Cybersecurity researchers draw attention to a new ransomware threat; Be careful where you upload files

By | April 26, 2024

You probably know better than to click on links that download unknown files to your computer. It turns out that uploading files can also get you in trouble.

Today’s web browsers are much more powerful than previous generations of browsers. They can modify data both in the browser and in the computer’s local file system. Users can send and receive emails, listen to music or watch movies from the browser with a single click.

Unfortunately, these capabilities also mean hackers can find clever ways to abuse browsers to trick you into allowing ransomware to lock your files when you think you’re doing your usual tasks online.

I’m a computer scientist working on cybersecurity. My colleagues and I showed how hackers can access your computer’s files through the File System Access Application Programming Interface (API), which allows web applications in modern browsers to interact with users’ local file systems.

The threat applies to Google’s Chrome and Microsoft’s Edge browsers, but not Apple’s Safari or Mozilla’s Firefox. Chrome accounts for 65% of the browsers in use, and Edge for 5%. To my knowledge, there have been no reports of hackers using this method so far.

My colleagues, including a Google security researcher, and I contacted the developers responsible for the File System Access API, and they expressed support for our work and interest in our approaches to defending against such attacks. We also submitted a security report to Microsoft but have not heard back from them.

Double-edged sword

Today’s browsers are almost operating systems in themselves. They can run software programs and encrypt files. These capabilities, combined with the browser’s access to the host’s files, including those in the cloud, shared folders, and external drives, through the File System Access API, create a new opportunity for ransomware.

Imagine you want to edit photos in an innocuous-looking free online photo editing tool. When you upload photos for editing, hackers who control the malicious editing tool can access the files on your computer through your browser. They gain access to the folder you uploaded from and all of its subfolders. They can then encrypt files on your file system and demand a ransom payment to decrypt them.

Ransomware is a growing problem. The attacks have hit organizations as well as individuals, including Fortune 500 companies, banks, cloud service providers, cruise operators, threat monitoring services, chip manufacturers, governments, medical centers and hospitals, insurance companies, schools, universities, and even police departments. In 2023, organizations paid more than $1.1 billion in ransomware payments to attackers, with 19 ransomware attacks targeting organizations every second.

It’s no surprise that the #1 arms race between hackers and security experts today is ransomware. Traditional ransomware runs on your computer after hackers trick you into downloading it.

New defenses against a new threat

A team of researchers I lead at Florida International University’s Cyber-Physical Systems Security Laboratory, including postdoctoral researcher Abbas Acar and Ph.D. candidate Harun Öz, together with Google Senior Research Scientist Güliz Seray Tuncay, has been researching this new type of potential ransomware for the last two years. Specifically, we explore how powerful modern web browsers have become and how they can be weaponized by hackers to create new strains of ransomware.

In our paper RøB: Ransomware Through Modern Web Browsers, presented at the USENIX Security Symposium in August 2023, we showed how easy this emerging strain of ransomware is to design and how harmful it can be. Specifically, we designed and implemented the first browser-based ransomware, called RøB, and analyzed its use in browsers running on three different major operating systems (Windows, Linux, and macOS), five cloud providers, and five antivirus products.

Our evaluations showed that RøB is capable of encrypting a wide range of file types. Because RøB runs inside the browser, there is no malicious data that a traditional antivirus program can catch. This means that current ransomware detection systems face several challenges against this powerful browser-based ransomware.

We proposed three different defensive approaches to mitigate this new strain of ransomware. These approaches operate at different levels (browser, file system, and user) and complement each other.

The first approach temporarily stops a web application (a program running in the browser) to detect encrypted user files. The second approach monitors web application activity on the user’s computer to identify ransomware-like patterns. The third approach introduces a new permission dialog to inform users about the risks and consequences of allowing web applications to access their computer’s file system.
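As an added illustration of the file-system-level idea (watching for ransomware-like write patterns), the sketch below flags a process that rewrites several readable files into high-entropy data within a short window. It is not code from the RøB paper or its defenses; the event format, process names, paths and thresholds are all assumptions made for this example.

```python
import hashlib
import math
from collections import defaultdict

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off for "looks encrypted"
MIN_FILES = 3             # assumed: distinct files rewritten before alerting
WINDOW_SECONDS = 10.0     # assumed: burst window

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def flag_processes(events):
    """Return processes that turned >= MIN_FILES distinct low-entropy files
    into high-entropy ones within WINDOW_SECONDS.
    Each event is (timestamp, process, path, bytes_before, bytes_after)."""
    hits = defaultdict(list)  # process -> [(timestamp, path)] of suspicious rewrites
    for ts, proc, path, before, after in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(before) < ENTROPY_THRESHOLD <= shannon_entropy(after):
            hits[proc].append((ts, path))
    flagged = set()
    for proc, rewrites in hits.items():
        for i, (start, _) in enumerate(rewrites):
            burst = {p for t, p in rewrites[i:] if t - start <= WINDOW_SECONDS}
            if len(burst) >= MIN_FILES:
                flagged.add(proc)
                break
    return flagged

# Constructed sample data: readable text, and a deterministic pseudo-random
# 4 KiB buffer standing in for ciphertext.
TEXT = b"Trip notes: day one, arrived late, hotel by the harbour.\n" * 70
CIPHERLIKE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

SAMPLE_EVENTS = [
    (0.0, "browser", "/home/u/Pictures/a.txt", TEXT, CIPHERLIKE),
    (0.8, "browser", "/home/u/Pictures/b.txt", TEXT, CIPHERLIKE),
    (1.5, "browser", "/home/u/Pictures/sub/c.txt", TEXT, CIPHERLIKE),
    (2.0, "editor", "/home/u/Documents/notes.txt", TEXT, TEXT + b"one more line\n"),
    (3.0, "backup", "/home/u/archive.bin", TEXT, CIPHERLIKE),
]

if __name__ == "__main__":
    print(flag_processes(SAMPLE_EVENTS))
```

Files that are already compressed, such as JPEG photos or ZIP archives, start out above the entropy threshold, so a monitor built this way would need a second signal to cover them.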

When it comes to protecting your computer, be careful where you upload files as well as where you download them. Your uploads may be giving hackers a way to “break into” your computer.

This article is republished from The Conversation, an independent, nonprofit news organization providing facts and authoritative analysis to help you understand our complex world. Written by: Selçuk Uluağaç, Florida International University


This research was completed in 2023 and received partial funding from the US National Science Foundation, Cyber Florida, and Google ASPIRE. The views expressed are solely those of the author and not of the funding organizations. The author also thanks the FSA API developers at Google for their support and collaboration on the original USENIX Security paper in 2023.
