How to tackle JavaScript-based ransomware sites

Ransomware scams are nothing new to computer users; one making the rounds attempts to disguise itself as an FBI cybercrime intervention for suspected nefarious activity. If you get stung by this scam (generally the fastest way is by using underground pirated software search engines and pornographic sites that redirect to the scam page, but even innocent image searches will get you there if you’re not careful), the site will present a notice claiming to come from the FBI “Cyber Department.” It states that the system’s browser has been seized and recorded, and that the user will have to pay a release fee of $300.


To help make the claim look legitimate, the notice displays your IP address and current city and state. The bogus notice tries to make you pay by purchasing a Green Dot MoneyPak card from your local pharmacy or convenience store, and then entering its code into the browser.

If you try to close the window, a notice will appear, claiming that your browser is locked, your data will be detained, and criminal proceedings will be initiated against you unless you pay up. Clicking OK results in another notice asking if you are sure you want to leave the page (a classic JavaScript warning notice), with the options to leave or stay on the page. If you click to leave, the initial warning will appear again, and the process starts over.

While this may seem like alarming behavior, the code behind this malware is actually simple JavaScript (not to be confused with Java), which takes advantage of notifications and alerts in the browser to implement a seemingly endless warning loop.

Even though the notice cycle repeats, it is limited by a hard-coded 150-cycle limit in the JavaScript code for the ransomware site. If you run into this site, or similar cases where such warnings on spam or malicious Web sites pop up and will not leave you alone, there are some easy fixes.

  1. Disable JavaScript temporarily
    All browsers offer an option to disable JavaScript, and doing so will break the malware site’s ability to invoke the endless warning loops. To do this, click the warning option to stay on the page, and then open the browser’s preferences and locate the option to disable JavaScript. In Safari this is in the Security section of the preferences, for Chrome this is in Settings > Advanced Settings > Privacy > Content Settings, and in Firefox this is in the Content section of the preferences.
    With JavaScript disabled, close the problematic browser window, and then go back and re-enable JavaScript. You can also clear your browser history, cache, top sites, and other features to prevent inadvertently revisiting the site again.

    [Screenshot: Reset Safari options. Check this option to force-close the ransomware window; this will bypass any JavaScript warnings. (Credit: Screenshot by Topher Kessler/CNET)]

  2. Force-quit the browser
    Force-quitting your browser is another approach you can take. In some cases the browser will load your home page instead of reloading the problematic site when you next launch it, but some browsers attempt to restore the last session, so this won’t always fix the problem.
  3. Reset Safari
    Finally, for Safari users you can use the Reset Safari option to overcome this error. To do this, simply choose “Reset Safari” from the Safari application menu, and then check the option to close all Safari windows (no other options need to be checked). This will force the window to close, break the JavaScript loop, and allow you to reopen pages without the malicious site reloading.
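For anyone who wants to recognise this kind of page from its source rather than just escape it, here is an added example (not code from the original article) of a static heuristic that flags scripts combining a beforeunload handler with alert()/confirm() calls, a hard-coded retry cap, and ransom wording; the function scoreScarewareScript, its score threshold and both sample scripts are constructed for this illustration.

```javascript
const LURE_WORDS = /\b(fbi|cyber department|locked|seized|fee|moneypak|fine|penalty)\b/i;

function scoreScarewareScript(source) {
  const findings = [];
  let score = 0;

  // 1. Does the script hook page navigation? Check the property form and the
  //    addEventListener form.
  const hooksUnload = /onbeforeunload|addEventListener\s*\(\s*['"]beforeunload['"]/i.test(source);
  if (hooksUnload) { findings.push('hooks beforeunload'); score += 1; }

  // 2. Count blocking dialogs. A legitimate "unsaved changes" prompt never needs alert().
  const dialogs = (source.match(/\b(alert|confirm)\s*\(/g) || []).length;
  if (dialogs > 0) { findings.push(`${dialogs} blocking dialog call(s)`); score += 1; }

  // 3. Hooking unload AND raising dialogs is the lock-loop combination itself.
  if (hooksUnload && dialogs > 0) { findings.push('dialog raised alongside unload hook'); score += 2; }

  // 4. A counter compared against a hard-coded limit (the article notes a 150-cycle cap).
  const cap = source.match(/\b\w+\s*(?:\+\+)?\s*<=?\s*(\d{2,4})\b/);
  if (hooksUnload && cap) { findings.push(`retry cap ${cap[1]}`); score += 1; }

  // 5. Ransom / law-enforcement vocabulary in the strings shown to the victim.
  if (LURE_WORDS.test(source)) { findings.push('ransom/law-enforcement lure text'); score += 1; }

  return { score, suspicious: score >= 4, findings };
}

// Constructed sample mimicking the lock page's behaviour (written for this example).
const LOCK_SAMPLE = `
  var tries = 0;
  window.onbeforeunload = function () {
    if (tries++ < 150) {
      alert("Your browser has been LOCKED by the FBI Cyber Department. Pay the $300 fee.");
      return "Are you sure you want to leave this page?";
    }
  };`;

// Constructed benign sample: an ordinary unsaved-changes warning, no dialog loop.
const FORM_SAMPLE = `
  var dirty = false;
  document.querySelector("form").addEventListener("input", function () { dirty = true; });
  window.addEventListener("beforeunload", function (e) {
    if (dirty) { e.preventDefault(); e.returnValue = ""; }
  });`;

console.log(scoreScarewareScript(LOCK_SAMPLE)); // suspicious: true, score 6
console.log(scoreScarewareScript(FORM_SAMPLE)); // suspicious: false, score 1
```

The heuristic is deliberately coarse: a beforeunload handler on its own is normal for editors and forms, so only the combination with dialogs, a retry counter and lure text pushes a script over the threshold.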