Browlock is (unfortunately) nothing new. It's a simple webpage that "locks" your browser and demands a certain amount (usually $/£/€ 100) to unlock it. You cannot exit out of the browser.
Browlock typically gets delivered via malvertising (which is the user clicking on a malicious ad). Read more about Browlock here:
Browlock Ransomware Malvertising Campaign
Anyways, it seems they're now also stepping up their game for Belgian (or Dutch-speaking) victims, as I recently stumbled upon the following:
Browser blocked by Browlock |
If we check the source of this webpage, we see the following iframe:
This suggests they're testing the waters in regards to Belgian users.
I have listed the most important points below, written in the most awful Dutch I have ever seen (Google Translate is clearly not the best translator out there for some languages):
U zijn onderworpen aan schending van de auteursrecht en de naburige rechten (Video, Muziek en Software) en onrechtmatig gebruik oftewel verspreid auteursrechtelijk beschermde content
U hebt bekeken of verspreiden verboden pornografische content
Onrechtmatige toegang is gestart vanaf uw computer zonder uw medeweten of toestemming, Uw PC kan besmet raken met malware
Om uw computer te ontgrendelen en naar andere juridische gevolgen te voorkomen, bent u verplicht om een release vergoeding van 100 EUR-te betalen via PAYSAFECARD (u moet aankopen PAYSAFECARD kaart, opwaarderen van 100 EUR en voer de code). U kunt aankopen de code in elke winkel of tankstation. PAYSAFECARD is beschikbaar in de winkels in het land.
When trying to exit the page:
Message in Internet Explorer. Oops :-) |
In Firefox, I got no weird characters in the messagebox, but as indicated in the screenshot above - Internet Explorer wasn't exactly happy. Maybe it's due to the fact that their Dutch is terrible.
To unlock your browser, you need to pay €100. You can use any of these payment methods:
Payment methods by Browlock |
Seems like quite a lot of Browlock (and in the past other ransomware) is hosted on this IP:
146.185.235.7 - IPvoid Result - VirusTotal information
WhoIs data:
WhoIs data, most probably fake |
It seems the abuse address is: noc@webhosting-area.net
Somehow I doubt we will get a reply when sending to that address...
Prevention
- First and foremost in these cases, install an extension that blocks (malicious) ads!
I suggest using Adblock Plus, compatible with most modern browsers. - An additional layer of protection in your browser (and a must nowadays) is NoScript (Firefox), ScriptSafe (Chrome) or NotScripts (Opera) to prevent automatic loading of malicious Javascripts.
Disinfection
First things first: do not ever pay! Not for Browlock, nor for other ransomware types.
Luckily, Browlock is very easy to counter: simply close your browser by killing the browser's process.
When you encounter Browlock, open up Task Manager by pressing on your keyboard on:
CTRL + SHIFT + ESC, or pressing CTRL + ALT + DEL, then choosing to open Task Manager:
Start Task Manager |
After Task Manager is opened, go to the "Processes" tab and kill your browser's process:
Internet Explorer - iexplore.exe
Google Chrome - chrome.exe
Mozilla Firefox - firefox.exe
Opera Software - opera.exe
Conclusion
Have you encountered Browlock? First thing to do is not panic - as you can easily remediate it.
Secondly, follow the prevention tips above to avoid Browlock.
Thirdly, if you encounter ransomware - Browlock or not: do not pay, ever! You will not get your money back and chances are you will still have the malware on your machine.
Lastly, as usual; keep your operating system, antivirus and browser up-to-date.
When a ransomware infect your pc, you need shut down the pc, so some variants of this malware encripting your files, the only way to stopping the encription process is shut down the pc, then with a live cd or similar you can obtain the file infected.
ReplyDeleteGood post Bart!!!!
Good point Txerra! With encrypting ransomware - and if you're fast enough- you can indeed shut down the machine so most of your files will be saved.
DeleteThis is of course when you notice the encryption/ransomware is actually locking your files. Otherwise, you'll need to use PhotoRec for example to restore files (or have a good back-up)
Cheers!