Browser locker – the peculiar type of malware

Browser locker is not a new type of malware. It has been on the radar of cybersecurity experts for a few years. It is not “classic” malware in the shape we are used to, and the model it uses to reach its goal – extorting money from the victim – is worth your attention. I will show you all the details and also explain how to prevent the appearance of this virus. Let’s go!

What is browser locker?

This hazard can be described as a scary website that tries to force the visitor to pay a “fine” (in fact – a ransom). The fine may be charged for some forbidden action, such as storing or distributing child porn, reading forbidden literature online, or distributing malware. The banner also states that, to prevent you from using the PC and to make it impossible to ignore the fine, the data on your PC will be encrypted. To make these claims look more authoritative, fraudsters add the logo of local executive authorities and references to several legal acts. Such a picture looks quite serious, especially with several additional “effects”.

FBI browser locker

When the visitor tries to click on something on this website, the picture expands to full screen. The control buttons are hidden, and the only thing the user can see is the scary notification from the browser locker. Moreover, on the “Russian Ministry of Internal Affairs (MIA)” browser lockers you can also see a line that imitates the encryption process. Such things may scare even experienced users. But don’t be fooled – below, I will explain the mechanism of that “encryption”.

How does this malware work?

It is a very interesting story, since the mechanism is very simple and amusing. You will laugh at the extreme simplicity of this scheme. The first thing we will check is the way this “virus” appears in your system.

The peculiarity is that this virus has no file. And we are not talking about fileless malware injections or other ways of stealthily injecting a virus into a well-secured network. The main reason you see browser lockers is the presence of adware. Adware is a type of malware that shows you unwanted advertisements and earns money this way. It is quite common for a malware creator to come to adware distributors in order to promote their virus through unwanted ads. Adware shows you these scary pages simply because somebody paid the crooks who control the adware.

The exact shape of the advertisement that leads to the browser locker may differ. What the ads have in common is the theme used to bait the user into clicking: an ad for a dating website, a page with free porn, or something similar. Clicking on such a pop-up or banner simply leads to the locker web page.

The example of pornographic ads shown to bait you to open the browser locker site

On the locker website, you will see a message saying that your PC is locked under a decree issued today. Here is the first moment that made me laugh: if you take no action, wait a day and then refresh the page, the date will change to the current day. The page element that shows the issuing date is just a calendar.

The first reaction to such a message is an attempt to close the website. Until you have pressed something on the site, you are able to reach the cross at the right side of the browser tab. Attempting to close the page makes a context menu appear.

Context menu from the fake Russian MIA website

Just pressing the “Close” button will really close the page and leave you safe and calm. But if you start to panic (which happens very often), you can click something unintentionally and get your browser locked. Even more panic is created by a small CSS script the fraudsters use to hide your mouse cursor. On one of the browser lockers, we found this:

Mouse cursor disabling script

In short, this script is added to hide the mouse cursor. Such a change creates the illusion that your computer is really locked. The script also prevents the handling of functional keys, such as Shift, Alt, Ctrl and Tab, as well as the F1, F2, F3 and F4 keys. Hence, the usual key combinations for solving problems – Alt+F4 and Ctrl+Alt+Del – will not be available.
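The behaviours described above (hidden cursor, blocked keys, full screen on click, a dialog on close, a date taken from the visitor's clock) can be checked for in saved page source. The following is an added example, not code from the original article or from any locker sample; the regular expressions, weights, thresholds and the three constructed fixtures are assumptions.

```javascript
// Static triage of saved page source for the locker behaviours described above.
// Added example: patterns, weights and thresholds are assumptions.
const INDICATORS = [
  // CSS that hides the mouse pointer
  { id: "cursor-hidden", weight: 2, re: /cursor\s*:\s*none/i },
  // Fullscreen request; case-insensitive, so vendor-prefixed spellings match too
  { id: "fullscreen-request", weight: 2, re: /requestFullscreen\s*\(/i },
  // keydown handler that cancels the default action shortly after registration
  { id: "keys-blocked", weight: 2,
    re: /(?:onkeydown\s*=|addEventListener\(\s*["']keydown["'])[\s\S]{0,200}?(?:preventDefault\s*\(|return\s+false)/i },
  // Dialog when the tab is closed (assumed to be a beforeunload handler)
  { id: "close-dialog", weight: 1, re: /onbeforeunload\s*=|["']beforeunload["']/i },
  // "Decree date" filled from the visitor's clock; common on benign pages, so low weight
  { id: "client-side-date", weight: 1, re: /new\s+Date\s*\(\s*\)/ },
];

// Returns a verdict, the summed weight and the ids of the indicators that matched.
function triagePage(source) {
  const hits = INDICATORS.filter((i) => i.re.test(source));
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  // One strong behaviour alone (e.g. a video player going fullscreen) only
  // earns a manual review; two or more strong behaviours together flag the page.
  const verdict = score >= 4 ? "likely-locker" : score >= 2 ? "review" : "clean";
  return { verdict, score, hits: hits.map((i) => i.id) };
}

// Constructed fixtures (not captured from real sites).
const SAMPLE_LOCKER = [
  "<style>html, body { cursor: none; }</style>",
  '<script>document.addEventListener("keydown", function (e) { e.preventDefault(); });',
  "document.body.onclick = function () { document.documentElement.requestFullscreen(); };",
  'window.onbeforeunload = function () { return ""; };',
  "dateEl.textContent = new Date().toLocaleDateString();</script>",
].join("\n");
const SAMPLE_VIDEO = '<button onclick="player.requestFullscreen()">Fullscreen</button>';
const SAMPLE_BLOG = "<footer><script>document.write(new Date().getFullYear())</script></footer>";

const fixtures = { locker: SAMPLE_LOCKER, video: SAMPLE_VIDEO, blog: SAMPLE_BLOG };
for (const [name, src] of Object.entries(fixtures)) {
  console.log(name, JSON.stringify(triagePage(src)));
}
```

A match is a reason to inspect the page, not proof: every pattern here also occurs on legitimate sites, which is why single indicators are only marked for review.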

The website itself has a strange address. Instead of the original site of the legal authority, you will see an imitation registered on a free hosting service [1]. It is quite easy to distinguish the counterfeit from the real site if you know these details. If not, check the real site of the organization from another device – your smartphone or laptop, for example.

The whole situation looks like a serious malware-related issue. However, simply rebooting the PC will give you back access to it. After the reboot, it is recommended to perform malware removal.

Browser locker types

This virus has appeared in different corners of the world, but the regions where it became very popular and persistent are the Middle East and the ex-USSR. In particular, the most significant example of a browser locker is the aforementioned Ministry of Internal Affairs locker. It displays a scary banner in Russian, which says that your computer is blocked for watching porn with elements of child porn and homosexuality propaganda.

Fake Ministry of Internal Affairs website

In Russia, and in the majority of these categories are forbidden by legal acts [2]. Violating all of them simultaneously may lead to 10+ years of prison. However, the fraudsters offer to solve the problem with a payment – only 3000 or 10000 roubles (about $40-$130) – and you may forget about these accusations. They offer you to pay the ransom as a mobile number top-up or as a money transfer to an online wallet in one of the payment systems. Russian browser lockers can easily be recognized by the Russian coat of arms in the top left corner. This parody is like a reference example of such a scam – use as many symbols of real organizations as possible in order to scare the victim.

Here is the list of the websites which mimic the Russian MIA:

The Middle East variation of the browser locker is widespread in the UAE, Oman, Kuwait, Qatar, and Saudi Arabia. These lockers have the same functions as their “colleague” from Russia, but their appearance is different. Specifically, while the pseudo-MIA notification has a single design variant, its counterparts in the Middle East pick the legal authority of the country they choose and mask the malicious site with this disguise. The list of laws violated is also different, and depends on each country and case.

A peculiar feature of the browser lockers from the Middle East is that they do not offer to pay the “ransom” to a mobile account, but tell you to enter your bank card data. This type of browser locker is a phishing website rather than something that tries to extort money. Fortunately, this virus can be dismissed in the same way. Even if you clicked on the website body and it expanded to full screen, you can just reboot your PC to stop this scam.

Here is the list of websites used in this fraud for the Middle East:

How to stop the appearance of browser lockers?

As I said, the appearance of a browser locker is just a consequence of adware activity. Adware is quite a simple virus that can even be deleted manually. But since manual removal is risky and cannot guarantee the result, it is better to use anti-malware software. I can offer GridinSoft Anti-Malware as the removal tool for adware and browser lockers [3].

Removing the viruses with GridinSoft Anti-Malware

  • Download and install GridinSoft Anti-Malware. After the installation, you will be offered to perform a Standard Scan. Approve this action.

  • The Standard Scan checks the logical disk where the system files are stored, together with the files of programs you have already installed. The scan lasts up to 6 minutes.

  • When the scan is over, you may choose the action for each detected virus. For all files of the viruses distributed through the described phishing, the default option is “Delete”. Press “Apply” to finish the malware removal.

References

  1. Criteria for checking a website’s reliability.
  2. Russia bans gay propaganda.
  3. Our review for GridinSoft Anti-Malware.
Copyright
HowToFix.Guide
 

About the author

Brendan Smith

Journalist, researcher, web content developer, grant proposal editor. Efficient and proficient on multiple platforms and in diverse media. Computer technology and security are my specialties.
