Jump to Content

RøB: Ransomware over Modern Web Browsers

Harun Oz
Ahmet Aris
Abbas Acar
Leonardo Babun
Selcuk Uluagac
USENIX Security (2023)


File System Access (FSA) API enables web applications to interact with files on the users’ local devices. Even though it can be used to develop rich web applications, it greatly extends the attack surface, which can be abused by adversaries to cause significant harm. In this paper, for the first time in the literature, we extensively study this new attack vector that can be used to develop a powerful new ransomware strain over a browser. Using the FSA API and WebAssembly technology, we demonstrate this novel browser-based ransomware called RØB as a malicious web application that encrypts the user’s files from the browser. We use RØB to perform impact analysis with different OSs, local directories, and antivirus solutions as well as to develop mitigation techniques against it. Our evaluations show that RØB can encrypt the victim’s local files including cloud-integrated directories, external storage devices, and network-shared folders regardless of the access limitations imposed by the API. Moreover, we evaluate and show how the existing defense solutions fall short against RØB in terms of their feasibility. We propose three potential defense solutions to mitigate this new attack vector. These solutions operate at different levels (i.e., browser-level, filesystem-level, and user-level) and are orthogonal to each other. Our work strives to raise awareness of the dangers of RØBlike browser-based ransomware strains and shows that the emerging API documentation (in this case the popular FSA) can be equivocal in terms of reflecting the extent of the threat.