SquareX has sounded the alarm over the emergence of browser-native ransomware. Unlike other ransomware attacks, this does not require a user to download and install anything on their device. As such, it renders existing security solutions ineffective. Browser-native ransomware resides exclusively within the browser and operates by targeting the victim’s online identity. With users having multiple online identities and using multiple browser-based applications, this poses a significant threat.

Vivek Ramachandran, Founder of SquareX, said, “With the recent surge in browser-based identity attacks like the one we saw with the Chrome Store OAuth attack, we are beginning to see evidence of the ‘ingredients’ of browser-native ransomwares being used by adversaries. It is only a matter of time before one smart attacker figures out how to put all the pieces together.
“While EDRs and Anti-Viruses have played an unquestionably vital role in defending against traditional ransomware, the future of ransomware will no longer involve file downloads, making a browser-native solution a necessity to combat browser-native ransomwares.”
How does browser-native ransomware work?
An attacker sends an email to a user telling them about a new productivity tool that will improve their email. It might come through a spear phishing campaign, from a bot, or through stolen credentials from another employee. It may also be inserted into an ad offering a free trial that catches the user’s attention.
The user connects to the productivity tool, which starts a chain of events. The ransomware trawls the user’s email to identify all SaaS applications they use, both private and enterprise. It then uses AI agents to reset the user’s passwords. Finally, it logs the user out of the applications. SquareX has not confirmed whether it also resets the recovery email addresses for those apps.
It is not just SaaS applications that are at risk. Increasingly, users are storing data within cloud storage applications, such as Dropbox, Google Drive, OneDrive, and others. In this case, the malware will tell the user it needs access to view, edit, create and delete files.
Once it has access, it has full control of all the enterprise data in those applications. It can delete, encrypt, and send the data elsewhere. It can do whatever it wants with the data, because the user no longer has access. The ransomware will then send an email to the user telling them their data has been encrypted and stolen, and demand a ransom to prevent the files from being deleted or released publicly.
The use of AI agents is particularly powerful in this context. They act at machine speed and are not limited by working hours. They can even wait for the user to log off for the day and then act. This means the user will be unaware of the attack until they receive the ransom note.
What can organisations do about this?
Browser-native ransomware is undetectable by traditional Endpoint Detection and Response (EDR) and similar tools, because those tools rely on files, signatures and IOCs. The first step is to ensure that all SaaS applications are set to use multifactor authentication (MFA). That second factor should not rely on the same email account or device. That way, the malware cannot deploy secondary tools to detect the MFA request.
Another option is to deploy an authenticator app. This is more secure than many other MFA methods, but, again, it needs to be on a different device from the browser being attacked.
It is also important to educate users on how to enable MFA for both their personal and enterprise apps. This is especially important as many users use unauthorised apps for work purposes.
Security solutions that monitor enterprise storage and SaaS application storage need to use behavioural analysis. This will detect unusual activity from the user account, such as a burst of password resets or file deletions, and gives the enterprise an opportunity to revoke the account’s access to the application and storage container.
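As an added illustration of what such behavioural analysis might look like (this is not SquareX’s product or code), the Python sketch below applies three rules to SaaS audit events: password resets across several apps in a short window, bulk file deletions, and a third-party OAuth grant appearing in the same window. The event field names, thresholds and sample events are constructed assumptions, not a real platform’s log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions); a real deployment tunes these per tenant.
RESET_APPS_THRESHOLD = 3      # password resets across this many distinct apps
DELETE_THRESHOLD = 20         # file deletions from one account
WINDOW = timedelta(minutes=10)

# Constructed sample audit events: one attacked account (alice) and one benign reset (bob).
_BASE = datetime(2025, 1, 10, 18, 2, 11)

def _ev(offset_s, user, app, action):
    ts = (_BASE + timedelta(seconds=offset_s)).isoformat()
    return {"ts": ts, "user": user, "app": app, "action": action}

SAMPLE_EVENTS = (
    [_ev(0, "alice", "mailbox", "oauth_grant"),          # "productivity tool" connected
     _ev(54, "alice", "crm", "password_reset"),
     _ev(58, "alice", "hr", "password_reset"),
     _ev(63, "alice", "wiki", "password_reset"),
     _ev(69, "alice", "crm", "session_revoked")]         # user logged out
    + [_ev(109 + 5 * k, "alice", "drive", "file_delete") for k in range(25)]
    + [_ev(-32000, "bob", "crm", "password_reset")]      # lone reset earlier that day
)

def flag_accounts(events, window=WINDOW):
    """Return {user: [indicator, ...]} for accounts whose activity inside any
    `window`-long span matches the browser-native ransomware chain."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    flagged = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        indicators = set()
        for i, start in enumerate(evs):          # slide the window over each event
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            reset_apps = {e["app"] for e in in_window if e["action"] == "password_reset"}
            deletes = sum(1 for e in in_window if e["action"] == "file_delete")
            burst = len(reset_apps) >= RESET_APPS_THRESHOLD or deletes >= DELETE_THRESHOLD
            if len(reset_apps) >= RESET_APPS_THRESHOLD:
                indicators.add("mass_password_reset")
            if deletes >= DELETE_THRESHOLD:
                indicators.add("bulk_file_deletion")
            # A new third-party grant in the same window as a burst suggests a
            # browser-side app, not the user, is acting on the account.
            if burst and any(e["action"] == "oauth_grant" for e in in_window):
                indicators.add("oauth_grant_in_window")
        if indicators:
            flagged[user] = sorted(indicators)
    return flagged
```

An account returned by flag_accounts is the point at which the enterprise would revoke the app grant and the account’s sessions.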
Unsurprisingly, SquareX has its own browser detection and response (BDR) solution. It is deployed in the user’s browser and monitors for browser-native ransomware. Given that this is just one of several browser-native attacks, deploying a browser-based security solution makes sense.
Enterprise Times: What does this mean?
Wherever users work and store their data, cybercriminals will be looking for access. The browser is just the latest attack surface that organisations need to defend.
What will be of concern to most organisations is how easily and effectively browser-native ransomware can be deployed. They need to conduct immediate risk assessments to determine how they can mitigate any potential attack. While SquareX has not cited any live examples of this type of attack, it has provided multiple examples of how such an attack can occur.