
New strain of ransomware evades detection by AV apps

Learn about a new type of ransomware that has the potential to snare many victims - and it's not even malware.

Since you’re here at TechRepublic’s website, I’m betting you are familiar with ransomware and how to avoid being conned by it. The trouble is there are millions of people who aren’t. That alone ensures ransomware will continue to relieve people of their hard-earned money. To make matters worse, there’s a new version winding its way through the Internet. And those in the know predict what’s being called HTML ransomware will be more successful than previous versions.

HTML ransomware

I first learned about HTML ransomware from Jerome Segura, Senior Security Researcher at Malwarebytes, and his blog post, "FBI Ransomware Now Targeting Apple’s Mac OS X Users." Initially, I was suspicious; OS X is not vulnerable in the same way Windows operating systems are, so what’s up?

As I continued reading, I learned the only requirements for HTML ransomware to work are that JavaScript is enabled and that the victim’s web browser has a “Recover browser session after a crash” feature, which is part and parcel of all major web browsers, including Chrome, Firefox, Internet Explorer, and Safari.

Here’s what HTML ransomware has going for it:

  • Does not require installation.

  • Disabling JavaScript breaks many popular websites, so people aren’t willing to turn it off, something the bad guys are counting on.

  • AV applications, even with current malware signature sets, are of no use against HTML ransomware.

How it works

One way the scam starts is when an unlucky person selects a search result with a falsified link. Instead of the expected web page being presented, the victim’s web browser loads something similar to the following slide (courtesy of Jerome Segura and Malwarebytes).

[Image: Ransomware1.jpg, the fake FBI warning screen shown to the victim]

Again, you aren’t fooled, but perhaps less computer-savvy friends and relatives might be.

While the victim is coming to grips with the above screen, the page’s JavaScript is loading copies of the same screen (typically 150) into the browser as iFrames. That 150-iFrame loop is what gives the impression the computer is locked up. Ironically, if the victim is determined, leaving the web page and revisiting it 150 times will remove the problem.

I doubt I’d even consider reloading the web browser that many times; my inclination would be to reboot the computer. But that doesn’t help either, because HTML ransomware taps into the “Recover browser session after a crash” feature I mentioned earlier, bringing the same FBI screen back up.

It’s not malware

Something else that makes HTML ransomware unique: by most definitions, it’s not malware. It is a snippet of JavaScript code readily available on the Internet that digital extortionists use to fool victims by controlling what is visible in the browser window. No other computer function is affected, at least as of this writing, but Jerome mentioned the potential is there, especially for Windows-based computers.

Not being malware is exactly why HTML ransomware is such a good deal for the bad guys: it’s simple to set up, easy to move to different domain names, and there is no need to get code installed on victims’ computers. To see whether the bad guys agree, I asked Jerome how many instances of HTML ransomware he has seen.

“This ransomware is quite active; bad guys are registering new domain names several times per day. While it is not malicious (as opposed to ransomware that infects your PC), it’s still scaring people.”

How to tell if it’s HTML ransomware

Web browsers lock up for all sorts of reasons, so I asked Jerome how we would know for sure if HTML ransomware caused the lockup:

“The browser being locked may not be ransomware in all cases. I can think of many sites that use annoying JavaScripts to keep the user on the page (pop-ups that ask ‘are you sure you want to leave this page?’). HTML ransomware is characterized by the following:

  • Warning from the police

  • Fee to be paid using a voucher

  • Computer or browser locked

“If those three elements are in place, it’s HTML ransomware.”
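As an added illustration of those three indicators, here is a small JavaScript heuristic that scores a description of a page against them, together with the self-loading iFrame count described under “How it works.” This is example code written for this page, not code from the article or from Malwarebytes, and the page objects, keyword lists and the assessLockPage function are all assumptions constructed for the example.

```javascript
// Added example, not code from the article or from Malwarebytes: a heuristic
// that checks a page against the three indicators Segura lists (police
// warning, voucher fee, "locked" claim) plus the structural signal from
// "How it works": a page that loads many iFrames of itself.
// Everything here (page objects, keyword lists, function names) is assumed.

const INDICATORS = {
  policeWarning: /\b(fbi|police|homeland security|department of justice|cyber ?crime)\b/i,
  voucherFee: /\b(moneypak|ukash|paysafecard|voucher|prepaid card)\b/i,
  lockedClaim: /\b(computer|browser|pc)\b[^.]{0,40}\b(locked|blocked)\b/i,
};

// True when the iFrame src resolves to the page's own URL (a self-loading frame).
function isSelfFrame(pageUrl, src) {
  try {
    return new URL(src, pageUrl).href === new URL(pageUrl).href;
  } catch (_) {
    return false;
  }
}

// page: { url, text, iframeSrcs } -- a constructed stand-in for a real DOM.
function assessLockPage(page) {
  const indicators = Object.entries(INDICATORS)
    .filter(([, re]) => re.test(page.text))
    .map(([name]) => name);
  const selfFrames = (page.iframeSrcs || []).filter((s) => isSelfFrame(page.url, s)).length;
  let verdict = 'not-ransomware';
  if (indicators.length === 3) verdict = 'html-ransomware'; // Segura's rule: all three present
  else if (selfFrames >= 50) verdict = 'suspicious-lock'; // iFrame flood without the full pattern
  return { indicators, selfFrames, verdict };
}

// Constructed sample pages (not captured from a real site).
const SAMPLE_LOCK_PAGE = {
  url: 'http://lockscreen.example.invalid/warning.html',
  text: 'FBI. ATTENTION! Your computer has been locked for violation of federal law. ' +
        'To unlock it, pay a fine of $300 with a MoneyPak voucher within 48 hours.',
  iframeSrcs: new Array(150).fill('http://lockscreen.example.invalid/warning.html'),
};
const SAMPLE_NAG_PAGE = {
  url: 'http://survey.example.invalid/index.html',
  text: 'Wait! Are you sure you want to leave this page? Finish our survey to win a prize.',
  iframeSrcs: ['http://ads.example.invalid/banner.html'],
};

console.log(assessLockPage(SAMPLE_LOCK_PAGE)); // verdict 'html-ransomware', selfFrames 150
console.log(assessLockPage(SAMPLE_NAG_PAGE));  // verdict 'not-ransomware', selfFrames 0
```

The nag page is the “are you sure you want to leave?” case Jerome mentions: annoying, but it lacks all three elements, so the heuristic does not call it ransomware.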

How to get rid of HTML ransomware

Jerome did a thorough job of explaining how to remove HTML ransomware from Safari in his blog post, but did not explain what those using other operating systems should do. I asked him what others should do:

“I recommend ending the web-browser process(es) after first having disabled JavaScript. Simply killing the web-browser process will recover the ransomware page and put you right back where you started.”

There is a possibility you may not have to worry about HTML ransomware at all if your antimalware provider is on top of the situation, as Malwarebytes is. Jerome explains:

“Malwarebytes has a large database of malicious sites that we constantly update. Our PRO users are protected against malicious websites as they pop up. This is due to our ability to blacklist entire IP ranges since we know they are only used for criminal purposes; any new website registered on those will be automatically blocked.”

Final thoughts

At first, I felt that HTML ransomware was not a big deal. But, it did not take long for me to realize darn near everything we do computer-wise involves the web browser. And, if the web browser appears to be locked up, it will seem like a huge deal.

Since this attack is easy to fix, it would be a shame for those who do not understand what’s going on to consider, even for a second, paying the ransom. So, please, let’s get the word out on HTML ransomware.

Once again, I owe a debt of gratitude to Rebecca Kline and Jerome Segura of Malwarebytes for helping me sort through the intricacies of HTML ransomware.


30 comments
nmshiywa

Ladies and Gents,

My problem is different. What's the most effective way of getting rid of the shortcuts virus - that creates shortcuts of everything on your USB? I've tried everything incl Kaspersky, AVG, Forefront, formatting, etc., but the virus won't go away! Plz help!

JLogan3o13

We use complete sandboxing of the browser, virtualizing all of the major players with ThinApp. I wonder if closing a virtualized instance of the browser would allow this kind of malware to live on between sessions.

michaewlewis

Is it odd that part of me wants to see it in action? I'm almost ready to do a web search to find one of these sites.....

PhilippeV

Anyway, there's a simple way to get rid of this type of screen: Close the current tab in your browser and open a new tab. Even on smartphones you just have to press the switch button for a couple of seconds to see a list of open tabs and close/delete the one with the bad content.

And don't be fooled: even if it seems to come from an official government or judiciary agency, you will never receive these orders from them in your browser; you'll get a letter at home in your letter box, and you'll have to go to a specific address to resolve the issue or get more information. And you'll never have to pay anything directly on the internet: if something is to be paid, the letter will show you a simple URL to visit, but you'll have other contacts.

If you're in doubt, visit your local tax office or police station to ask what to do with it. And you'll always have time before paying (you can legally contest it). The police will instruct you where you have to pay something (the payment will be made in an official tax office, or local court and you'll get a receipt). As long as you've not seen any policeman bringing you to justice or informing you of your rights in their office, this online alarm is just a fake.

The same is true if you receive an online statement from your bank, or from your social security agency, saying your payments have been suspended. Or if your ISP seems to say that your internet access is suspended (but in that case, why are you reading this? You should not even be able to connect. Just take your last bill from your ISP or network provider; you'll get a phone number for contacting the customer service, and you can request a confirmation postal mail of the billing or of your current account balance).

Dusterman

After several of these started showing up, it became obvious that this was something that removing the hard drive and mounting it in a "bench" machine and "going after" the bug was not working.
We use Malwarebytes, Slimware, Bitdefender....... actually loading as many as the machine will tolerate at the time and "go after" the "bug" !

I decided to take a few hours and get the current info about these new "bugs" ..... to my surprise ....... our old friends over at Kaspersky had already come up with a simple [ I mean ......REALLY ......simple fix ] ....... Rescue

Simply follow their directions and load up an old USB stick [ I used an old 2Gb that had been lying around ] and plug it into the machine and make sure that the machine "boots" from this stick and within a few minutes you are back up and running ......... ! ! !

NOW ........... important here ........ run several scans [ we use the online scans to supplement the machine's installed and now updated anti-virus / malware ! !

Only one has come back ....... he admitted immediately returning to the site that infected the machine in the beginning .......grrrrrrrrrrrrrrr

Hope that this helps someone.........

After all ....... Mike and others here have been a "lifesaver" for me in the past

;-)

Mike

slam5

And I wonder how can this vector of attack be eliminated?  Since I believe the recovery from lockup is part of the HTML spec, will it not take a bit of time to revise the spec?  Or is it a browser based thing that can be attacked that way?

slam5

And Steve Jobs thought that by banishing Flash he would get rid of a big vector of malware; surprise, surprise. HTML 5 has it too! I know this isn't the only reason he got rid of Flash. But its replacement HTML5 isn't foolproof either. I think this will only be the first attack via HTML. Sigh..

JCitizen

Malware has developed other interesting ways to trip up clueless users as well. Bad code can do a lot without tripping the UAC, or needing system permissions. These tactics can lead to vulnerability of even defense in depth scenarios; and the user could inadvertently trigger a chain of mistakes that would lead their PC wide open for conventional attack.

It has become very interesting to see these developments; as also is this article. Once again Michael you've kept us up - Thanks! Now if I can just figure out why Tech Republic's discussion portal acts more like an obstructionist HTML malware! X-(

dvroman

I used Slimbrowser for many years, starting before Firefox was multi-tabbed. It defeats any automatic popups or popunders by default. I quit using that browser because they weren't keeping up with the wars.

l_creech

I haven't seen the HTML version of this yet (and certainly appreciate the heads up), but currently have 2 systems with installed versions that encrypted the files. Thankfully one of these has good pre-infection backups, and the other only uses the system for web-surfing and doesn't have anything they care about on it. I wish more people did backups, especially since new variants aren't able to be decoded by the tools available from Panda, Emsi, or Kaspersky.

Next steps for me are to wipe the drives and re-image the systems.

slam5

It just never ceases to amaze me what bad guys will do to get your $$. One thing that I use to prevent this on Firefox is the NoScript addon. I wonder if this malware will work on Safari on the iPad/iPhone. Can you disable scripting in iOS?

mystic100

Firefox with the NoScript add-on enabled would not allow the page to load any javascript (unless you enable it for the page).  This would effectively prevent the browser block from occurring.

CTaylor.ca

Would it work to just unplug from the Internet, let the browser load and give the error about not finding the page, and then exit the browser?

maxstr

We got one of these things on a domain workstation (Win7).

It had all the same features, ("Homeland Security", MoneyPak payment, locked computer), but CTRL-ALT-DEL did not work, and it had also taken a photo of the user with the built-in webcam and displayed it in the ransom. 

I looked through our web filter logs, and found it had downloaded multiple .jar files and some other blobs of code.

It wasn't detected by the web filter, packet inspection appliance, or the desktop A/V.

Michael Kassner

@JLogan3o13 

Great question,

If I understand VM correctly, closing the instance would be the same as stopping the executable. And, the extra iFrames will disappear. I'll ask Jerome about this, see if he has an opinion. 

Michael Kassner

@michaewlewis 

Not really, Michael. In fact, you mentioning it makes me feel a bit better, as I had the same kind of curious thought.

Michael Kassner

@PhilippeV 

I have wondered about closing the current tab. I have not had the pleasure of HTML ransomware, so have no actual experience. I'm going to ask Jerome what he thinks, as he can test this directly. Thanks for bringing it up. 

Michael Kassner

@Dusterman 

Which type of ransomware did you run across? It sounds like you used a live recovery OS on your USB key.

Michael Kassner

@JCitizen 

You are welcome, J

I am fairly certain we have not seen the last of "interesting" [sic] from the bad guys.

Michael Kassner

@dvroman 

Oddly enough, I have not heard of Slimbrowser until now. I will check it out. Thank you.

slam5

You can do it, but it is even less convenient than NoScript on Firefox. There is no per-site script blocking.

SgtPappy

@slam5 It never ceases to amaze me that end users fall for this stuff (those that actually pay the ransom to make it worth the bad guys time).  I guess that is a good thing...it keeps a roof over my head, food in my belly, and ammo in my guns.

Michael Kassner

@CTaylor.ca 

Good question. I think it would still load as there are the stored iFrames. To be sure I will pass your questions along to Jerome, and let you know as soon as he responds. 

Michael Kassner

@maxstr 

Thanks for sharing your experience. How did you get rid of it? I am assuming the one you dealt with was of the installed variety. 

Dusterman

@Michael Kassner @Dusterman

It was this type of ransomware that is being discussed here.

As I stated earlier ..... and no disrespect to Jerome or Malwarebytes ...... I took the hard drive out and put it in a bench machine as a slave and went after it with everything at hand including Malwarebytes..... nothing was able to find, remove and repair the drive.

I like and use Malwarebytes daily ..... but this time they just didn't have the answer :-(

After [2] days of this newer version of the "bug"..... I finally gave up and searched the net and found the answer with the Kaspersky rescue USB fix. This "fix" is primarily for this exact problem from what I see and read.

BTW ....... F8 was not working to eliminate the item at start up either.

The screen would fill almost immediately and holding control/alt/del during start up would not get me anywhere either!

Knowing this guy ........ he will probably be back again with the same "Stuff" ........ ;-)

FYI ....... for the other Michael W. Lewis ....... he was at a porn site ......

Another FYI ....... this site no longer supports IE7 or below [ XPP max ]....... so if anyone here is having issues try Google Chrome on here ....... it seems to work just fine .....

slam5

@SgtPappy @slam5 Well, you would be surprised at what people fall for. The pastor at my church got one of these. And despite the fact that he knows I'm the tech guy around and more than glad to help him with getting rid of malware, he went ahead and paid to get rid of the bug. Sigh..

maxstr

@Michael Kassner @maxstr 

I've found the quickest and easiest way to get rid of infections is to re-image the machine. You can never really be certain that you've completely removed all traces of the virus. 

Even if the virus can no longer execute, it may have already modified system files, drivers, network stack, certificates, or any other countless changes that will cause system instability (not to mention open up additional vulnerabilities for a re-infection).

Even System Restore can be compromised, since the virus can inject itself into the restore points. A full format of the drive is the most reliable method to remove a virus and repair any corruption (although the paranoid will argue that even the BIOS can get infected, but I don't go that far).

My point is, gone are the days of cleaning a PC by simply deleting a file from the Startup folder or the Run key in the registry, and running a full AV scan.

midlantic

@Michael Kassner @maxstr Whenever I ran across the installed variety I would run a system restore to load up to a date prior to the problem and it would be gone. Then run deep AV/Malware scans, etc., deep temp file removal and except for one instance the problem was solved. With that one instance the user had removed previous restore points so quick and dirty re-install was needed. No data loss as those files are always backed up regularly, just a lot of my time was lost.
