The Evolution of Ransomware: Browser-Native Ransomware

As we move towards a cloud and SaaS-centric workplace, browsers are becoming the new endpoint. The discovery of browser-native ransomware provides a glimpse of the next generation of ransomware, one which renders EDRs obsolete and puts millions of organizations at risk.

Learn How SquareX's Browser Detection and Response (BDR) Stops Browser-Native Ransomware

For direct inquiries, please email founder@sqrx.com.

How Traditional Ransomware Works

Ransomware, a portmanteau of “ransom” and “malware,” is a type of malicious software designed to block access to a computer system or data until a ransom is paid. It typically involves three steps:

  1. Infection: Attackers trick victims into downloading and executing the ransomware through various attack vectors, such as phishing emails and malvertising campaigns.
  2. Data Encryption or Deletion: The attacker either encrypts, or exfiltrates and then deletes, all data on the device, preventing the victim from accessing their files.
  3. Ransom Solicitation: Attackers demand payment, typically in cryptocurrency, in return for the decryption key or restoration of the stolen data.

Figure: Example of WannaCry ransomware in action.

The Evolution of Ransomware is in the Browser

Most enterprise data today resides within SaaS applications. Unlike traditional ransomware, which relies on file execution, browser-native ransomware relies on identity-based attacks to gain unauthorized access. Here's how it happens:

  1. Identity Attack: Attackers compromise victims’ credentials through various identity-based exploits such as consent phishing, browser syncjacking, and polymorphic extensions.
  2. Data Exfiltration & Deletion: Using the stolen credentials, attackers log into the victim’s SaaS apps, log the victim out, then exfiltrate and delete valuable information.
  3. Ransom Solicitation: Attackers demand payment in exchange for returning the data or withholding it from public release.

Figure: How browser-native ransomware operates.

Browser-Native Ransomware Case Studies

Below are three case studies that illustrate what browser-native ransomware could look like. With the help of AI, variations of these attacks can easily be produced, and any enterprise app could be a target for browser ransomware.

File Storage Browser-Native Ransomware

In this example, the attacker gains access to the victim’s Google Drive by mimicking a legitimate app. The attacker exfiltrates and deletes all files stored in the victim’s Google Drive, including shared drives, and demands a ransom in exchange for not leaking sensitive company files.
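From a defender's side, the sequence above (a third-party app is authorized, then the same account bulk-downloads and deletes files) is visible in SaaS audit logs even though no endpoint process ever runs. The following added example, which is not code from the original post or from SquareX, flags that pattern over a constructed set of file-activity events; the event tuple layout and action names are assumptions, not any vendor's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SaaS file-activity audit events (not real logs).
# Tuple layout is assumed: (timestamp, actor, action, detail).
SAMPLE_EVENTS = [
    ("2025-03-01T09:00:00", "alice@example.com", "authorize_app", "drive-backup-helper"),
    ("2025-03-01T09:03:10", "alice@example.com", "download", "q1-forecast.xlsx"),
    ("2025-03-01T09:03:11", "alice@example.com", "download", "board-deck.pptx"),
    ("2025-03-01T09:03:12", "alice@example.com", "download", "customer-list.csv"),
    ("2025-03-01T09:04:00", "alice@example.com", "delete", "q1-forecast.xlsx"),
    ("2025-03-01T09:04:01", "alice@example.com", "delete", "board-deck.pptx"),
    ("2025-03-01T09:04:02", "alice@example.com", "delete", "customer-list.csv"),
    ("2025-03-01T10:15:00", "bob@example.com", "delete", "old-notes.txt"),  # routine cleanup
]

def parse(ev):
    ts, actor, action, detail = ev
    return datetime.fromisoformat(ts), actor, action, detail

def find_exfil_then_delete(events, window=timedelta(minutes=10), threshold=3):
    """Flag actors that delete >= threshold files inside `window`, noting how
    many of those files were downloaded around the same time and whether a
    third-party app grant (the initial-access step) preceded the burst."""
    by_actor = defaultdict(list)
    for ev in sorted(map(parse, events)):  # chronological order
        by_actor[ev[1]].append(ev)
    findings = []
    for actor, evs in by_actor.items():
        deletes = [e for e in evs if e[2] == "delete"]
        for i in range(len(deletes)):  # sliding window over deletions
            start = deletes[i][0]
            burst = [d for d in deletes[i:] if d[0] - start <= window]
            if len(burst) < threshold:
                continue
            downloaded = {e[3] for e in evs
                          if e[2] == "download" and abs(e[0] - start) <= window}
            grants = [e[3] for e in evs
                      if e[2] == "authorize_app" and start - window <= e[0] <= start]
            findings.append({
                "actor": actor,
                "deleted": len(burst),
                "also_downloaded": len({d[3] for d in burst} & downloaded),
                "recent_app_grant": grants[0] if grants else None,
            })
            break  # one finding per actor is enough for triage
    return findings

if __name__ == "__main__":
    for finding in find_exfil_then_delete(SAMPLE_EVENTS):
        print(finding)
```

Bob's single deletion stays below the threshold, while Alice's burst is reported together with the matching downloads and the app grant that preceded it.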

Email Browser-Native Ransomware

Browser-native ransomware can also be used to compromise email services. Through consent phishing, the attacker uses a malicious app to read the victim’s emails and work out which SaaS services the victim is signed up to. Using an AI agent, the attacker then systematically resets the passwords for those apps, logs the victim out, and exfiltrates all data stored in the enterprise SaaS apps to hold for ransom.

Browser-Native Ransomware via Browser Syncjacking

In January this year, we discovered the Browser Syncjacking attack, in which a malicious browser extension turns the victim’s browser into a managed profile and browser controlled by the attacker. Through Google Workspace’s sync function, all locally stored passwords are then uploaded to the attacker-managed profile, where they can be used to gain unauthorized access to SaaS applications and exfiltrate data from them.

Security Challenges in Detecting & Mitigating Browser-Native Ransomware

Compared to traditional ransomware, browser-native ransomware is both harder to detect and more damaging, for several reasons:

Brand New Attack Surface

Compared to the endpoint, the browser is still a relatively nascent attack surface. Identity attacks are frequently delivered through newer attack vectors, such as browser extensions and OAuth app authorization, that remain poorly understood and poorly managed.

Difficulty in Detecting an Ongoing Attack

With traditional ransomware, a malicious file or piece of code is eventually executed on the device, which is typically managed by the enterprise. In contrast, browser-native ransomware can target the victim’s identity in any SaaS application, including personal accounts or shadow SaaS apps that are not managed by the security team.

Existing Tools have Limited Visibility in the Browser

While EDRs play a critical role in defending against traditional ransomware, they work by inspecting malicious files and processes on the endpoint. Browser-native ransomware operates solely in the browser, without any file download or native process, and thus never triggers EDR inspection. Similarly, SASE/SSE products inspect traffic at the proxy layer to infer application-layer attacks, and have poor visibility into what happens inside the browser.

Lack of Browser-native Security Tools

Given how new the space is, most enterprises do not have the right browser-native tools to detect and mitigate browser-native ransomware. There is also no threat feed, and only limited attack documentation, that security teams can rely on.

Lateral Movement via Shared Resources

One key benefit of using cloud services is the ability to collaborate and share resources with other individuals. For instance, an employee has access not only to their own files, but to any file on the company’s shared drive that has been shared with them. This makes lateral movement easy for browser-native ransomware. Where the impact of traditional ransomware is typically limited to the victim’s device, with browser-native ransomware all it takes is one employee’s slip-up to compromise the entire organization’s shared resources.

See what SquareX's bleeding-edge Browser Detection and Response (BDR™) solution can do for you.

Given that browser-native ransomware operates entirely within the browser, only a browser-native security solution can defend against the attack.

SquareX’s industry-first Browser Detection and Response (BDR) solution detects, mitigates and threat-hunts client-side web attacks targeting employees in real time. The solution comes in the form of a lightweight browser extension that can be deployed to existing browsers via a simple group policy.

  • Web Threat Detection & Mitigation including identity attacks, malicious sites & scripts, malicious browser extensions and malicious files
  • Browser DLP including genAI DLP, clipboard DLP, file DLP and insider attacks
  • Private App Access to provide secure access to web applications and private apps via the browser, including for BYOD/unmanaged devices

SquareX’s BDR can detect and mitigate identity attacks, the initial access point for browser-native ransomware, including malicious extensions, shadow SaaS, OAuth scope abuse and advanced spearphishing attacks. For more information about SquareX’s BDR, contact us at founder@sqrx.com.