HTML ransomware goes global

Last week we saw that a ransomware scheme does not need to involve actual malware, as clever cyber crooks leveraged browsers’ “restore from crash” feature to make inexperienced users believe they cannot escape the ransomware page (click on the screenshot to enlarge it):

The users would land one of the pages sporting the alarming notice while searching for popular keywords. The JavaScript code included in the page’s source code would prevent the user from leaving the page by choosing any of the offered options (“OK”, “Leave Page”) or by using the “force quit” feature, as the “restore from crash” feature would load the last loaded URL (in this case the ransom page).

The initial stages of the campaign used a fake Europol and FBI notification, and the Internet Crime Complaint Center released a notice warning users not to fall for the scam.

But now the scheme has gone global, and the ransomware pages sport fake notices from the Royal Canadian Mounted Police and the French Gendarmerie Nationale. Users in other Western world countries will likely see those purportedly coming from their own national law enforcement agencies very soon.

It’s interesting to note that despite being touted as targeting OS X users, this ransomware scheme is not aimed only at them, but at users of all the browsers that have the “restore from crash” feature. But as Windows users have already been targeted with a wide variety of ransomware tied to that particular OS, the threat is a new one for Mac users.

Malwarebytes’ Jerome Segura has outlined what to do if you land on such a page while browsing in Safari: click on the Safari menu and then choose “Reset Safari”, then mark all the offered items and press the “Reset” button:

Another easier way is to “force quit” Safari, then launch it again while hold down the “Shift” key.

This scheme is unlikely to be soon dropped by cyber criminals, as the money they “earn” with it daily is likely pretty big.

“Based on traffic rankings gathered by Alexa’s ranking system, we can get an idea of how many users were directed to the ransom page. One such site had 50K hits for one day. Say that 2% – or 1000 visitors – actually end up paying the ransom ($300), you are looking at $300K in the bad guys’ pockets in just one day,” Segura noted.

Don't miss