Since you’re here at TechRepublic’s website, I’m betting you are familiar with ransomware, and how to avoid being conned by it. The trouble is there are millions of people who aren’t. That alone ensures ransomware will continue to fleece people out of their hard-earned money. To make matters worse, there’s a new version winding its way through the Internet. And, those in the know predict what’s being called HTML ransomware will be more successful than previous versions.
I first learned about HTML ransomware from Jerome Segura, Senior Security Researcher at Malwarebytes, and his blog post, "FBI Ransomware Now Targeting Apple’s Mac OS X Users." Initially, I was suspicious; OS X is not vulnerable in the same way Windows operating systems are, so what’s up?
Here’s what HTML ransomware has going for it:
Does not require installation.
AV applications, even with current malware signature sets, are of no use against HTML ransomware.
How it works
One way the scam starts is when an unlucky person selects a search result with a falsified link. Instead of the expected web page being presented, the victim’s web browser loads something similar to the following slide (courtesy of Jerome Segura and Malwarebytes).
Again, you aren’t fooled, but perhaps less computer-savvy friends and relatives might be.
I doubt I’d even consider reloading the web browser that many times; my inclination would be to reboot the computer, but that doesn’t help either because HTML ransomware taps into the “Recover browser session after a crash” feature I mentioned earlier, bringing the same FBI screen back up.
It’s not malware
Not being malware is exactly why HTML ransomware is a great idea for the bad guys: simple to set up, easy to move to different domain names, and no concerns about how to install code onto computers. To see if the bad guys agreed, I asked Jerome how many instances of HTML ransomware he has seen.
“This ransomware is quite active; bad guys are registering new domain names several times per day. While it is not malicious (as opposed to ransomware that infects your PC), it’s still scaring people.”
How to tell if it’s HTML ransomware
Web browsers lock up for all sorts of reasons, so I asked Jerome how we would know for sure whether HTML ransomware caused the lockup. He pointed to three elements:
Warning from the police
Fee to be paid using a voucher
Computer or browser locked
“If those three elements are in place, it’s HTML ransomware.”
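Jerome’s three-element test is easy to turn into a triage check. The following is an added example I wrote for this article; it is not code from Malwarebytes or from Jerome’s post. The keyword patterns and the two sample page texts are my own constructions, standing in for the visible text of a lock page a help-desk might capture from a worried relative’s screen.

```python
import re

# Jerome Segura's three indicators, expressed as keyword patterns. The exact
# wording of each pattern is an assumption; the article only names the three
# elements (police warning, voucher payment, locked computer or browser).
INDICATORS = {
    "police warning": re.compile(
        r"\b(fbi|police|law enforcement|cyber ?crime|federal)\b", re.IGNORECASE),
    "voucher payment": re.compile(
        r"\b(voucher|moneypak|ukash|paysafecard|prepaid card)\b", re.IGNORECASE),
    "computer or browser locked": re.compile(
        r"\b(locked|blocked)\b", re.IGNORECASE),
}


def classify_lock_page(page_text: str) -> dict:
    """Report which of the three indicators appear in a lock page's visible text.

    The page is judged to be HTML ransomware only when all three are present;
    a single hit (e.g. an account lockout notice) is not enough.
    """
    hits = {name: bool(pattern.search(page_text))
            for name, pattern in INDICATORS.items()}
    return {"indicators": hits, "html_ransomware": all(hits.values())}


# Constructed sample texts (not captured from a real site).
SCAM_PAGE = (
    "ATTENTION! Your browser has been locked by the FBI Cyber Crime Division. "
    "To unlock it, pay a fine of $300 using a MoneyPak voucher within 48 hours."
)
LOCKOUT_NOTICE = (
    "Your account has been locked after too many failed login attempts. "
    "Contact support to regain access."
)

if __name__ == "__main__":
    for label, text in (("scam", SCAM_PAGE), ("lockout", LOCKOUT_NOTICE)):
        print(label, classify_lock_page(text))
```

The second sample shows why the rule demands all three elements: a routine account-lockout message trips the “locked” indicator alone and is correctly left unflagged.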
How to get rid of HTML ransomware
Jerome did a thorough job of explaining how to remove HTML ransomware from Safari in his blog post, but missed explaining what those using other operating systems should do. I asked him what others should do:
There is a possibility you may not have to worry about HTML ransomware at all if your antimalware provider is on top of the situation, as Malwarebytes is. Jerome explains:
“Malwarebytes has a large database of malicious sites that we constantly update. Our PRO users are protected against malicious websites as they pop up. This is due to our ability to blacklist entire IP ranges since we know they are only used for criminal purposes; any new website registered on those will be automatically blocked.”
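The reason blocking whole IP ranges works against a scam that hops domain names several times a day is that the new name still has to resolve to an address the criminals control. Here is an added example of that mechanism; it is my own code, not Malwarebytes’ product or its blacklist. The blocked ranges are RFC 5737 documentation addresses, and the DNS answers are a constructed lookup table so the example runs offline (a real implementation would resolve the name and keep the range list up to date).

```python
import ipaddress

# Constructed blocklist of CIDR ranges, standing in for ranges a vendor has
# tied to criminal use. RFC 5737 documentation ranges are used so nothing
# here points at a real network.
BLOCKED_RANGES = [ipaddress.ip_network(cidr)
                  for cidr in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed DNS answers (hostnames are placeholders, not real sites).
# The third entry mimics a domain registered minutes ago: it is in no
# name-based blacklist yet, but it lands in an already-blocked range.
FAKE_DNS = {
    "fbi-fine-payment.example": "192.0.2.77",
    "legit-news.example": "203.0.113.10",
    "newly-registered-locker.example": "198.51.100.9",
}


def resolve(hostname: str):
    """Stand-in for a DNS lookup; returns None when the name does not resolve."""
    return FAKE_DNS.get(hostname.lower())


def blocked_range_for(ip_text: str):
    """Return the blocked network containing this address, or None."""
    ip = ipaddress.ip_address(ip_text)
    for net in BLOCKED_RANGES:
        if ip in net:
            return str(net)
    return None


def should_block(hostname: str):
    """Decide whether to block a site by the range its address falls in.

    Returns (blocked, matching_range). Names that do not resolve are passed
    through unblocked here; a stricter policy could treat them differently.
    """
    ip_text = resolve(hostname)
    if ip_text is None:
        return False, None
    net = blocked_range_for(ip_text)
    return net is not None, net


if __name__ == "__main__":
    for name in FAKE_DNS:
        print(name, should_block(name))
```

The point of the example is the third hostname: it never appears in any domain blacklist, yet it is blocked the moment it resolves, because the decision is made on the address range rather than the name.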
At first, I felt that HTML ransomware was not a big deal. But, it did not take long for me to realize darn near everything we do computer-wise involves the web browser. And, if the web browser appears to be locked up, it will seem like a huge deal.
Since this attack is easy to fix, it would be a shame to have those who do not understand what’s going on even for a second consider paying the ransom. So, please, let’s get the word out on HTML ransomware.
Once again, I owe a debt of gratitude to Rebecca Kline and Jerome Segura of Malwarebytes for helping me sort through the intricacies of HTML ransomware.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.