How to tackle JavaScript-based ransomware sites

Ransomware holding you and your computer hostage? Don't worry, its scheme can easily be overcome.

Topher Kessler MacFixIt Editor

Ransomware scams are nothing new to computer users; one making the rounds attempts to disguise itself as an FBI cybercrime intervention for suspected nefarious activity. If you get stung by this scam (generally the fastest way is by using underground pirated software search engines and pornographic sites that redirect to the scam page, but even innocent image searches will get you there if you're not careful), the site will present a notice claiming to come from the FBI "Cyber Department." It states that the system's browser has been seized and recorded, and that the user will have to pay a release fee of $300.

To help make the claim look legitimate, the notice displays your IP address and current city and state. The bogus notice tries to make you pay by purchasing a Green Dot MoneyPak card from your local pharmacy or convenience store, and then entering its code into the browser.

[Figure: JavaScript ransomware running in Safari. The phishing site presents a JavaScript loop that will lock your browser to the page. In this case, attempting to visit www.apple.com after loading the problematic site results in the warning showing up. Screenshot by Topher Kessler/CNET]

If you try to close the window, a notice will appear, claiming that your browser is locked, your data will be detained, and criminal proceedings will be initiated against you unless you pay up. Clicking OK results in another notice asking if you are sure you want to leave the page (a classic JavaScript warning notice), with the options to leave or stay on the page. If you click to leave, the initial warning will appear again, and the process starts again.

While this may seem like alarming behavior, the code behind this malware is actually simple JavaScript (not to be confused with Java), which takes advantage of notifications and alerts in the browser to implement a seemingly endless warning loop.

Even though the notice cycle repeats, it is limited by a hard-coded 150-cycle limit in the JavaScript code for the ransomware site. If you run into this site, or similar cases where warnings on seedy spam and malicious Web sites pop up and will not leave you alone, there are some easy fixes.

  1. Disable JavaScript temporarily
    All browsers offer an option to disable JavaScript, and doing so will break the malware site's ability to invoke the endless warning loops. To do this, click the warning option to stay on the page, and then open the browser's preferences and locate the option to disable JavaScript. In Safari this is in the Security section of the preferences, for Chrome this is in Settings > Advanced Settings > Privacy > Content Settings, and in Firefox this is in the Content section of the preferences.

    With JavaScript disabled, close the problematic browser window, and then go back and re-enable JavaScript. You can also clear your browser history, cache, top sites, and other features to prevent inadvertently revisiting the site again.
  2. Force-quit the browser
    Force-quitting your browser is another approach you can take. In some cases the browser will load your home page instead of reloading the problematic site when you next launch it, but some browsers attempt to reload the last session, so this won't always work to fix the problem.
  3. Reset Safari
    Finally, for Safari users you can use the Reset Safari option to overcome this error. To do this, simply choose "Reset Safari" from the Safari application menu, and then check the option to close all Safari windows (no other options need to be checked). This will force the window to close, break the JavaScript loop, and allow you to reopen pages without the malicious site reloading.

    [Figure: Reset Safari options. Check this option to force-close the ransomware window. This will bypass any JavaScript warnings. Screenshot by Topher Kessler/CNET]
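
The warning loop described in this article (a leave-page prompt combined with repeated alerts, capped at a fixed count) can be spotted statically in a page's script. The following is an added example, not code from the original article or from the scam page: a heuristic checker run over constructed sample scripts, where the function names, regex patterns and sample strings are all assumptions for illustration.

```javascript
// Heuristic static check for browser-lock pages: flag a script that both hooks
// page exit (beforeunload) and calls a modal dialog from inside a loop.
// The patterns below are illustrative assumptions, not a vetted signature.
const EXIT_HOOK = /\bonbeforeunload\s*=|addEventListener\s*\(\s*['"]beforeunload['"]/;
const MODAL_CALL = /\b(?:alert|confirm|prompt)\s*\(/;
const LOOP_HEAD = /\b(?:for|while)\s*\(([^)]*)\)/g;

// Return the text of the loop body that starts at `start` (just past the loop head).
function loopBody(source, start) {
  if (!/^\s*\{/.test(source.slice(start))) {   // single-statement body: read to next ';'
    const end = source.indexOf(';', start);
    return source.slice(start, end === -1 ? source.length : end + 1);
  }
  let depth = 0;
  for (let i = start; i < source.length; i++) {
    if (source[i] === '{') depth++;
    else if (source[i] === '}' && --depth === 0) return source.slice(start, i + 1);
  }
  return source.slice(start);                  // unbalanced braces: scan to end of script
}

function scanScript(source) {
  const result = { exitHook: EXIT_HOOK.test(source), loopedModal: false, loopBound: null };
  for (const head of source.matchAll(LOOP_HEAD)) {
    const body = loopBody(source, head.index + head[0].length);
    if (!MODAL_CALL.test(body)) continue;
    result.loopedModal = true;
    const bound = head[1].match(/[<>]=?\s*(\d+)/);  // literal cap such as "i < 150"
    if (bound) result.loopBound = Number(bound[1]);
  }
  // An exit hook alone is common (unsaved-form prompts); the combination is the signal.
  result.suspicious = result.exitHook && result.loopedModal;
  return result;
}

// Constructed samples (not captured from any real site).
const LOCK_SAMPLE = `
window.onbeforeunload = function () { return "sample notice"; };
for (var i = 0; i < 150; i++) { alert("sample notice"); }
`;
const BENIGN_SAMPLE = `
window.onbeforeunload = function () { if (formDirty) return "Unsaved changes"; };
for (var i = 0; i < items.length; i++) { total += items[i].price; }
`;

console.log(scanScript(LOCK_SAMPLE));   // suspicious, with the loop cap reported
console.log(scanScript(BENIGN_SAMPLE)); // exit hook only, not suspicious
```

A page flagged this way is a candidate for blocking or closer inspection; regex matching will miss obfuscated scripts, so treat a clean result as inconclusive.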
