When people talk about ransomware they typically think about malware that encrypts all of your files using strong encryption, forcing you to fork over money to unlock your files again. Some of these species are quite elaborate, with reinfection routines and integrated botnets. But perhaps hackers can get higher return on investment (ROI) by using som simple browser hijacking scripts?

One of the most common and profitable scams in 2015-2016 was the FakeBsod.A malware. According to the Microsoft info page on this ransomware it accounted for 15% of ransomware infection in the period from Dec 2015 to May 2016. The way the malware works is that it hijacks your browser and displays a message that you have encountered “BLUE SCREEN ERROR 0x000000000CE” in your browser. Your browser becomes unusable, the adress bar does not work and you cannot close it unless you kill the application. The error message gives a phone number to “Microsoft” for help. If you call them, you are asked ot pay a certain amount by credit card to “fix the problem”. Of course, forcing the browser to close and then removing the js file FakeBsod.A from your system is a better choice of action. Most users don’t know this, and the js browser hijacking technique has earned cyber criminals enormous sums of money from user seeing no other option to get their browser back. Note that no files are harmed by the malware – this is an effective scareware tactic that has worked very well for the criminals, with very little upfront investment.

This particular ransomware is not dangerous in contrast to cryptoviruses that can be in practice impossible to recover from without a good backup. It is like a robbery using a water pistol. Still – the criminals manage to steal a lot of money using this malware . It is like other phone scams – but instead of Microsoft scammers calling you they use ransomware as an inbound marketing tool – making you call their call center.

A nice and somewhat more technical post on this time of “phonescamware” can be found here by Xavier Mertens: https://isc.sans.edu/diary.html?date=2015-10-13.