An Analysis of Modern Browser-based Ransomware

By Derek Leung

Introduction

In recent years, ransomware has grown into a significant threat to organizations and individuals alike. Ransomware has evolved in the way it works and the way it is distributed to more efficiently achieve its goal of coercing victims to pay a ransom. Recently, ransomware attackers have made the switch to browser-based methods. This allows attackers to achieve the same goal without the effort involved in writing malicious encryption software for multiple operating systems.

This blog will explore the methods used in purely browser-based ransomware attacks. This method of attack is less technical than traditional ransomware and relies on social engineering combined with simple JavaScript browser trickery rather than implementing and distributing malicious code. In addition, an analysis of a recent sample of browser-based ransomware will be provided. Finally, the blog will try to provide some options for defending against browser-based ransomware attacks.

Hypothesis

The recent shift to browser-based ransomware reduces the technical effort required for ransomware attacks by reducing or eliminating the need to implement malicious encryption software.

Background

Ransomware is a form of malware which aims to coerce victims into paying a ransom. It achieves this goal by first encrypting data on the victim’s machine, then using psychological scare tactics to social engineer the victim into paying a ransom to get their data back. Common scare tactics include spoofing a government entity and making claims of finding child pornography and illegally downloaded files on the victim’s computer (Why Ransomware Works).

Recently, ransomware attacks have shifted to browser-based infection methods using JavaScript. Some ransomware examples have skipped the system infection and data encryption entirely, and relied solely on JavaScript trickery and scare tactics in the browser to make the victim panic and pay a ransom before they realize the attack never actually encrypted any data (Pornasdoro). This is achieved by opening hundreds of copies of the same page with alerts, and disabling actions like right-clicking with JavaScript to make it seem like the browser or computer has been locked.

Methodology

In order to simulate the most commonly used system configurations, VMWare Fusion 8 virtual machines were set up running the following:

  • Windows 10
    • Mozilla Firefox (version 53.0 32-bit)
    • Google Chrome (version 58.0.3029.81)
    • Microsoft Internet Explorer (version 11.1066.14393.0)
  • Mac OS X “Sierra”
    • Apple Safari (version 10.0.2 (12602.3.12.0.1))
    • Mozilla Firefox (version 53.0 64-bit)
    • Google Chrome (version 0.2987.133 64-bit)

A static analysis of a ransomware sample (Browlock SHA256: 69c19665dfc016c1bf702e2199582bf3d4080ef544a13352d2bdc15ba51e1d16) was performed to determine the expected behavior of the sample. Afterward, a dynamic analysis of the sample was performed on the above configurations to determine the actual runtime behavior of the sample on the most common configurations.

Results

Static Analysis

Virustotal

[Figure 1]

[Figure 2]

Only 12 of 56 antivirus engines on VirusTotal detected Browlock. The few that do recognize it categorize it as ransomware, HTML, script, etc., which is fairly accurate.

[Figure 3]

The first scan of this file on VirusTotal occurred on January 23rd, 2015, but there is no timestamp to indicate when the file may have been created. Since the file has no .js extension (probably on purpose), it’s recognized as an HTML file.

Code Walkthrough

[Figure 4]

We can see at first glance that this file represents a webpage with the title “YOUR BROWSER HAS BEEN LOCKED”, with the JavaScript embedded in <script> tags. We can also see that jQuery, a ubiquitous JavaScript library, is included from the directory “us”.

[Figure 5]

Here we can see that a stylesheet is also included from a directory called “us”. A safe assumption is that “us” stands for United States. While this particular sample has the included sources hard coded, it hints that there are other directories containing stylesheets for other countries. This is likely used to determine which country’s government entities to spoof in order to appear legitimate (e.g. a user in Japan probably wouldn’t be fooled by a notice from the FBI).

[Figure 6]

The first actual JavaScript code that we see is a window onbeforeunload event handler (onbeforeunload documentation). This handler runs just before the document is unloaded, and here it is used to display an alert with the message “YOUR BROWSER HAS BEEN LOCKED. ALL PC DATA WILL BE DETAINED AND CRIMINAL PROCEDURES WILL BE INITIATED AGAINST YOU IF THE FINE WILL NOT BE PAID” if the user tries to close the web page. Current versions of the major browsers ignore handler-supplied text in beforeunload and show their own generic “leave this page?” confirmation instead, so the exact wording is rarely seen by the victim. We will see if this sample actually “detains” PC data, or if it’s just a psychological threat used to scare the victim.

[Figure 7]

[Figure 8]

The next code block of interest is where this sample suppresses the default browser actions for certain key combinations. It disables the default actions for the following keys:

  • F6 (117) – CTRL+F6 focuses the address bar
  • U (85) – CTRL+U views the page source
  • Numpad 3 (99) – ???
  • C (67) – CTRL+C copies the selection
  • Numpad 1 (97) – ???
  • A (65) – CTRL+A selects all

It looks like the intention here is to make it seem like the computer has been locked by disabling common keyboard shortcuts (see keycodes, keyboard shortcuts).

[Figure 9]

The next block of code makes the title of the webpage blink every second.

[Figure 10]

In the body of the document, there are 400 identical iframes. This is probably so that if the user tries to close the page, it will seem like it won’t close, further making it seem like the computer or browser is locked. From the src attribute we see a “step=1” parameter, and we see the country code again.

[Figure 11]

Then there’s the main message of the page, which accuses the victim of violating laws and threatens legal action. It also claims that the victim’s computer has been locked and demands $450 in the form of a MoneyPak voucher to prevent legal action and to get access to the computer back.

[Figure 12]

It looks like the attackers also use the threat of knowing the victim’s location to try to scare the victim. In this sample, it looks like it’s just hard coded.

[Figure 13]

The next code block of interest is the form which accepts the MoneyPak voucher code. Inside the form is a <div> that seems to be a keypad for entering the MoneyPak voucher code(s). Whenever this <div> changes, or on its onkeyup event, the digit() function is called with the input as a parameter. The form calls the function check() when it’s submitted, with the action being the following URL: http://t46b47.com/processing.php?step=1. The submit button has a value of “STOP ARREST NOW”, which is likely another scare tactic to rush the victim into paying the ransom out of fear of legal consequences before they have time to think it through.

[Figure 14]

Diving into the functions that are called by the form, digit() just sanitizes the input by removing anything that isn’t a digit (0-9).

[Figure 15]

The check() function is quite lengthy. It loops through all the inputs to validate them. First, it checks whether the input consists only of digits. If it does, it adds the input to an array called vouchers; otherwise, it sets the result boolean to false.

[Figure 16]

Then, it checks if each code is unique. If it isn’t, an alert is generated with the following message: “YOUR PAYMENT INFORMATION IS NOT CORRECT. ALL PC DATA WILL BE DETAINED AND CRIMINAL PROCEDURES WILL BE INITIATED AGAINST YOU IF THE FINE WILL NOT BE PAID.”

It then checks that 14 vouchers in total were entered. Otherwise the result boolean is changed to false and the following alert is generated: “YOU MUST ENTER DIFFERENT CODES! ALL PC DATA WILL BE DETAINED AND CRIMINAL PROCEDURES WILL BE INITIATED AGAINST YOU IF THE FINE WILL NOT BE PAID.”

[Figure 17]

If any of the validation checks failed, the following alert is generated: “YOUR PAYMENT INFORMATION IS NOT CORRECT ALL PC DATA WILL BE DETAINED AND CRIMINAL PROCEDURES WILL BE INITIATED AGAINST YOU IF THE FINE WILL NOT BE PAID.”

If all of the checks pass, it calls showImg(), which just shows a loading image, then removes all 400 <iframe> elements. There is no code that actually verifies that the voucher code is a valid MoneyPak code with enough money on it.

Additionally, there is a footer which states that the browser will be unblocked within 3-12 hours of the money being put into the state’s account. There is no code in the file that actually handles any of this.
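The static walkthrough above, together with the hash given under Methodology and the observation that the sample has no extension yet is typed as HTML, suggests a small offline triage script that a defender can run over a suspicious file before opening it in any browser. The following is an added example written for this post; it is not code from the Browlock sample, from the author, or from any vendor tool. It hashes a file against the SHA256 stated in the Methodology section, sniffs whether the bytes are HTML, and then scores the locker traits the walkthrough describes: a “LOCKED” title, an onbeforeunload handler that calls alert(), keyCode interception for the listed keys, a blinking title driven by setInterval, hundreds of identical iframes, and a form posting to processing.php. The embedded SAMPLE_HTML and BENIGN_HTML pages are constructed stand-ins with placeholder URLs, not the real sample; the indicator names and the score threshold are this example’s own choices.

```python
"""Offline triage of a suspected browser-locker HTML file (added example, not the post's code)."""
import hashlib
import re
from collections import Counter

# SHA256 of the analysed sample, as stated in the post's Methodology section.
KNOWN_BROWLOCK_SHA256 = "69c19665dfc016c1bf702e2199582bf3d4080ef544a13352d2bdc15ba51e1d16"

# keyCode -> key name, for the codes the walkthrough lists.
LOCKER_KEYCODES = {117: "F6", 85: "U", 99: "Numpad 3", 67: "C", 97: "Numpad 1", 65: "A"}

# Constructed stand-in page with the structure the walkthrough describes.
# It is NOT the real sample; URLs are placeholders.
SAMPLE_HTML = (
    "<html><head><title>YOUR BROWSER HAS BEEN LOCKED</title>\n"
    '<script src="us/jquery.js"></script>\n'
    "<script>\n"
    'window.onbeforeunload = function () { alert("YOUR BROWSER HAS BEEN LOCKED"); };\n'
    "document.onkeydown = function (e) {\n"
    "  if (e.keyCode == 117 || e.keyCode == 85 || e.keyCode == 67 || e.keyCode == 65) return false;\n"
    "};\n"
    'setInterval(function () { document.title = document.title ? "" : "LOCKED"; }, 1000);\n'
    "</script></head><body>\n"
    + '<iframe src="http://placeholder.invalid/?step=1&c=us"></iframe>\n' * 400
    + '<form action="http://placeholder.invalid/processing.php?step=1" onsubmit="return check()">\n'
    '<input name="v1" onkeyup="digit(this)"><input type="submit" value="STOP ARREST NOW">\n'
    "</form></body></html>\n"
)

# Constructed benign control page: one iframe and nothing else of interest.
BENIGN_HTML = '<html><head><title>Weather</title></head><body><iframe src="/map"></iframe></body></html>'


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    """True if the bytes hash to the Browlock sample analysed in the post."""
    return sha256_hex(data) == KNOWN_BROWLOCK_SHA256


def looks_like_html(data: bytes) -> bool:
    """Content sniff: the sample carries no extension, yet VirusTotal typed it as HTML."""
    head = data.lstrip()[:512].lower()
    return head.startswith(b"<!doctype html") or head.startswith(b"<html") or b"<script" in head


def extract_indicators(html: str) -> dict:
    """Pull out the locker traits described in the static walkthrough."""
    iframe_srcs = re.findall(r'<iframe\b[^>]*\bsrc=["\']([^"\']+)["\']', html, re.I)
    keycodes = {int(k) for k in re.findall(r"keyCode\s*===?\s*(\d+)", html)}
    return {
        "locked_title": bool(re.search(r"<title>[^<]*LOCKED[^<]*</title>", html, re.I)),
        "beforeunload_alert": bool(re.search(r"onbeforeunload[\s\S]{0,300}?\balert\s*\(", html, re.I)),
        "intercepted_keys": sorted(LOCKER_KEYCODES[k] for k in keycodes if k in LOCKER_KEYCODES),
        "title_blink": bool(re.search(r"setInterval[\s\S]{0,300}?document\.title", html)),
        "iframe_count": len(iframe_srcs),
        "max_identical_iframes": max(Counter(iframe_srcs).values(), default=0),
        "payment_form": bool(re.search(r"<form\b[^>]*\baction=[\"'][^\"']*processing\.php", html, re.I)),
    }


def score(ind: dict) -> int:
    """Weighted indicator count; iframe flooding weighs most because it is the fake 'lock'."""
    s = int(ind["locked_title"]) + int(ind["beforeunload_alert"]) + int(bool(ind["intercepted_keys"]))
    s += int(ind["title_blink"]) + int(ind["payment_form"])
    if ind["max_identical_iframes"] >= 20:
        s += 2
    return s


def classify(html: str) -> str:
    """Threshold of 4 is this example's own choice, not a vendor rule."""
    return "browser locker (scareware)" if score(extract_indicators(html)) >= 4 else "no locker indicators"


if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(name, classify(page), extract_indicators(page))
    print("is HTML:", looks_like_html(SAMPLE_HTML.encode()))
    print("matches known Browlock hash:", is_known_sample(SAMPLE_HTML.encode()))
```

The scoring is deliberately additive rather than keyed on any single string: the dynamic analysis below shows that resource files and wording vary between kits, while the structural traits (hundreds of identical iframes, key interception, a beforeunload alert) are what make the page feel “locked” and are harder to vary without losing the effect. To triage a real file, read it as bytes, call is_known_sample() and looks_like_html() first, and only then decode and pass it to classify().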

Dynamic Analysis

The resource files were not included in the sample of Browlock I found, so none of the CSS or images loaded while running the sample in any browser. It also doesn’t properly prevent the user from closing the tab or browser.

Windows 10

Mozilla Firefox (version 53.0 32bit)

[Figure 18]

The iframes just render as rectangles on the page.

[Figure 19]

[Figure 20]

Scrolling to the bottom of the page shows the messages we found in the static analysis.

[Figure 21]

When trying to close the tab, an alert opens asking if the user wants to leave the page. Clicking “Leave Page” successfully closes the tab.


Google Chrome (version 58.0.3029.81)

[Figure 22]

[Figure 23]

Google Chrome has the same behavior as Mozilla Firefox.

Microsoft Internet Explorer (version 11.1066.14393.0)

[Figure 24]

Internet Explorer doesn’t even parse the file as HTML; it just displays it as plain text.

The Mac browsers had the same behavior as Chrome and Firefox on Windows 10.

Conclusion

After analyzing the code statically, we can draw some conclusions. First, there is no code that actually locks the browser or encrypts any data whatsoever. Next, it doesn’t even truly validate the codes entered for payment to see if they’re valid MoneyPak codes, or if they’re for the correct amount. Finally, the threats made toward the victim are hard coded. No legal action is going to be taken against the victim, because it’s a scam.

For the dynamic analysis, the fact that the attack crumbles when the images and CSS files are missing confirms the conclusion from the static analysis that the attack is purely psychological and that there is no actual data encryption going on.

From this information, it is possible to defeat this ransomware sample by simply killing the browser process, since it’s just JavaScript running in the browser. This is a scam: it just takes the codes entered and probably uses them, via the action URL on the form, to redeem the vouchers. If any of the codes are valid, it takes the money; otherwise, nothing happens. Either way, the computer isn’t locked, and it isn’t going to be unlocked regardless of whether the victim pays with valid vouchers or doesn’t pay at all.

My recommendation is to stay vigilant and make sure you know where a link is taking you before clicking on it. If you ever encounter an attack like this, take a moment to think rationally before falling victim to the scam.


Sources

Pornasdoro, A. (2014, December 17). Your Browser is (not) Locked. Retrieved February 13, 2017, from https://blogs.technet.microsoft.com/mmpc/2014/12/17/your-browser-is-not-locked/


Why Ransomware Works: The Psychology and Methods Used to Distribute, Infect, and Extort. (2016, June 16). Retrieved February 13, 2017, from https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/why-ransomware-works-psychology-and-methods-to-distribute-infect-and-extort
