Q&A About The Latest HTML Ransomware Affecting Mac OS X users


The post I wrote about the FBI Ransomware Now Targeting Apple’s Mac OS X users has received a lot of attention. Perhaps it did because we seldom hear about Mac users having to deal with malware – not that it does not happen, because it certainly does – but when it occurs, everyone wants to know about it.

The funny thing here is that this attack does not actually use malware per se, but rather a sneaky little piece of JavaScript (which is benign, yet annoying) combined with social engineering tricks.

At the end of the day, it still manages to appear as though it did in fact block your computer and will unfortunately be convincing enough to have people fork over several hundred dollars.

Now, let’s answer your questions.

Q. Why did you call it ransomware for the Mac? It also works on Windows… A. That is correct: it will run in pretty much any browser, on Windows or OS X. However, Windows users are normally served a drive-by download and get a full (and real) computer lock. Mac users did not have to worry about that, but with this new technique the bad guys are targeting both platforms by using a very basic script and leveraging what works best: social engineering.

Q. Does this ransomware actually infect my Mac? Is it an exploit? A. No, it does not. It is purely a simple piece of JavaScript that ‘locks up’ the browser.

Q. If I get rid of the ransom page, is my computer still infected after that? A. At least for Mac users, the page does not push any exploit or malware. Once it’s closed, you’re good to go. Of course, it would not hurt to do the usual backup of your data, clean-up of unused apps and files, security scan, etc. Windows users may have more to worry about, although, once again, the first iteration of that page seemed to be exploit-free.

Q. Are Macs finally vulnerable to malware? A. This attack works both on Windows and Macs because it uses JavaScript and of course social engineering. The weakest link is the user, not the Operating System.

Q. Does this work on other browsers as well, beside Safari? A. Yes. Even Chrome (one of the safest browsers) gets locked because of that JavaScript snippet.

Q. What is so special about that JavaScript code? A. Nothing really. In fact we found the same code published on multiple web developer forums. The bad guys simply copied and pasted it and made a few adaptations.

Q. When did this first happen? A. The first reports date from July 14th, although it is possible it started spreading a day or two before that.

Q. How can I avoid this attack? A. You can reduce the likelihood of it happening by avoiding sites serving pornography, torrents, game cracks, live streaming of copyrighted movies, etc. It sounds so cliché, but it kind of goes hand in hand with the ransom page (“you’ve been naughty, doing something illegal: now you have to pay for it”).

Q. Could this have been blocked by an anti-malware product? A. Probably not (although you’d think it should be, based on the behaviour). However, our Malwarebytes PRO customers were protected from this threat before it even happened, as we had blacklisted the malicious server’s IP address months ago.

Q. Is it true that if I click ‘Leave the page’ 150 times, it will go away? A. Yes. The JavaScript code creates a loop of 150 iframes after which the lock is released.

Q. Are there other ways of getting rid of the ransom page? A. Yes, as some people have suggested, you can disable JavaScript or paste some code in the JS console. However, the method outlined in our previous blog post seemed easier and quicker, as long as you don’t mind erasing your browsing history. [update] Several users have suggested another method: force quit Safari (Apple menu) and then restart Safari while holding the shift key.

Q. Why only 150 iframes? Why not 10K? A. Having looked at the code many times and opened it in multiple browsers, I realized the iframes are loaded one after the other very quickly. Having too many could lead to browser instability and even a crash, definitely not something the bad guys would want.
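To make the "click ‘Leave the page’ 150 times" behaviour concrete, here is an added model of the lock (this is not the campaign's script and not code from the post). It assumes the lock is driven by window.onbeforeunload, the handler behind the "Leave the page" dialog, and that each dismissal advances a counter until a fixed limit; the browser is replaced by a small fake object so the logic runs under Node without a DOM. It also shows the defensive counterpart: nulling the handler (what disabling JavaScript or a console paste achieves) releases the page regardless of the counter.

```javascript
// Added model of the browser lock (not the campaign's own script).
// Assumptions: the lock uses window.onbeforeunload, and the fake window
// below stands in for a real browser so the logic runs under Node.

const LOCK_LIMIT = 150; // number of "Leave the page" clicks the post reports

// Builds the beforeunload handler and the dismissal counter it closes over.
function makeLock(limit = LOCK_LIMIT, message = "Your browser has been locked") {
  let dismissals = 0;
  const handler = function () {
    dismissals += 1;
    // A returned string makes the browser show the confirm dialog again;
    // undefined lets the navigation through. Only the last attempt gets through.
    return dismissals < limit ? message : undefined;
  };
  handler.count = () => dismissals;
  return handler;
}

// Minimal stand-in for a browser window: each tryLeave() call plays one
// attempt to navigate away, i.e. one click on "Leave the page".
function makeFakeWindow() {
  return {
    onbeforeunload: null,
    unloaded: false,
    tryLeave() {
      if (this.unloaded) return true;
      const msg = this.onbeforeunload ? this.onbeforeunload() : undefined;
      if (msg === undefined) {
        this.unloaded = true;
        return true;
      }
      return false; // dialog shown again; page still "locked"
    },
  };
}

// How many "Leave the page" clicks it takes before the fake browser escapes.
function clicksToEscape(limit = LOCK_LIMIT) {
  const win = makeFakeWindow();
  win.onbeforeunload = makeLock(limit);
  let clicks = 0;
  while (!win.tryLeave()) clicks += 1;
  return clicks + 1; // the final, successful attempt is a click too
}

// Defensive counterpart: drop the handler and the lock is gone immediately.
function releaseLock(win) {
  win.onbeforeunload = null;
  return win.tryLeave();
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(`clicks needed with limit ${LOCK_LIMIT}:`, clicksToEscape(LOCK_LIMIT));
  const win = makeFakeWindow();
  win.onbeforeunload = makeLock();
  console.log("still locked after one click:", !win.tryLeave());
  console.log("released by nulling the handler:", releaseLock(win));
}
```

The counter is the whole trick: nothing is exploited, the page simply keeps answering the unload prompt, and any action that discards the handler (closing the tab from the OS, force-quitting, or disabling JavaScript) ends it.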

Q. How many sites are loading this ransomware? A. So far we have come across a handful of them, and they all share the same naming pattern: [a-z]{1}[0-9]{4}.com. For example, k8381 . com | s5664 . com. We identified two ‘branded’ versions in the URL being pushed:

  1. europol.europe.eu.id657546456-3999456674.[domain.com]
  2. fbi.gov.id657546456-3999456674.[domain.com]
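As an added example (not part of the original post), the naming pattern above can be turned into a simple log check. The helper below extracts the registered domain from each URL, matches it against the [a-z][0-9]{4}.com pattern, and separately flags the fbi.gov / europol.europe.eu prefixes used as subdomain labels. The proxy log lines are constructed for this demo, and the "last two labels" approximation of a registered domain is an assumption that holds for .com but would need a public-suffix list in general.

```javascript
// Added detection helper (not from the original post). The log lines are
// constructed; hostnames reuse the post's example domains and id string.

const CAMPAIGN_DOMAIN = /^[a-z][0-9]{4}\.com$/;
const LOOKALIKE_PREFIXES = ["fbi.gov", "europol.europe.eu"];

// Last two labels of a hostname. Assumption: adequate for .com domains;
// use a public-suffix list for anything broader.
function registeredDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// Classifies one URL by apex-domain pattern and lookalike subdomain prefix.
function classifyUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { url: rawUrl, verdict: "invalid" };
  }
  const host = url.hostname;
  const apex = registeredDomain(host);
  const patternHit = CAMPAIGN_DOMAIN.test(apex);
  // Prefix must be followed by a dot so that www.fbi.gov itself is not flagged.
  const lookalike = LOOKALIKE_PREFIXES.find((p) => host.startsWith(p + "."));
  let verdict = "clean";
  if (patternHit && lookalike) verdict = "ransom-page";
  else if (patternHit) verdict = "campaign-domain";
  else if (lookalike) verdict = "lookalike-only";
  return { url: rawUrl, host, apex, verdict };
}

// Constructed proxy log lines: "<timestamp> <client> <url> <status>".
const SAMPLE_LOG = [
  "2013-07-15T10:01:02Z 10.0.0.5 http://fbi.gov.id657546456-3999456674.k8381.com/ 200",
  "2013-07-15T10:01:09Z 10.0.0.5 http://europol.europe.eu.id657546456-3999456674.s5664.com/ 200",
  "2013-07-15T10:02:30Z 10.0.0.7 https://www.fbi.gov/ 200",
  "2013-07-15T10:03:00Z 10.0.0.8 http://k8381.com/ 200",
  "2013-07-15T10:03:45Z 10.0.0.9 http://ab123.com/ 200",
];

// Returns only the non-clean hits, with the client that reached them.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const parts = line.trim().split(/\s+/);
    if (parts.length < 3) continue;
    const result = classifyUrl(parts[2]);
    if (result.verdict !== "clean") hits.push({ client: parts[1], ...result });
  }
  return hits;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of scanLog(SAMPLE_LOG)) {
    console.log(`${hit.client} -> ${hit.host} [${hit.verdict}]`);
  }
}
```

Matching on the apex domain rather than on the branded prefix alone is what keeps legitimate fbi.gov traffic out of the results, while still catching the bare k8381.com landing page that carries no branding.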

Q. Where are these sites hosted? A. We’ve traced them back to an IP address (91.220.131.65) in Russia.

Q. Will this ransomware work on iOS? A. Not as far as we can see. We tested it on an iPhone and iPad and could not replicate the same behaviour.

Q. Do you know how many people have paid the ransom? A. We do not. However, based on traffic statistics gathered by Alexa’s ranking system, we can get an idea of how many users were directed to the ransom page. One such site had 50K hits in one day. Say that 2% – or 1,000 visitors – actually end up paying the ransom ($300): you are looking at $300K in the bad guys’ pockets in just one day.

Q. How are the bad guys collecting the money? A. The ransom money must be paid using a voucher which can be purchased at many popular retail stores. Each voucher contains a unique number that the victim enters within the webpage and that is transmitted to the remote Russian server’s database. One thing we noticed is there is no real-time validation, meaning you could enter a random number (so long as it matches the length typically used by such vouchers) and you still get the “Your {sic} brouser will be unlocked within 12 hours” message.

Q. We are security researchers, can you share this JavaScript/HTML code with us? A. Of course. Check the source code here.

We will keep monitoring this on-going campaign and keep you posted.


Jerome Segura (@jeromesegura) is a senior security researcher at Malwarebytes.
