Browser-native ransomware may be the next billion-dollar threat


With a growing number of applications that can run on browsers, we might soon see a large-scale ransomware campaign without hackers even touching a device, a report warns.

Ransomware attacks have become one of the most prevalent cybersecurity threats. According to cybersecurity company Cyentia, they have generated $276 billion in losses over the past five years, similar to Argentina's gross domestic product in 2024.

Historically, ransomware attacks targeted devices, since most information was stored in local applications or on the device itself.


However, the adoption of cloud storage and software-as-a-service (SaaS) solutions has led to the majority of enterprise workflows and data being created, stored, and shared in the browser. Threat actors have been quick to adapt, with browser-native malware emerging as a new and dangerous risk.

According to a report by cybersecurity company SquareX, there is an asymmetric risk/reward for attackers who target the browser.

Impact of browser-native ransomware

Compared to traditional ransomware, browser-native ransomware is difficult to detect and has more severe implications.

“Browser-native ransomware can target the victim’s identity in any SaaS application, including personal accounts or shadow SaaS apps that are not managed by the security team,” SquareX claims.

It also notes that existing protection tools work by inspecting malicious files and processes on the device, whereas browser-native ransomware operates entirely in the browser without any file download and therefore never triggers inspection by those detection tools.

According to the company, from polymorphic extensions to the recent Cyberhaven breach, which potentially affected two million customers, there have been numerous examples of hackers shifting their focus toward browser-native attacks.

“This also serves as early evidence that attackers are beginning to discover the ‘ingredients’ required for browser-native ransomware and that it is only a matter of time before an intelligent adversary puts these pieces together to conduct the first large-scale ransomware campaign without ever touching the device,” the report reads.


Three scenarios of browser hijacking

In its report, SquareX analyses three hypothetical scenarios of how such an attack could unfold. In reality, the attack can take various forms but will generally involve the same three steps.

In one example, an attacker gains access to the victim’s Google Drive by mimicking a legitimate app.

The attacker exfiltrates and deletes all files stored in the victim’s Google Drive, including shared drives, and demands a ransom to stop them from leaking sensitive company files.

Similarly, browser-native ransomware could be used to compromise email services.

“Through consent phishing, the attacker can use a malicious app to read the victim’s emails and figure out what SaaS services they are signed up to. Using an AI agent, the attacker then systematically resets the passwords to these apps, logs the victim out, and exfiltrates all data stored in enterprise SaaS apps for ransom,” SquareX claims.

In a third example, an attacker could use browser sync-hacking: a malicious browser extension turns the victim’s browser into a managed profile, giving the attacker control over the browser.

SquareX says that, through Google Workspace’s sync function, all locally stored passwords would then be uploaded to the attacker-managed profile and could be used to gain unauthorized access to, and exfiltrate data from, SaaS applications.
