Tue 14 May 2024:
You probably know better than to click on links that download unknown files onto your computer. It turns out that uploading files can get you into trouble, too.
Today’s web browsers are much more powerful than earlier generations of browsers. They’re able to manipulate data within both the browser and the computer’s local file system. Users can send and receive email, listen to music or watch a movie within a browser with the click of a button.
Unfortunately, these capabilities also mean that hackers can find clever ways to abuse the browsers to trick you into letting ransomware lock up your files when you think that you’re simply doing your usual tasks online.
I’m a computer scientist who studies cybersecurity. My colleagues and I have shown how hackers can gain access to your computer’s files via the File System Access Application Programming Interface (API), which enables web applications in modern browsers to interact with the users’ local file systems.
The threat applies to Google’s Chrome and Microsoft’s Edge browsers but not Apple’s Safari or Mozilla’s Firefox. Chrome accounts for 65% of browsers used, and Edge accounts for 5%. To the best of my knowledge, there have been no reports of hackers using this method so far.
My colleagues, who include a Google security researcher, and I have communicated with the developers responsible for the File System Access API, and they have expressed support for our work and interest in our approaches to defending against this kind of attack. We also filed a security report to Microsoft but have not heard from them.
Double-edged sword
Today’s browsers are almost operating systems unto themselves. They can run software programs and encrypt files. These capabilities, combined with the browser’s access to the host computer’s files – including ones in the cloud, shared folders and external drives – via the File System Access API, create a new opportunity for ransomware.
Imagine you want to edit photos on a benign-looking free online photo editing tool. When you upload the photos for editing, any hackers who control the malicious editing tool can access the files on your computer via your browser. The hackers would gain access to the folder you are uploading from and all subfolders. Then the hackers could encrypt the files in your file system and demand a ransom payment to decrypt them.
Today’s web browsers are more powerful – and in some ways more vulnerable – than their predecessors.
Ransomware is a growing problem. Attacks have hit individuals as well as organizations, including Fortune 500 companies, banks, cloud service providers, cruise operators, threat-monitoring services, chip manufacturers, governments, medical centers and hospitals, insurance companies, schools, universities and even police departments. In 2023, organizations paid more than US$1.1 billion in ransomware payments to attackers, and 19 ransomware attacks targeted organizations every second.
It is no wonder ransomware is the No. 1 arms race today between hackers and security specialists. Traditional ransomware runs on your computer after hackers have tricked you into downloading it.
New defenses for a new threat
A team of researchers I lead at the Cyber-Physical Systems Security Lab at Florida International University, including postdoctoral researcher Abbas Acar and Ph.D. candidate Harun Oz, in collaboration with Google Senior Research Scientist Güliz Seray Tuncay, have been investigating this new type of potential ransomware for the past two years. Specifically, we have been exploring how powerful modern web browsers have become and how they can be weaponized by hackers to create novel forms of ransomware.
In our paper, RøB: Ransomware over Modern Web Browsers, which was presented at the USENIX Security Symposium in August 2023, we showed how this emerging ransomware strain is easy to design and how damaging it can be. In particular, we designed and implemented the first browser-based ransomware, called RøB, and analyzed its use with browsers running on three different major operating systems – Windows, Linux and macOS – five cloud providers and five antivirus products.
Our evaluations showed that RøB is capable of encrypting numerous types of files. Because RøB runs within the browser, there are no malicious payloads for a traditional antivirus program to catch. This means existing ransomware detection systems face several issues against this powerful browser-based ransomware.
We proposed three different defense approaches to mitigate this new ransomware type. These approaches operate at different levels – browser, file system and user – and complement one another.
The first approach temporarily halts a web application – a program that runs in the browser – in order to detect encrypted user files. The second approach monitors the activity of the web application on the user’s computer to identify ransomware-like patterns. The third approach introduces a new permission dialog box to inform users about the risks and implications associated with allowing web applications to access their computer’s file system.
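To make the first two approaches concrete, here is an added example (not code from the RøB paper or from any browser) of a monitor that inspects what a web application wrote back to files in a granted folder and decides whether to halt it. The entropy and file-header heuristics, the thresholds, the event shape and the sample data are all assumptions made for illustration.

```javascript
// Added example: heuristic check of overwrites made by one web-app session.
// Thresholds and the event shape are assumptions, not taken from the RøB paper.
const MAGIC = [[0xff, 0xd8, 0xff], [0x89, 0x50, 0x4e, 0x47], [0x25, 0x50, 0x44, 0x46]]; // JPEG, PNG, PDF

function shannonEntropy(bytes) {
  if (bytes.length === 0) return 0;
  const counts = new Array(256).fill(0);
  for (const b of bytes) counts[b]++;
  let h = 0;
  for (const c of counts) {
    if (c > 0) h -= (c / bytes.length) * Math.log2(c / bytes.length);
  }
  return h; // bits per byte, 0..8
}

function hasMagic(bytes, magic) { return magic.every((v, i) => bytes[i] === v); }

// An overwrite looks like encryption when the new content is near-random and
// either entropy jumped (text, documents) or a known file header vanished
// (already-compressed formats such as JPEG, where entropy barely moves).
function looksEncrypted(before, after) {
  const hAfter = shannonEntropy(after);
  if (hAfter < 7.5) return false;
  const jumped = hAfter - shannonEntropy(before) > 1.0;
  const magic = MAGIC.find(m => hasMagic(before, m));
  const headerLost = magic !== undefined && !hasMagic(after, magic);
  return jumped || headerLost;
}

// Halt the app once more than maxSuspicious distinct files look encrypted.
function assessSession(writes, maxSuspicious = 2) {
  const flagged = new Set(writes.filter(w => looksEncrypted(w.before, w.after)).map(w => w.path));
  return { flagged: [...flagged].sort(), halt: flagged.size > maxSuspicious };
}

// Constructed sample data: xorshift32 pseudo-random bytes stand in for ciphertext.
function pseudoRandom(n, seed) {
  const out = new Uint8Array(n);
  let x = seed >>> 0;
  for (let i = 0; i < n; i++) { x ^= x << 13; x ^= x >>> 17; x ^= x << 5; out[i] = x & 0xff; }
  return out;
}
function jpegLike(seed) { const b = pseudoRandom(4096, seed); b.set(MAGIC[0]); return b; }
const text = new TextEncoder().encode("Quarterly report draft. ".repeat(170));
const sampleWrites = [
  { path: "docs/report.txt", before: text, after: pseudoRandom(4096, 11) },
  { path: "docs/notes.txt", before: text, after: pseudoRandom(4096, 12) },
  { path: "pics/a.jpg", before: jpegLike(7), after: pseudoRandom(4096, 13) },
  { path: "pics/b.jpg", before: jpegLike(8), after: jpegLike(9) }, // ordinary photo edit
];
```

The ordinary photo edit keeps its JPEG header and is not flagged, while the three overwrites that turn readable or well-formed files into headerless random bytes push the session over the halt threshold.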
When it comes to protecting your computer, be careful about where you upload as well as download files. Your uploads could be giving hackers an “in” to your computer.
Author:
Selcuk Uluagac
Professor of Computing and Information Science, Florida International University
Dr. Selcuk Uluagac is currently an Eminent Scholar Chaired Professor in the Knight Foundation School of Computing and Information Science at Florida International University, leading the Cyber-Physical Systems Security Lab with an additional courtesy appointment in the Department of Electrical & Computer Engineering. Before, he was a Senior Researcher at Georgia Tech and Symantec. He holds a PhD from Georgia Tech and MS from Carnegie Mellon University in cybersecurity. He is an expert in the areas of cybersecurity and privacy with an emphasis on their practical aspects (focusing on systems security topics, malware, ransomware, forensics, IoT, CPS, smart systems) and teaches classes in these areas. He has hundreds of papers/studies/publications in the most reputable venues such as NDSS, USENIX Security, IEEE TIFS. He received US National Science Foundation (NSF) CAREER Award (2015), US Air Force Office of Sponsored Research’s Summer Faculty Fellowship (2015), University of Padova (Italy)’s Faculty Fellowship (2016), Google’s ASPIRE Research award in security and privacy (2021), Faculty Fellowship from the Sapienza University of Rome, Italy (2022), FIU Provost Office Top Scholar Award in Established Faculty with Significant Grants (STEM Category), (2023), FIU Provost Office Top Scholar Award in Faculty with Notable Gains in Student Learning and Success (Sciences Category) (2021), FIU College of Engineering and Computing Faculty Award in Excellence in Research and Creative Activities (2021), FIU Eminent Scholar Chaired Associate Professor in the College of Engineering and Computing (2020), among others. His research has been funded by numerous government agencies and industry, e.g., NSF, Dept. of Energy, Air Force Research Lab, Dept. of Labor, Cyber Florida, Google, Microsoft, Trend Micro, and Cisco, inter alia. He is very entrepreneurial and visionary with his research. Many of his research ideas have resulted in patents (10+). 
He is chairing/serving on the of top-tier security conferences, e.g., NDSS, USENIX Security, ACM CCS, IEEE SP. In 2023, he was the TPC Chair of Security and ML Track of ACM CCS 2023 and was the General Chair of ACM Conference on Security and Privacy in Wireless and Mobile Networks (ACM WiSec) in 2019. In 2018, he co-chaired the National Institute of Standards and Technology (NIST)’s National Initiative for Cybersecurity Education (NICE) Annual Expo and Conference. In 2022, he was the TPC Co-Chair of IEEE CNS Conference. He currently serves as the deputy editor-in-chief of IEEE TIFS and as an associate editor of the IEEE TMC and Elsevier COMNET journals.