RøB: Ransomware over Modern Web Browsers

Ransomware over Modern Web Browsers

Implementation

Figure 1 shows the system model of the RØB that includes five modules: Backend, Web User Interface (UI), File System Access, Encryption and, Extortion.

Backend Module. This module receives HTTP requests from clients (victims), it creates a public-private key pair and a unique ID for each victim. Keys and victim IDs are stored in its database. Afterward, it sends an HTTP response to the victim, which includes the other components of RØB, client ID, and the generated encryption keys for the client. The keys stored by the Backend module for each client are shared with the ones who make payments for the recovery of their files.

Web User Interface Module. This module includes the contents regarding the look of the website that aims to trick victims to enable RØB to access their local file system. The attacker can design the Web UI component differently depending on the malicious scenario. For example, this module can be designed by the adversary as a media (e.g., picture, video) editor.

File System Access Module. This module contains the necessary logic to interact with the victim’s files from the web application using the FSA API. RØB works in a read-encryptoverwrite loop for every file in the selected directory of the user. Encryption Module. This module includes the functions/modules to encrypt the victim’s files. RØB performs hybrid encryption on the victim files to make recovery attempts impossible for users. In our implementation, this module first generates a symmetric key and encrypts the victim’s files with AES-256. After the encryption of all of the files, it encrypts the AES key with RSA-2048 using the public key that is generated by the Backend module.

Extortion Module. This module redirects the user to the ransom note link that informs the victim about the ransomware attack and gives details regarding the ransom payment method.

                                                                  Fig. 1: System model of RØB ransomware.

(In)Effectiveness of Current Defense Solutions

 The ransomware defense approaches for PCs can be grouped into three categories: 1) Static analysis-based detection methods, 2) Dynamic analysis-based detection methods, and 3) Key extraction-based recovery solutions.

Static Analysis-based Solutions. Many researchers proposed static analysis-based solutions that utilize structural features such as strings and opcodes to detect ransomware. Although those solutions can detect well-known ransomware strains, they are vulnerable to common evasion attempts such as obfuscation. In the concept of browser-based ransomware attacks, the adversaries are free to use any tool available and employ obfuscation techniques to evade all types of static analysis-based tools. Therefore, such solutions are not suitable for browser-based ransomware attacks.

Dynamic Analysis-based Solutions. The dynamic analysisbased solutions use behavioral features such as network activity, API/system calls, I/O access patterns, and file system activity to detect ransomware. First, RØB does not need frequent C&C server communication. In fact, only one HTTP request made to the Backend module of RØB is sufficient for it to be sent in an HTTP response packet and perform its malicious actions. In addition, RØB’s communication is based on HTTP over TCP which is used by almost every benign website and web application. Therefore, the solutions that use network traffic features would struggle to detect RØB. Second, unlike conventional ransomware, RØB can perform malicious actions without being installed on the system. Therefore, it can evade the registry-based solutions. Due to the high computation cost of the malware analysis environments, the ransomware analysis environments such as (albeit was very useful) has become impractical against RØB-like attacks as it is not practical to analyze every website before the visit of a user in such analysis environments. Additionally, ransomware defense solutions such as utilize the features retrieved from the file system activities such as folder listing, files written, read, renamed, and deleted. These defense solutions have been designed by monitoring the file system activities performed by the process of the ransomware executable. Nevertheless, the file system activities of RØB are different from the traditional ransomware defense solution. So, these solutions will not be effective to detect RØB. Furthermore, defense solutions such as include the browser as a benign web application, so that they will introduce a false positive in detecting RØB with their current implementation.

Key Extraction-based Solutions. Some ransomware defense systems use memory forensic techniques to retrieve the keys of the attacker to recover the files. To test the feasibility of key extraction from RØB, we created a Node.js script utilizing puppeteer to periodically capture heap snapshots of the web application. We performed two experiments. First, we ran RØB on a test directory and retrieved two heap snapshots: one during the attack and another afterward. Second, we adjusted our script to continuously capture heap snapshots of RØB every 5 seconds, retrieving a total of 4 different snapshot files. We inspected all output files to search for our predefined key. While we did not encounter the key in the files from our first experiment, we detected the key in a single file from our second experiment. The focus of these experiments was the potential extraction of a raw key during a browser-based ransomware attack. Nevertheless, if the intermediate key representations (e.g., AES T-tables) are detected in the snapshot, it would also be sufficient to enable the recovery of the key as well. Our experiments reveal that extracting the key during a browser-based ransomware attack is feasible, but it is not practical. Firstly, taking heap snapshots (each snapshot is ‘4.8MB) of every website the user is visiting and storing them for further analysis requires a huge memory and may potentially affect the user experience. Additionally, RØB can solely utilize the RSA public key encryption to encrypt each file, potentially evading this type of defense solution.

Potential Defense Solutions

In this study, we propose three different defense solutions that are based on the above-mentioned approaches to mitigate this new attack vector at different levels and we implement a proof-of-concept design for each proposed defense solution. In the next subsection, we first explain the details of these approaches and present proof of concept implementations.

 Approach 1: Malicious Modification Identification via API Hooking. In this approach, we aim to find indicators that would effectively identify malicious modification, hence signal the presence of RØB-like attacks. 

Approach 2: Local Activity Monitoring: Our second approach to prevent RØB-like attacks employs local activity monitoring of web applications that use the FSA API. Such an approach can be implemented to monitor the following local activities: 1) the FSA API function calls, 2) browser process system calls, and 3) file system activities.

Approach 3: New UI Design. In this approach, instead of detecting the malicious activity of RØB, we aim to raise the security awareness of the users and better inform them about the risks of allowing web applications to interact with local files.

Conclusion

In this work, we designed and implemented the first browserbased ransomware – RØB and showed the inefficacy of the underlying FSA API documentation. Our extensive evaluations with 3 different OSs, 29 distinct directories and 5 cloud providers showed that RØB is capable of encrypting numerous types of files in various local directories, cloud-integrated directories, external storage devices, and network-shared folders. As existing ransomware detection systems including commercial antivirus solutions face several issues against RØB due to its distinct features, there was a need to propose a new defense solution against RØB-style attacks. Therefore, we proposed three different defense approaches to mitigate this new attack vector at different levels.

Publications 

@conference{OZRans2023,

title = {RøB: Ransomware over Modern Web Browsers},

author = {Harun Oz and Ahmet Aris and Abbas Acar and Güliz Seray Tuncay and Leonardo Babun and Selcuk Uluagac},

url = {https://www.usenix.org/conference/usenixsecurity23/presentation/oz

https://www.youtube.com/watch?v=MUVNz6p3_jk

https://research.google/pubs/r%C3%B8b-ransomware-over-modern-web-browsers/},

year  = {2023},

date = {2023-08-01},

urldate = {2023-08-01},

booktitle = {In the Proceedings of the 32nd USENIX Security Symposium},

abstract = {File System Access (FSA) API enables web applications to interact with files on the users' local devices. Even though it can be used to develop rich web applications, it greatly extends the attack surface, which can be abused by adversaries to cause significant harm. In this paper, for the first time in the literature, we extensively study this new attack vector that can be used to develop a powerful new ransomware strain over a browser. Using the FSA API and WebAssembly technology, we demonstrate this novel browser-based ransomware called RøB as a malicious web application that encrypts the user's files from the browser. We use RøB to perform impact analysis with different OSs, local directories, and antivirus solutions as well as to develop mitigation techniques against it. Our evaluations show that RøB can encrypt the victim's local files including cloud-integrated directories, external storage devices, and network-shared folders regardless of the access limitations imposed by the API. Moreover, we evaluate and show how the existing defense solutions fall short against RøB in terms of their feasibility. We propose three potential defense solutions to mitigate this new attack vector. These solutions operate at different levels (i.e., browser-level, file-system-level, and user-level) and are orthogonal to each other. Our work strives to raise awareness of the dangers of RøB-like browser-based ransomware strains and shows that the emerging API documentation (i.e., the popular FSA) can be equivocal in terms of reflecting the extent of the threat.},

keywords = {},

pubstate = {published},

tppubtype = {conference}

}

@article{OzSurveyRansomware,

title = {A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions},

author = {Harun Oz and Ahmet Aris and Albert Levi and A. Selcuk Uluagac},

url = {https://doi.org/10.1145/3514229},

year  = {2022},

date = {2022-09-01},

urldate = {2022-09-01},

journal = {ACM Computing Surveys (CSUR)},

publisher = {Association for Computing Machinery},

address = {New York, NY, USA},

abstract = {In recent years, ransomware has been one of the most notorious malware targeting end-users, governments, and business organizations. It has become a very profitable business for cybercriminals with revenues of millions of dollars, and a very serious threat to organizations with financial losses of billions of dollars. Numerous studies were proposed to address the ransomware threat, including surveys that cover certain aspects of ransomware research. However, no study exists in the literature that gives the complete picture on ransomware and ransomware defense research with respect to the diversity of targeted platforms. Since ransomware is already prevalent in PCs/workstations/desktops/laptops, and is becoming more prevalent in mobile devices, and has already hit IoT/CPS recently, and will likely grow further in the IoT/CPS domain very soon, understanding ransomware and analyzing defense mechanisms},

keywords = {},

pubstate = {published},

tppubtype = {article}

}

@conference{ShrenikCodeObfus,

title = {A First Look at Code Obfuscation for WebAssembly},

author = {Shrenik Bhansali and Ahmet Aris and Abbas Acar and Harun Oz and Selcuk Uluagac},

url = {https://doi.org/10.1145/3507657.3528560},

year  = {2022},

date = {2022-01-01},

urldate = {2022-01-01},

booktitle = {In the Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec) },

abstract = {WebAssembly (Wasm) has seen a lot of attention lately as it spreads through the mobile computing domain and becomes the new standard for performance-oriented web development. It has diversified its uses far beyond just web applications by acting as an execution environment for mobile agents, containers for IoT devices, and enabling new serverless approaches for edge computing. Within the numerous uses of Wasm, not all of them are benign. With the rise of Wasm-based cryptojacking malware, analyzing Wasm applications has been a hot topic in the literature, resulting in numerous Wasm-based cryptojacking detection systems. Many of these methods rely on static analysis, which traditionally can be circumvented through obfuscation. However, the feasibility of the obfuscation techniques for Wasm programs has never been investigated thoroughly. In this paper, we address this gap and perform the first look at code obfuscation for Wasm. We apply numerous obfuscation techniques to Wasm programs, and test their effectiveness in producing a fully obfuscated Wasm program. Particularly, we obfuscate both benign Wasm-based web applications and cryptojacking malware instances and feed them into a state-of-the-art Wasm cryptojacking detector to see if current Wasm analysis methods can be subverted with obfuscation. Our analysis shows that obfuscation can be highly effective and can cause even a state-of-the-art detector to misclassify the obfuscated Wasm samples.



},

keywords = {},

pubstate = {published},

tppubtype = {conference}

}

Media Coverage

Will be updated soon.