RøB: Ransomware over Modern Web Browsers
Abstract
File System Access (FSA) API enables web applications to
interact with files on the users’ local devices. Even though it
can be used to develop rich web applications, it greatly extends the attack surface, which can be abused by adversaries
to cause significant harm. In this paper, for the first time in the
literature, we extensively study this new attack vector that can
be used to develop a powerful new ransomware strain over
a browser. Using the FSA API and WebAssembly technology, we demonstrate this novel browser-based ransomware
called RØB as a malicious web application that encrypts the
user’s files from the browser. We use RØB to perform impact
analysis with different OSs, local directories, and antivirus solutions as well as to develop mitigation techniques against it.
Our evaluations show that RØB can encrypt the victim’s local
files including cloud-integrated directories, external storage
devices, and network-shared folders regardless of the access
limitations imposed by the API. Moreover, we evaluate and
show how the existing defense solutions fall short against
RØB in terms of their feasibility. We propose three potential
defense solutions to mitigate this new attack vector. These
solutions operate at different levels (i.e., browser-level, filesystem-level, and user-level) and are orthogonal to each other.
Our work strives to raise awareness of the dangers of RØBlike browser-based ransomware strains and shows that the
emerging API documentation (in this case the popular FSA)
can be equivocal in terms of reflecting the extent of the threat.
