RøB: Ransomware over Modern Web Browsers

The developers of web browsers spend significant effort on enhancing browsers by continuously adding new technologies. Web application developers take advantage of these technologies by offering new functionalities that previously could be performed only by native applications. One such technology is the File System Access (FSA) API, which has been developed by the Web Platform Incubator Community Group. It enables web applications to interact with the users’ local file systems.

Even though the FSA API can be used to develop powerful web applications, it can also be abused by adversaries to develop a novel ransomware strain as a web application that encrypts the user’s files from the browser. Such an attack could effortlessly be performed by an adversary who designs a seemingly benign web application and uses malicious tactics (i.e., phishing, malvertisement) to trick the user into granting access to sensitive portions of their local file system. Despite the briefly mentioned risks of ransomware in the FSA API documentation, the deployed countermeasure in its current form (i.e., hard-coded blocking of system-sensitive directories) is not effective at protecting sensitive user files in non-system directories, subdirectories of the system-sensitive directories, or any other directories such as cloud-integrated directories, external directories, or network-shared folders. More importantly, no prior work has investigated the impact of this new threat vector in detail. In this work, we implemented a novel browser-based ransomware, namely RØB – Ransomware over Browser, that performs its malicious actions via the emerging web technologies, the FSA API and WebAssembly (Wasm). Although the security model of the FSA API suggests restricting access to some of the system directories (e.g., file system root, user’s home, operating system), our experiments reveal that RØB can still encrypt files in user directories, data partitions, external storage devices (e.g., flash drives), shared network volumes, and cloud-integrated directories, rendering the defense mechanism suggested by the FSA API developers futile.

Antivirus (AV) software often detects ransomware by monitoring sensitive folders and identifying suspicious behaviors on the victim’s computer. We performed an extensive analysis with commercial AV solutions such as AVG, Kaspersky, Avast, Malwarebytes, and TrendMicro. We found that RØB evades all of these AVs. In addition to AVs, many highly accurate ransomware defense studies exist in the literature, such as detection systems that employ static analysis or dynamic analysis features. We examined their effectiveness against RØB-like ransomware; unfortunately, they fail to detect RØB because of its distinct features: it requires no installation, runs within the browser, and uses Wasm-based encryption libraries. Hence, there is a need for a new solution that can effectively tackle browser-based ransomware attacks.

We propose three potential defense solutions at different levels (i.e., browser-level, file-system-level, and user-level). Our first solution, namely malicious modification identification, monitors the FSA API to detect malicious modifications of RØB-like attacks before they overwrite the victim’s local files. Our second approach, namely local activity monitoring, monitors the browser’s local activity (e.g., read and write function/API calls, file system activities) to detect the potential patterns of ransomware. Our third solution aims to increase the (in)security awareness of users via a new UI design for the FSA API’s permission dialog boxes. Unlike the existing dialog boxes of the FSA API, the new dialog boxes we present inform users about the risks and implications of allowing web applications that utilize the FSA API to interact with local files. These three proposed approaches are crucial to mitigating this new attack vector at different levels; however, none of them is a panacea on its own due to the distinct features of this new attack vector. More research effort is needed to enable web applications to interact with local files in a secure manner.

Ransomware over Modern Web Browsers

Implementation

Figure 1 shows the system model of RØB, which consists of five modules: Backend, Web User Interface (UI), File System Access, Encryption, and Extortion.

Backend Module. This module receives HTTP requests from clients (victims) and creates a public-private key pair and a unique ID for each victim. Keys and victim IDs are stored in its database. Afterward, it sends an HTTP response to the victim that includes the other components of RØB, the client ID, and the encryption keys generated for that client. The keys stored by the Backend module for each client are shared only with those who pay for the recovery of their files.

Web User Interface Module. This module contains the content that determines the look of the website, which aims to trick victims into enabling RØB to access their local file system. The attacker can design the Web UI component differently depending on the malicious scenario. For example, the adversary can design this module as a media (e.g., picture, video) editor.

File System Access Module. This module contains the necessary logic to interact with the victim’s files from the web application using the FSA API. RØB works in a read-encrypt-overwrite loop for every file in the directory selected by the user.

Encryption Module. This module includes the functions/modules that encrypt the victim’s files. RØB performs hybrid encryption on the victim’s files to make recovery attempts impossible for users. In our implementation, this module first generates a symmetric key and encrypts the victim’s files with AES-256. After all of the files have been encrypted, it encrypts the AES key with RSA-2048 using the public key generated by the Backend module.

Extortion Module. This module redirects the user to the ransom note link that informs the victim about the ransomware attack and gives details regarding the ransom payment method.

Fig. 1: System model of RØB ransomware.

(In)Effectiveness of Current Defense Solutions

The ransomware defense approaches for PCs can be grouped into three categories: 1) static analysis-based detection methods, 2) dynamic analysis-based detection methods, and 3) key extraction-based recovery solutions.

Static Analysis-based Solutions. Many researchers have proposed static analysis-based solutions that utilize structural features such as strings and opcodes to detect ransomware. Although those solutions can detect well-known ransomware strains, they are vulnerable to common evasion attempts such as obfuscation. In the context of browser-based ransomware attacks, adversaries are free to use any available tool and employ obfuscation techniques to evade all types of static analysis-based tools. Therefore, such solutions are not suitable for browser-based ransomware attacks.

Dynamic Analysis-based Solutions. Dynamic analysis-based solutions use behavioral features such as network activity, API/system calls, I/O access patterns, and file system activity to detect ransomware. First, RØB does not need frequent C&C server communication. In fact, a single HTTP request to the Backend module of RØB is sufficient for it to be delivered in an HTTP response packet and perform its malicious actions. In addition, RØB’s communication is based on HTTP over TCP, which is used by almost every benign website and web application. Therefore, solutions that use network traffic features would struggle to detect RØB. Second, unlike conventional ransomware, RØB can perform malicious actions without being installed on the system. Therefore, it can evade registry-based solutions. Due to the high computation cost of malware analysis environments, ransomware analysis environments such as (albeit very useful) have become impractical against RØB-like attacks, as it is not practical to analyze every website in such an environment before a user visits it. Additionally, ransomware defense solutions such as utilize features retrieved from file system activities such as folder listing and files written, read, renamed, and deleted. These defense solutions have been designed around the file system activities performed by the process of the ransomware executable. Nevertheless, the file system activities of RØB differ from the ones these traditional ransomware defense solutions expect, so they will not be effective at detecting RØB. Furthermore, defense solutions such as treat the browser as a benign web application, so that they will introduce a false positive in detecting RØB with their current implementation.

Key Extraction-based Solutions. Some ransomware defense systems use memory forensic techniques to retrieve the attacker’s keys and recover the files. To test the feasibility of key extraction from RØB, we created a Node.js script utilizing Puppeteer to periodically capture heap snapshots of the web application. We performed two experiments. First, we ran RØB on a test directory and retrieved two heap snapshots: one during the attack and another afterward. Second, we adjusted our script to continuously capture heap snapshots of RØB every 5 seconds, retrieving a total of 4 different snapshot files. We inspected all output files to search for our predefined key. While we did not encounter the key in the files from our first experiment, we detected the key in a single file from our second experiment. The focus of these experiments was the potential extraction of a raw key during a browser-based ransomware attack. Nevertheless, if intermediate key representations (e.g., AES T-tables) are detected in the snapshot, that would also be sufficient to enable recovery of the key. Our experiments reveal that extracting the key during a browser-based ransomware attack is feasible, but it is not practical. Firstly, taking heap snapshots (each snapshot is about 4.8 MB) of every website the user visits and storing them for further analysis requires a huge amount of memory and may potentially affect the user experience. Additionally, RØB could use RSA public key encryption alone to encrypt each file, potentially evading this type of defense solution.

Potential Defense Solutions

In this study, we propose three different defense solutions that are based on the above-mentioned approaches to mitigate this new attack vector at different levels, and we implement a proof-of-concept design for each proposed defense solution. In the next subsection, we first explain the details of these approaches and present proof-of-concept implementations.

Approach 1: Malicious Modification Identification via API Hooking. In this approach, we aim to find indicators that would effectively identify malicious modifications and hence signal the presence of RØB-like attacks.

Approach 2: Local Activity Monitoring. Our second approach to preventing RØB-like attacks employs local activity monitoring of web applications that use the FSA API. Such an approach can be implemented to monitor the following local activities: 1) FSA API function calls, 2) browser process system calls, and 3) file system activities.
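As an added example covering Approaches 1 and 2 (this is not the paper's or the project's code), the following Node.js script hooks an FSA-style `createWritable()` so that every `write()` is vetted before it reaches the file, and feeds each write into a monitor that looks for the read-encrypt-overwrite loop. The indicators used here, Shannon entropy of the written bytes and the number of distinct files overwritten within a time window, together with all thresholds, the in-memory `MockFileHandle`, and the xorshift-generated bytes standing in for ciphertext, are assumptions of this example and not measurements or indicators from the paper. In a browser the hook would be installed on `FileSystemFileHandle.prototype` from an extension content script and `readOriginal` would be built on `handle.getFile()`; here it runs offline against the mock.

```javascript
// Added example (not the paper's or project's code): hook an FSA-style
// createWritable() and vet every write() for a read-encrypt-overwrite pattern.
// Indicators, thresholds, mock handle and "ciphertext" are all assumptions.

// Shannon entropy in bits per byte (0..8): ciphertext is near 8, text far below.
function shannonEntropy(bytes) {
  const counts = new Array(256).fill(0);
  for (const b of bytes) counts[b]++;
  return counts.reduce((h, c) =>
    c ? h - (c / bytes.length) * Math.log2(c / bytes.length) : h, 0);
}

// Approach 2 piece: remembers suspicious overwrites per file and alerts when
// too many distinct files are hit inside one time window.
class FsaActivityMonitor {
  constructor(opts = {}) {
    Object.assign(this, { entropyThreshold: 7.0, maxFilesPerWindow: 5, windowMs: 10000, now: Date.now }, opts);
    this.events = [];  // { file, t } per suspicious overwrite
    this.alerts = [];  // { t, files } per window-threshold hit
  }

  // Approach 1 piece: indicator check for one write of `chunk` to `fileName`;
  // `original` is the pre-write content, or null for a newly created file.
  inspectWrite(fileName, chunk, original) {
    const t = this.now();
    const entropy = shannonEntropy(chunk);
    const readableBefore = original !== null && shannonEntropy(original) < this.entropyThreshold;
    // Per-file signal: readable content replaced by ciphertext-like bytes.
    if (entropy >= this.entropyThreshold && readableBefore) this.events.push({ file: fileName, t });
    // Loop signal: many such files within the window.
    const recent = new Set(this.events.filter(e => t - e.t <= this.windowMs).map(e => e.file));
    if (recent.size >= this.maxFilesPerWindow) {
      this.alerts.push({ t, files: [...recent] });
      return { allow: false, entropy,
        reason: `${recent.size} files overwritten with high-entropy data within ${this.windowMs} ms` };
    }
    return { allow: true, entropy };
  }
}

// Wraps createWritable() on a FileSystemFileHandle-like prototype (in a browser:
// FileSystemFileHandle.prototype, with readOriginal built on handle.getFile()).
// Copes with createWritable() returning the stream directly or as a Promise.
function installFsaHook(handleProto, monitor, readOriginal) {
  const origCreateWritable = handleProto.createWritable;
  handleProto.createWritable = function (...args) {
    const handle = this;
    const original = readOriginal(handle);
    const wrap = (writable) => {
      const origWrite = writable.write.bind(writable);
      writable.write = (chunk) => {
        const bytes = chunk instanceof Uint8Array ? chunk : new TextEncoder().encode(String(chunk));
        const verdict = monitor.inspectWrite(handle.name, bytes, original);
        if (!verdict.allow) throw new Error(`blocked write to ${handle.name}: ${verdict.reason}`);
        return origWrite(chunk);
      };
      return writable;
    };
    const result = origCreateWritable.apply(this, args);
    return (result && typeof result.then === 'function') ? result.then(wrap) : wrap(result);
  };
  return () => { handleProto.createWritable = origCreateWritable; };  // uninstall
}

// Constructed in-memory stand-in for FileSystemFileHandle so this runs offline.
class MockFileHandle {
  constructor(name, content) { this.name = name; this.content = content; }
  createWritable() { const h = this; return { write(c) { h.content = c; }, close() {} }; }
}

// Deterministic xorshift32 bytes standing in for ciphertext (no real encryption).
function pseudoRandomBytes(n, seed) {
  let x = ((0x9E3779B9 ^ (seed + 1)) >>> 0) || 1;
  return Uint8Array.from({ length: n }, () => {
    x ^= x << 13; x >>>= 0; x ^= x >>> 17; x ^= x << 5; x >>>= 0;
    return x >>> 24;
  });
}

// Replays the loop over `fileCount` constructed text files, 100 ms apart, with
// the hook installed. Returns where it was blocked (-1 if never) and alert count.
function simulateOverwriteLoop(fileCount) {
  let clock = 0;
  const monitor = new FsaActivityMonitor({ now: () => clock });
  const restore = installFsaHook(MockFileHandle.prototype, monitor, h => h.content);
  const text = new TextEncoder().encode('The quick brown fox jumps over the lazy dog. '.repeat(20));
  let blockedAt = -1;
  for (let i = 0; i < fileCount; i++) {
    clock += 100;
    const writable = new MockFileHandle(`doc${i}.txt`, text).createWritable();
    try { writable.write(pseudoRandomBytes(900, i)); writable.close(); }
    catch (e) { blockedAt = i; break; }
  }
  restore();
  return { blockedAt, alerts: monitor.alerts.length };
}

console.log(simulateOverwriteLoop(8));  // constructed run: { blockedAt: 4, alerts: 1 }
```

Running the script replays a constructed read-encrypt-overwrite loop over eight text files: the first four overwrites pass, and the fifth within the window is refused and recorded as an alert. The per-file entropy rule on its own would flag legitimate saves of compressed or already-encrypted files, which is why a single high-entropy write to a new file is allowed and blocking only happens once several readable files have been replaced inside one window; the number of files already overwritten before the block fires is the cost of that trade-off and argues for a small window threshold.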

Approach 3: New UI Design. In this approach, instead of detecting the malicious activity of RØB, we aim to raise the security awareness of users and better inform them about the risks of allowing web applications to interact with local files.

Conclusion

In this work, we designed and implemented the first browser-based ransomware, RØB, and showed the inefficacy of the defense suggested in the underlying FSA API documentation. Our extensive evaluations with 3 different OSs, 29 distinct directories, and 5 cloud providers showed that RØB is capable of encrypting numerous types of files in various local directories, cloud-integrated directories, external storage devices, and network-shared folders. Since existing ransomware detection systems, including commercial antivirus solutions, face several issues against RØB due to its distinct features, there was a need for a new defense solution against RØB-style attacks. Therefore, we proposed three different defense approaches to mitigate this new attack vector at different levels.

Harun Oz
Graduate Research Assistant
Ahmet Aris
Postdoctoral Associate
Abbas Acar
Postdoctoral Associate
Güliz Seray Tuncay
Senior Research Scientist
Leonardo Babun
Senior Research Scientist
Selcuk Uluagac
Eminent Scholar Chaired Professor

Publications

2023

Oz, Harun; Aris, Ahmet; Acar, Abbas; Tuncay, Güliz Seray; Babun, Leonardo; Uluagac, Selcuk

RøB: Ransomware over Modern Web Browsers (Conference Paper)

In the Proceedings of the 32nd USENIX Security Symposium, 2023.

2022

Oz, Harun; Aris, Ahmet; Levi, Albert; Uluagac, A. Selcuk

A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions (Journal Article)

ACM Computing Surveys (CSUR), 2022.

Bhansali, Shrenik; Aris, Ahmet; Acar, Abbas; Oz, Harun; Uluagac, Selcuk

A First Look at Code Obfuscation for WebAssembly (Conference Paper)

In the Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2022.

Media Coverage

Will be updated soon.

This work was partially supported by the US National Science Foundation, Cyber Florida, and the Google ASPIRE Program. The views expressed are those of the authors only, not of the funding agencies.