Browser Ransomware tricks revealed

Jan Širmer 11 Dec 2013

Browser Ransomware tricks revealed

It's not surprising that scared people are the most vulnerable to attacker's traps, and there is no reason to think it will work differently with computer users. Using this psychology, cybercrooks show an unaware victim an alert page claiming to have found that banned pornography was viewed or stored on their computer. The message goes on to say their computer is blocked, all their data is encrypted, and they will be sent to court in 48 hours unless they pay a fine. This is basically how 'Ransomware' works - scare tactics with a convenient way to buy yourself out of the predicament at the end.

Ransomware page

When we look closer at the scam, we find that the Ransomware is focused only on the victim's browser and fortunately, not as they claim, on the data stored inside the victim's computer. Here are several points that work together to scare the victim:

  • The headline of the webpage: "FBI. ATTENTION! Your browser has been blocked...". This is the part of the attack that tries to scare visitors as much as possible.
  • The name of the page, "", tries to convince visitors they are on a legitimate website which belongs to the government.
  • A countdown timer starts on 48 hours and counts down the time before "legal steps" starts.

These points try to rush panicked victims into paying the requested money as soon as possible without time to think. But it's better to take a deep breath before reacting. You know you didn't watch the movies mentioned on the page, and of course, you didn't store illegal files. Do you really think that upon identifying a child pornographer, that the government will tell them to pay a small amount of money as a fine and let them go?

Ransomware's tricks revealed

When the victim visits a Ransomware site, 100 copies of the page named close.htm, are opened. These URLs are used to prevent the victim from closing the webpage or browser. It's effective because it works to convince victims that their browser and data are really locked and encrypted.

Fidler close

Other parts of the code disallow visitors to use the right click mouse button on the page, save the page, open the Source code of the page etc. All these small pieces work together for only for one purpose; to scare the unaware victim into paying the requested amount of money as soon as possible before they start thinking about the whole scenario.


How Ransomware behaves in in different browsers

In our analysis of Ransomware behavior in different browsers, we used the latest version of the browser and a version at least a year older to see what changed and how these browsers are vulnerable against this kind of attack. For testing purposes we choose Internet Explorer, Google Chrome, Mozilla Firefox, Opera, and Safari.

Internet explorer 11.0 and Internet Explorer 8.0

This Ransomeware attack works fully in both versions of IE; countdown timer is working, vouchers validator works correctly and it attempts to keep the victim from leaving the site.

Ransomware pageWhen the victim tries to leave the page, an alert message appears:

IE alertFortunately there are several methods to get out of this page. One works globally for every browser affected by this attack. Open Task Manager and kill the running browser process. The second way is less sophisticated, but effective. :) Remember the 100 copies of the page named close.htm? Just click 100 times on OK to kill all open instances of this page.

Safari (5.1.7.) and Mozilla Firefox ( 15.0 and 25.0)

The Safari and Firefox browsers have the same results.Safari modifyFF modify

Google Chrome (31.0.)

Ransomware doesn't work so well on the rest of browsers. When the victim visits a site on Chrome, everything seems similar; the countdown is running, the shortcuts and right mouse button are disallowed, the vouchers validator works, and when the victim tries to leave this page an alert message appears. But when the victim clicks to leave the page, the page is closed without any problem. In this way, Google Chrome helps their customers avoid being scammed.

Chrome modify

Opera version 10.0

In Opera, the Ransomware page doesn't work correctly; the counter is not running, the vouchers validator is not running, and no alert message appears when the victim tries to leave this page. When we tried to upgrade to newer versions (12.00 and 12.16) we found some changes. The counter works correctly, the validator stars working, included Javascript disallows use shortcuts and the right mouse button, and the alert message appears when the victim tries to leave this page. When the victim clicks on 'leave page' the page is closed without any problem.

Opera modify

Avast! Antivirus users are protected from visiting this Ransomware site, but every computer user can be affected by the brand new criminal tactics. In that case only common sense can help protect their data, money, and computers.

Avast's detections

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.

Related articles

--> -->