By Derek Leung
In recent years, ransomware has grown into a significant threat to organizations and individuals alike. Ransomware has evolved in the way it works and the way it is distributed to more efficiently achieve its goal of coercing victims to pay a ransom. Recently, ransomware attackers have made the switch to browser-based methods. This allows attackers to achieve the same goal without the effort involved in writing malicious encryption software for multiple operating systems.
The recent shift to browser-based ransomware reduces the technical effort required for ransomware attacks by reducing or eliminating the need to implement malicious encryption software.
Ransomware is a form of malware which aims to coerce victims into paying a ransom. It achieves this goal by first encrypting data on the victim’s machine, then using psychological scare tactics to social engineer the victim into paying a ransom to get their data back. Common scare tactics include spoofing a government entity and making claims of finding child pornography and illegally downloaded files on the victim’s computer (Why Ransomware Works).
In order to simulate the most commonly used system configurations, VMWare Fusion 8 virtual machines were set up running the following:
- Windows 10
  - Mozilla Firefox (version 53.0 32-bit)
  - Google Chrome (version 58.0.3029.81)
  - Microsoft Internet Explorer (version 11.1066.14393.0)
- Mac OS X “Sierra”
  - Apple Safari (version 10.0.2 (12602.3.12.0.1))
  - Mozilla Firefox (version 53.0 64-bit)
  - Google Chrome (version 0.2987.133 64-bit)
A static analysis of a ransomware sample (Browlock SHA256: 69c19665dfc016c1bf702e2199582bf3d4080ef544a13352d2bdc15ba51e1d16) was performed to determine the expected behavior of the sample. Afterward, a dynamic analysis of the sample was performed on the above configurations to determine the actual runtime behavior of the sample on the most common configurations.
Only 12 of the 56 antivirus engines on VirusTotal detected Browlock. The few that do recognize it categorize it as ransomware, HTML, or script, which is fairly accurate.
The first scan of this file on VirusTotal occurred on January 23rd, 2015, but there is no timestamp to indicate when the file may have been created. Since the file has no .js extension (probably on purpose), it’s recognized as an HTML file.
Here we can see that a stylesheet is included, also from a directory called “us”. A safe assumption is that “us” stands for United States. While this particular sample has the included sources hard coded, it hints that there are other directories containing stylesheets for other countries. This is likely used to determine which country’s government entities to spoof in order to appear legitimate (i.e., a user in Japan probably wouldn’t be fooled by a notice from the FBI).
The next code block of interest is where this sample suppresses the default browser actions of certain key combinations. It disables the events for the following keys (keyCode in parentheses):
- F6 (117) – CTRL+F6 focuses on the address bar
- U (85) – CTRL+U views the source code
- Numpad 3 (99) – ???
- C (67) – CTRL+C copies selection
- Numpad 1 (97) – ???
- A (65) – CTRL+A selects all
The next block of code makes the title of the webpage blink every second.
In the body of the document, there are 400 identical iframes. This is probably so that if the user tries to close the page, it will seem as though it won’t close, further making it appear that the computer or browser is locked. From the src attribute we see a “step=1” parameter, and we see the country code again.
Then there’s the main message of the page, which accuses the victim of violating laws and threatens legal action. It also claims that the victim’s computer has been locked and requests $450 in the form of a MoneyPak voucher to prevent legal action and to get access to their computer back.
It looks like the attackers also use the threat of knowing the victim’s location to try to scare the victim. In this sample, it looks like it’s just hard coded.
The next code block of interest is the form which accepts the MoneyPak voucher code. Inside the form is a <div> that seems to be a keypad for entering the MoneyPak voucher code(s). On this <div>’s onchange and onkeyup events, the digit() function is called with the input passed in as a parameter. The form calls the function check() when it’s submitted, with the action being the following URL: http://t46b47.com/processing.php?step=1. The submit button has a value of “STOP ARREST NOW”, which is likely another scare tactic to rush the victim into paying the ransom in fear of legal consequences before they have time to think it through.
Diving into the functions that are called by the form, digit() just sanitizes the input by removing anything that isn’t a digit (0-9).
The check() function is quite lengthy. It loops through all the inputs to do some validation. First, it checks whether the input consists only of numbers. If so, it adds the input to an array called vouchers. Otherwise, it sets the result boolean to false.
Then, it checks if the code is unique. If it isn’t, an alert is generated with the following message, “YOUR PAYMENT INFORMATION IS NOT CORRECT. ALL PC DATA WILL BE DETAINED AND CRIMINAL PROCEDURES WILL BE INITIATED AGAINST YOU IF THE FINE WILL NOT BE PAID.”
It then checks to make sure that there are 14 vouchers in total. Otherwise, the result boolean is changed to false and the following alert is generated, “YOU MUST ENTER DIFFERENT CODES! ALL PC DATA WILL BE DETAINED AND CRIMINAL PROCEDURES WILL BE INITIATED AGAINST YOU IF THE FINE WILL NOT BE PAID.”
If any of the validation checks failed, the following alert is generated, “YOUR PAYMENT INFORMATION IS NOT CORRECT ALL PC DATA WILL BE DETAINED AND CRIMINAL PROCEDURES WILL BE INITIATED AGAINST YOU IF THE FINE WILL NOT BE PAID.”
If all of the checks pass, it calls showImg(), which just shows a loading image, then removes all 400 of the <iframe>s. There is no code that actually verifies that the voucher code is a valid MoneyPak code with enough money on it.
Additionally, there is a footer which states that the browser will be unblocked within 3-12 hours of the money being put into the state’s account. There is no code in the file that actually handles any of this.
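The static analysis above surfaces several traits a defender can look for in a page before it is ever rendered: a flood of identical iframes, keydown suppression for the keyCodes listed earlier, a title-blinking timer, a beforeunload nag and coercive MoneyPak wording. The following is an added example, not code from the original post or from the sample, of a heuristic scanner over raw HTML that scores those indicators; the HTML it runs on is a constructed stand-in that mimics the structure described, not the real Browlock file.

```javascript
// Added example: heuristic browser-locker indicator scan over raw HTML (Node.js).
// keyCodes taken from the list in the analysis above: F6, U, Numpad 3, C, Numpad 1, A.
const SUPPRESSED_KEYCODES = [117, 85, 99, 67, 97, 65];

function scanBrowlockIndicators(html) {
  const findings = [];

  // Indicator 1: hundreds of iframes used to fake a "locked" window.
  const iframeCount = (html.match(/<iframe\b/gi) || []).length;
  if (iframeCount >= 50) findings.push(`iframe flood (${iframeCount} iframes)`);

  // Indicator 2: keyCode comparisons paired with a default-action override.
  const seen = [...html.matchAll(/keyCode\s*={2,3}\s*(\d+)/g)].map(m => Number(m[1]));
  const hits = SUPPRESSED_KEYCODES.filter(k => seen.includes(k));
  if (hits.length >= 3 && /preventDefault|return\s+false/.test(html))
    findings.push(`keyboard suppression for keyCodes ${hits.join(',')}`);

  // Indicator 3: a timer that rewrites document.title (the blinking title).
  if (/setInterval[\s\S]{0,200}document\.title/.test(html)) findings.push('blinking title');

  // Indicator 4: beforeunload handler that nags when the tab is closed.
  if (/onbeforeunload/.test(html)) findings.push('beforeunload nag');

  // Indicator 5: coercive payment wording quoted in the analysis.
  for (const p of ['MoneyPak', 'STOP ARREST NOW', 'ALL PC DATA WILL BE DETAINED'])
    if (html.includes(p)) findings.push(`coercive text: "${p}"`);

  return findings;
}

// Three or more independent indicators is treated as a likely browser locker.
function isLikelyBrowlocker(html) {
  return scanBrowlockIndicators(html).length >= 3;
}

// Constructed sample page (not the real Browlock file) showing the same structure.
const SAMPLE_HTML = `<html><head><title>WARNING</title><script>
document.onkeydown = function(e){
  if(e.keyCode==117||e.keyCode==85||e.keyCode==99||e.keyCode==67||e.keyCode==97||e.keyCode==65){
    e.preventDefault(); return false; } };
setInterval(function(){ document.title = document.title=='WARNING' ? ' ' : 'WARNING'; }, 1000);
window.onbeforeunload = function(){ return 'Leave page?'; };
</script></head><body>
${'<iframe src="about:blank"></iframe>\n'.repeat(400)}
<p>Pay a $450 fine with a MoneyPak voucher.</p>
<input type="submit" value="STOP ARREST NOW"></body></html>`;

const BENIGN_HTML = '<html><body><p>Quarterly report</p><iframe src="/chart"></iframe></body></html>';
```

Running `scanBrowlockIndicators(SAMPLE_HTML)` returns six findings for the constructed page and none for the benign page, so the scoring threshold is what keeps a single iframe or a lone beforeunload handler from tripping the classifier.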
The resource files were not included in the sample of Browlock I found, so none of the CSS or images loaded while running the sample in any of the browsers. It also doesn’t properly prevent the user from closing the tab or browser.
Mozilla Firefox (version 53.0 32bit)
The iframes just render as empty rectangles on the page.
Scrolling to the bottom of the page shows the messages we found in the static analysis.
When trying to close the tab, an alert opens asking if the user wants to leave the page. Clicking “Leave Page” successfully closes the tab.
Google Chrome (version 58.0.3029.81)
Google Chrome has the same behavior as Mozilla Firefox.
Microsoft Internet Explorer (version 11.1066.14393.0)
Internet Explorer doesn’t even parse the file and just displays it as plain text.
The Mac browsers had the same behavior as Chrome and Firefox on Windows 10.
After analyzing the code statically, we can make some conclusions. First, there is no code that actually locks the browser or encrypts any data whatsoever. Next, it doesn’t even truly validate the codes entered for payment to see if they’re valid MoneyPak codes, or if they’re even the correct amount. Finally, the threats made toward the victim are hardcoded. There is no legal action that is going to be taken against the victim because it’s a scam.
For the dynamic analysis, the fact that the attack crumbles when the images and CSS files are missing confirms the conclusion from the static analysis that the attack is purely psychological, and that no actual data encryption is going on.
My recommendation is to stay vigilant and make sure you know where a link is taking you before clicking on it. If you ever encounter an attack like this, take a moment to think rationally before falling victim to the scam.
Pornasdoro, A. (2014, December 17). Your Browser is (not) Locked. Retrieved February 13, 2017, from https://blogs.technet.microsoft.com/mmpc/2014/12/17/your-browser-is-not-locked/
Why Ransomware Works: The Psychology and Methods Used to Distribute, Infect, and Extort. (2016, June 16). Retrieved February 13, 2017, from https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/why-ransomware-works-psychology-and-methods-to-distribute-infect-and-extort