JavaScript has a window.onbeforeunload event triggered when the user tries to close the browser. One can associate a function with this event, which will be called when one tries to close the browser. In case of browser ransomware, the code in the associated function should open up ransomware warning messages when the victim tries to close the browser.
A browser (or any application) can be shut down with a keystroke combination of Alt + F4. JavaScript also has an event related to keystrokes when one is working on the browser. One can find out what key has been pressed by using event.keyCode in JavaScript. The ransomware, in this case, checks whether Alt + F4 or Alt+Tab has been pressed. If it detects these key events it again opens up a ransomware warning message: