1.
Harun Oz, Ahmet Aris, Abbas Acar, Güliz Seray Tuncay, Leonardo Babun, Selcuk Uluagac
RøB: Ransomware over Modern Web Browsers (Conference Paper)
In the Proceedings of the 32nd USENIX Security Symposium, 2023.
Tags: Malware, Ransomware, Web Security
@conference{OZRans2023,
title = {RøB: Ransomware over Modern Web Browsers},
author = {Harun Oz and Ahmet Aris and Abbas Acar and Güliz Seray Tuncay and Leonardo Babun and Selcuk Uluagac},
url = {https://www.usenix.org/conference/usenixsecurity23/presentation/oz
https://www.youtube.com/watch?v=MUVNz6p3_jk
https://research.google/pubs/r%C3%B8b-ransomware-over-modern-web-browsers/},
year = {2023},
date = {2023-08-01},
urldate = {2023-08-01},
booktitle = {In the Proceedings of the 32nd USENIX Security Symposium},
abstract = {File System Access (FSA) API enables web applications to interact with files on the users' local devices. Even though it can be used to develop rich web applications, it greatly extends the attack surface, which can be abused by adversaries to cause significant harm. In this paper, for the first time in the literature, we extensively study this new attack vector that can be used to develop a powerful new ransomware strain over a browser. Using the FSA API and WebAssembly technology, we demonstrate this novel browser-based ransomware called RøB as a malicious web application that encrypts the user's files from the browser. We use RøB to perform impact analysis with different OSs, local directories, and antivirus solutions as well as to develop mitigation techniques against it. Our evaluations show that RøB can encrypt the victim's local files including cloud-integrated directories, external storage devices, and network-shared folders regardless of the access limitations imposed by the API. Moreover, we evaluate and show how the existing defense solutions fall short against RøB in terms of their feasibility. We propose three potential defense solutions to mitigate this new attack vector. These solutions operate at different levels (i.e., browser-level, file-system-level, and user-level) and are orthogonal to each other. Our work strives to raise awareness of the dangers of RøB-like browser-based ransomware strains and shows that the emerging API documentation (i.e., the popular FSA) can be equivocal in terms of reflecting the extent of the threat.},
keywords = {Malware, Ransomware, Web Security},
pubstate = {published},
tppubtype = {conference}
}
2.
Harun Oz, Ahmet Aris, Albert Levi, A. Selcuk Uluagac
A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions (Journal Article)
ACM Computing Surveys (CSUR), 2022.
Tags: Malware, Ransomware
@article{OzSurveyRansomware,
title = {A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions},
author = {Harun Oz and Ahmet Aris and Albert Levi and A. Selcuk Uluagac},
url = {https://doi.org/10.1145/3514229},
year = {2022},
date = {2022-09-01},
urldate = {2022-09-01},
journal = {ACM Computing Surveys (CSUR)},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
abstract = {In recent years, ransomware has been one of the most notorious malware targeting end-users, governments, and business organizations. It has become a very profitable business for cybercriminals with revenues of millions of dollars, and a very serious threat to organizations with financial losses of billions of dollars. Numerous studies were proposed to address the ransomware threat, including surveys that cover certain aspects of ransomware research. However, no study exists in the literature that gives the complete picture on ransomware and ransomware defense research with respect to the diversity of targeted platforms. Since ransomware is already prevalent in PCs/workstations/desktops/laptops, and is becoming more prevalent in mobile devices, and has already hit IoT/CPS recently, and will likely grow further in the IoT/CPS domain very soon, understanding ransomware and analyzing defense mechanisms},
keywords = {Malware, Ransomware},
pubstate = {published},
tppubtype = {article}
}
Citations: 8413
h-index: 44
i10-index: 107