention tips above to avoid Browlock.

Thirdly, if you encounter ransomware - Browlock or not: do not pay, ever! You will not get your money back and chances are you will still have the malware on your machine.

Lastly, as usual: keep your operating system, antivirus and browser up to date.