Browser-native ransomware emerging


SquareX’s research team has discovered browser-native ransomware, a novel class of ransomware that does not involve any file download or malicious code execution in the endpoint, allowing it to completely bypass endpoint security.

Unlike traditional ransomware, which tricks victims into downloading malicious files, this browser-native ransomware attack targets the victim’s digital identity to gain unauthorized access to the victim’s file storage, email and/or local password storage. With the help of AI agents, the attacker can then use this access to systematically exfiltrate files and sensitive data stored in SaaS apps, threatening to leak the data if the ransom is not paid.

Critically, attackers can also gain access to all shared drives, including those shared by colleagues, customers and other third parties. This significantly expands the attack surface of browser-native ransomware: where the impact of most traditional ransomware is confined to a single device, here a single employee’s mistake is all it takes for attackers to gain full access to enterprise-wide resources.

With the rise of cloud and SaaS platforms, the device itself is no longer the main gateway to valuable data. Instead, the browser has become the central way in which employees work and engage with the internet. As a result, attackers are shifting their focus to the browser, where the majority of work is now being done and stored.

As the browser becomes the new endpoint, SquareX is already seeing early evidence that browser-native ransomware is the future of ransomware, one that EDRs cannot detect at all, leaving millions of organizations at risk.
