{"id":76061,"date":"2014-12-17T16:20:26","date_gmt":"2014-12-18T00:20:26","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=76061"},"modified":"2023-05-15T23:13:14","modified_gmt":"2023-05-16T06:13:14","slug":"your-browser-is-not-locked","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/","title":{"rendered":"Your Browser is (not) Locked"},"content":{"rendered":"<p>Most ransomware has a binary file that needs to be executed before it can infect your PC. Ransomware usually relies on social engineering or exploits to infect unsuspecting users. However, some malware authors are bypassing this requirement with a new trick &#8211; browser lockers.<\/p>\n<p>Unlike traditional ransomware threats that lock the entire desktop, browser lockers only lock the web browser of an infected PC. Most other malware needs a user (or other malware) to manually run it. Browser lockers don\u2019t need to be manually run, they don\u2019t have a binary file and they are mostly written in JavaScript. The script runs in the web browser and its main purpose is to disable any form of action that can close the browser &#8211; such as clicking the close button and pressing certain shortcut keys (for example, Alt + F4). All attempts to close the browser will result in a warning message box, an example is shown in Figure 4.<\/p>\n<p>Microsoft detects browser locker malware as <a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Ransom:JS\/Brolo\">Ransom:JS\/Brolo<\/a> and <a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Ransom:JS\/Krypterade\">Ransom:JS\/Krypterade<\/a>. The graphs below show the number of encounters and countries affected by these threats in recent months.<\/p>\n<p>These threats run when a user is redirected to a malicious URL. Although a user might visit a clean domain or website, they can be redirected to a malicious URL instead via pop-up ads.<\/p>\n<p>Once redirected to the browser locker landing page, a visible lock screen is displayed through the browser. At this point all attempts to close the browser are futile without the help of another application.<\/p>\n<p>An example of a Ransom:JS\/Brolo browser lock screen is shown below. The message differs from browser to browser, and can be region-specific.<\/p>\n<p>Each browser locker may have a slightly different appearance, with changes to the images and messages. However, they usually try similar scare tactics:<\/p>\n<ul>\n<li>Trying to look like they come from a local government security agency (Interpol, FBI, NSA).<\/li>\n<li>Saying you violated or broke a law.<\/li>\n<li>Asking you to pay a fine, usually in the form of prepaid cards.<\/li>\n<\/ul>\n<p>Ransom:JS\/Krypterade masquerades as the official Java website. The \u2018ransom\u2019 in this case is the download and installation of another binary, which is a software bundler.<\/p>\n<p>Despite their claims to the contrary, browser blockers do not:<\/p>\n<ul>\n<li>Come from a government security agency.<\/li>\n<li>Know whether you have broken any law.<\/li>\n<li>Have your files for evidence.<\/li>\n<li>Know whether your current browser is outdated or not.<\/li>\n<\/ul>\n<p>As far as we have seen they cannot:<\/p>\n<ul>\n<li>Encrypt your files.<\/li>\n<li>Force you to install a particular software just to unlock your browser.<\/li>\n<li>Require you to pay a fine to unlock your browser.<\/li>\n<\/ul>\n<p>If your browser is locked by one of these threats you can unlock it using Task Manager to kill the browser process. On enterprise machines Task Manager might be blocked by group policy. You may need to contact your IT administrator for assistance. When you re-launch your browser, it may have an option to &#8220;restore session&#8221; because it closed unexpectedly. Do not click on &#8220;restore session&#8221; as it will still have a record of the browser locker URL.<\/p>\n<p>The best protection from these threats is to make sure your web browser <a href=\"http:\/\/windows.microsoft.com\/en-AU\/internet-explorer\/products\/ie-9\/features\/smartscreen-filter\">smart screen <\/a>and <a href=\"http:\/\/windows.microsoft.com\/en-au\/internet-explorer\/ie-security-privacy-settings#ie=ie-11&amp;pop-up_blocker\">pop-up blocker<\/a> is turned on. You should also only download software from the official vendor\u2019s website. Common applications such as Java and Flash usually have their own update notification to let you know when you need an update.<\/p>\n<p>Microsoft security products, such as <a href=\"http:\/\/windows.microsoft.com\/en-au\/windows\/security-essentials-download\">Microsoft Security Essentials<\/a>, include detection for <a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Ransom:JS\/Brolo\">Ransom:JS\/Brolo<\/a> and <a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Ransom:JS\/Krypterade\">Ransom:JS\/Krypterade<\/a>. To help stay protected, <a href=\"http:\/\/www.microsoft.com\/security\/portal\/definitions\/adl.aspx\">keep your security software up-to date<\/a>.<\/p>\n<p><em>Alden Pornasdoro<\/em><\/p>\n<h2>Related blog entries:<\/h2>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/03\/28\/world-backup-day-is-as-good-as-any-to-back-up-your-data\/\">World Backup Day is as good as any to back up your data<\/a><\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/02\/14\/ransomware-2016-threat-landscape-review\/\">Ransomware: a declining nuisance or an evolving menace?<\/a><\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/01\/30\/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp\/\">Averting ransomware epidemics in corporate networks with Windows Defender ATP<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h4><strong>Talk to us<\/strong><\/h4>\n<p>Questions, concerns, or insights on this story? Join discussions at the <a href=\"https:\/\/answers.microsoft.com\/en-us\/protect\" target=\"_blank\" rel=\"noopener\">Microsoft community<\/a> and <a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\" target=\"_blank\" rel=\"noopener\">Windows Defender Security Intelligence<\/a>.<\/p>\n<p>Follow us on Twitter <a href=\"https:\/\/twitter.com\/WDSecurity\" target=\"_blank\" rel=\"noopener\">@WDSecurity.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Most ransomware has a binary file that needs to be executed before it can infect your PC. Ransomware usually relies on social engineering or exploits to infect unsuspecting users. However, some malware authors are bypassing this requirement with a new trick &#8211; browser lockers. Unlike traditional ransomware threats that lock the entire desktop, browser lockers [&hellip;]<\/p>\n","protected":false},"author":61,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3663],"topic":[3687],"products":[],"threat-intelligence":[3735],"tags":[],"coauthors":[1968],"class_list":["post-76061","post","type-post","status-publish","format-standard","hentry","content-type-research","topic-threat-intelligence","threat-intelligence-ransomware"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Your Browser is (not) Locked | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Your Browser is (not) Locked | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"Most ransomware has a binary file that needs to be executed before it can infect your PC. Ransomware usually relies on social engineering or exploits to infect unsuspecting users. However, some malware authors are bypassing this requirement with a new trick &#8211; browser lockers. Unlike traditional ransomware threats that lock the entire desktop, browser lockers [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2014-12-18T00:20:26+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-16T06:13:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-microsoft_logo_element.png\" \/>\n\t<meta property=\"og:image:width\" content=\"512\" \/>\n\t<meta property=\"og:image:height\" content=\"512\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Microsoft Defender Security Research Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Defender Security Research Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Defender Security Research Team\"}],\"headline\":\"Your Browser is (not) Locked\",\"datePublished\":\"2014-12-18T00:20:26+00:00\",\"dateModified\":\"2023-05-16T06:13:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/\"},\"wordCount\":663,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/\",\"name\":\"Your Browser is (not) Locked | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"datePublished\":\"2014-12-18T00:20:26+00:00\",\"dateModified\":\"2023-05-16T06:13:14+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Your Browser is (not) Locked\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Your Browser is (not) Locked | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/","og_locale":"en_US","og_type":"article","og_title":"Your Browser is (not) Locked | Microsoft Security Blog","og_description":"Most ransomware has a binary file that needs to be executed before it can infect your PC. Ransomware usually relies on social engineering or exploits to infect unsuspecting users. However, some malware authors are bypassing this requirement with a new trick &#8211; browser lockers. Unlike traditional ransomware threats that lock the entire desktop, browser lockers [&hellip;]","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/","og_site_name":"Microsoft Security Blog","article_published_time":"2014-12-18T00:20:26+00:00","article_modified_time":"2023-05-16T06:13:14+00:00","og_image":[{"width":512,"height":512,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-microsoft_logo_element.png","type":"image\/png"}],"author":"Microsoft Defender Security Research Team","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Microsoft Defender Security Research Team","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/","@type":"Person","@name":"Microsoft Defender Security Research Team"}],"headline":"Your Browser is (not) Locked","datePublished":"2014-12-18T00:20:26+00:00","dateModified":"2023-05-16T06:13:14+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/"},"wordCount":663,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/","name":"Your Browser is (not) Locked | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"datePublished":"2014-12-18T00:20:26+00:00","dateModified":"2023-05-16T06:13:14+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/12\/17\/your-browser-is-not-locked\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Your Browser is (not) Locked"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/76061"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/61"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=76061"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/76061\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=76061"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=76061"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=76061"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=76061"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=76061"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=76061"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=76061"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}