RøB: ransomware over modern web browsers

Published: 09 August 2023

Abstract

The File System Access (FSA) API enables web applications to interact with files on users' local devices. Although it can be used to develop rich web applications, it greatly extends the attack surface, which adversaries can abuse to cause significant harm. In this paper, for the first time in the literature, we extensively study this new attack vector, which can be used to develop a powerful new ransomware strain that runs in a browser. Using the FSA API and WebAssembly, we demonstrate this novel browser-based ransomware, called RØB, as a malicious web application that encrypts the user's files from within the browser. We use RØB to perform an impact analysis across different OSs, local directories, and antivirus solutions, and to develop mitigation techniques against it. Our evaluations show that RØB can encrypt the victim's local files, including cloud-integrated directories, external storage devices, and network-shared folders, regardless of the access limitations imposed by the API. Moreover, we evaluate existing defense solutions and show how they fall short against RØB in terms of feasibility. We propose three potential defense solutions to mitigate this new attack vector. These solutions operate at different levels (i.e., browser level, file-system level, and user level) and are orthogonal to each other. Our work strives to raise awareness of the dangers of RØB-like browser-based ransomware strains and shows that emerging API documentation (i.e., that of the popular FSA API) can be equivocal in reflecting the extent of the threat.


Published In
SEC '23: Proceedings of the 32nd USENIX Conference on Security Symposium
August 2023
7552 pages
ISBN: 978-1-939133-37-3

Sponsors

  • Meta
  • Google Inc.
  • NSF
  • IBM
  • Futurewei Technologies

Publisher

USENIX Association

United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Acceptance Rates

Overall Acceptance Rate 40 of 100 submissions, 40%
