The Browlock ransomware (Trojan.Ransomlock.AG) is probably the simplest version of ransomware that is currently active. It does not download child abuse material, as Ransomlock.AE does, or encrypt files on your computer, like Trojan.Cryptolocker. It does not even run as a program on the compromised computer. This ransomware is instead a plain old Web page, with JavaScript tricks that prevent users from closing a browser tab. It determines the user’s local country and makes the usual threats, claiming that the user has broken the law by accessing pornography websites and demanding that they pay a fine to the local police.
Figure 1. Browlock ransomware demands a fine for surfing pornography illegally
What is substantial is the number of users getting redirected to the Browlock website. In November, Symantec blocked more than 650,000 connections to the Browlock website. The same trend continues in December. More than 220,000 connections were blocked just 11 days into December. Overall, about 1.8 million connections have been blocked since tracking began in September.
These numbers may not seem particularly large to those familiar with exploit kits and traffic redirection systems, but they solely represent users of Symantec products. The 650,000 connections detected in November are merely a piece of the pie; the real number is likely to be much larger.
Figure 2. Browlock ransomware’s activity in November and December this year
The previous figures show the amount of activity detected per day. The attacks occur in waves, with two particularly noticeable peaks on November 3 and November 16. On November 16, more than 130,000 computers were blocked from being directed to the Browlock website.
Getting the hits
The Browlock attackers appear to be purchasing traffic that redirects many different visitors to their malicious website. They are using malvertising, an increasingly common approach which involves purchasing advertising from legitimate networks. The advertisement is directed to what appears to be an adult Web page, which then redirects to the Browlock website.
The traffic that the Browlock attackers purchased comes from several sources, but primarily from adult advertising networks. Several security researchers have been tracking this activity for the past few months, notably Malekal and Dynamoo.
In a recent example, the attackers created several different accounts with an advertising network, deposited payment, and began buying traffic to redirect users to a website with a name that resembles an online chat forum. When the user visits the page, they are then redirected to the Browlock site. In fact, the attacker hosts the legitimate-looking domain name on the same infrastructure as the ransomware site itself.
The Browlock infrastructure
When a victim is directed to the Browlock website, a URL specific to the victim and their country’s law enforcement is generated. For example, visitors from the US are directed to a URL which looks similar to the following:
fbi.gov.id693505003-4810598945.a5695.com
There are two notable elements of this URL. The first is the fbi.gov value and the second is the actual domain, a5695.com. The fbi.gov value is clearly meant to represent the local law enforcement agency. Symantec has identified 29 different law enforcement values, representing approximately 25 regions. The following graph shows the percentage of connections for the top ten law enforcement agencies identified. We found that traffic from the US was the most common. This is followed by Germany, then Europol, which covers European countries when no specific image template has been created.
Figure 3. Top ten regions targeted by Browlock
The second relevant value is the domain. We have seen 196 domains since tracking began. The domains adhere to the format of a single letter followed by four digits and then .com. The actual domains have been hosted on a number of different IP addresses over the past four months.
The most active Autonomous System (AS) has been AS48031 – PE Ivanov Vitaliy Sergeevich, which was used in each of the past four months. The attackers rotated through seven different IP addresses in this AS.
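The hostname layout described above can be turned into a detection check for proxy or DNS logs. The following is an added example, not code from Symantec or the original post: it matches the registered-domain format the article gives (one letter, four digits, .com) together with the victim token seen in the sample URL, and extracts the impersonated agency label. The token pattern is an assumption inferred from that single sample, and the log format, client addresses and every host other than the article's sample are constructed.

```python
import re
from collections import Counter

# Registered-domain shape from the article: one letter, four digits, ".com".
DOMAIN_RE = re.compile(r"[a-z][0-9]{4}\.com")
# Victim token shape inferred from the article's single sample URL (assumption).
TOKEN_RE = re.compile(r"id[0-9]+-[0-9]+")


def parse_browlock_host(host):
    """Return (agency, token, domain) if host follows the Browlock layout, else None."""
    labels = host.strip().lower().rstrip(".").split(".")
    if len(labels) < 4:  # need agency label(s) + token + domain + "com"
        return None
    agency, token, domain = ".".join(labels[:-3]), labels[-3], ".".join(labels[-2:])
    # Require both parts: the domain shape alone would flag unrelated sites.
    if DOMAIN_RE.fullmatch(domain) and TOKEN_RE.fullmatch(token):
        return agency, token, domain
    return None


def scan_proxy_log(lines):
    """Return (client, agency, domain) for each '<time> <client> <host>' line that matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than guessing at columns
        parsed = parse_browlock_host(fields[2])
        if parsed:
            hits.append((fields[1], parsed[0], parsed[2]))
    return hits


# Constructed sample log (hypothetical format). Only the first host is from the article;
# every other host, client address and timestamp is made up for illustration.
SAMPLE_LOG = [
    "2013-12-11T09:14:02Z 192.0.2.21 fbi.gov.id693505003-4810598945.a5695.com",
    "2013-12-11T09:14:07Z 192.0.2.34 www.fbi.gov",
    "2013-12-11T09:15:40Z 192.0.2.21 static.z9999.com",
    "2013-12-11T09:16:12Z 192.0.2.58 europol.id100200300-4005006007.k0000.com",
    "2013-12-11T09:17:00Z 192.0.2.58 id1-2.shop1234.com",
]

if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG)
    for client, agency, domain in hits:
        print(f"{client} -> {domain} (impersonates {agency})")
    print(Counter(agency for _, agency, _ in hits).most_common())
```

Grouping hits by the extracted agency label gives the same per-region view as the article's Figure 3, and grouping by domain shows how quickly the single-letter, four-digit names rotate.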
Summary
The Browlock ransomware tactic is simple but effective. Attackers save money by not using a malicious executable or accessing an exploit kit. As the victim simply needs to close their browser to escape from the Web page, one might think that no one will pay up. However, the Browlock attackers are clearly spending money to purchase traffic and so they must be making a return on that investment. The usual ransomware tactic of targeting users of pornographic websites continues to capitalize on a victim’s embarrassment and may account for the success rate.
Symantec protects its customers from Browlock with IPS and AV signatures.
Malicious infrastructures used
AS24940 HETZNER-AS Hetzner Online AG
- IP address: 144.76.136.174 Number of redirected users: 2,387
AS48031 – PE Ivanov Vitaliy Sergeevich
- IP address: 176.103.48.11 Number of redirected users: 37,521
- IP address: 193.169.86.15 Number of redirected users: 346
- IP address: 193.169.86.247 Number of redirected users: 662,712
- IP address: 193.169.86.250 Number of redirected users: 475,914
- IP address: 193.169.87.14 Number of redirected users: 164,587
- IP address: 193.169.87.15 Number of redirected users: 3,945
- IP address: 193.169.87.247 Number of redirected users: 132,398
AS3255 – UARNET
- IP address: 194.44.49.150 Number of redirected users: 28,533
- IP address: 194.44.49.152 Number of redirected users: 134,206
AS59577 SIGMA-AS Sigma ltd
- IP address: 195.20.141.61 Number of redirected users: 22,960
Nigeria Ifaki Federal University Oye-ekiti
- IP address: 196.47.100.2 Number of redirected users: 47,527
AS44050 – Petersburg Internet Network LLC
- IP address: 91.220.131.106 Number of redirected users: 81,343
- IP address: 91.220.131.108 Number of redirected users: 75,381
- IP address: 91.220.131.56 Number of redirected users: 293
AS31266 INSTOLL-AS Instoll ltd.
- IP address: 91.239.238.21 Number of redirected users: 8,063