SquareX Discloses Browser-Native Ransomware that Puts Millions at Risk

PALO ALTO, Calif., March 28, 2025 - From WannaCry to the MGM Resorts hack, ransomware remains one of the most damaging cyber threats plaguing enterprises. Chainalysis estimates that corporations spend nearly $1 billion on ransom payments each year, but the greater cost often comes from the reputational damage and operational disruption an attack causes.
Ransomware attacks typically involve tricking victims into downloading and installing the ransomware, which copies, encrypts and/or deletes critical data on the device, with restoration promised only upon payment of the ransom. Traditionally, the primary target of ransomware has been the victim's device. However, with the proliferation of cloud and SaaS services, the device no longer holds the keys to the kingdom. Instead, the browser has become the primary way employees conduct work and interact with the internet. In other words, the browser is becoming the new endpoint.
SquareX has been disclosing major browser vulnerabilities such as Polymorphic Extensions and Browser Syncjacking, and is now issuing a strong warning about the emergence of browser-native ransomware. SquareX's founder, Vivek Ramachandran, cautions: "With the recent surge in browser-based identity attacks like the one we saw with the Chrome Store OAuth attack, we are beginning to see evidence of the 'ingredients' of browser-native ransomwares being used by adversaries. It is only a matter of time before one smart attacker figures out how to put all the pieces together. While EDRs and Anti-Viruses have played an unquestionably vital role in defending against traditional ransomware, the future of ransomware will no longer involve file downloads, making a browser-native solution a necessity to combat browser-native ransomwares."
Unlike traditional ransomware, browser-native ransomware requires no file download, rendering it completely undetectable by endpoint security solutions. Instead, the attack targets the victim's digital identity, exploiting the widespread shift toward cloud-based enterprise storage and the fact that browser-based authentication is the primary gateway to those resources. In the case studies SquareX demonstrated, these attacks use AI agents to automate most of the attack sequence, requiring minimal social engineering and intervention from the attacker.
One potential scenario involves socially engineering a user into granting a fake productivity tool access to their email, through which the tool can identify every SaaS application the victim is registered with. It can then use AI agents to systematically reset the passwords of those applications, locking the user out of their own accounts and holding the enterprise data stored in them hostage.
Similarly, the attacker can target file-sharing services such as Google Drive, Dropbox and OneDrive, using the victim's identity to copy out and then delete every file stored under the account. Critically, the attacker also gains access to all shared drives, including those shared by colleagues, customers and other third parties. This significantly expands the attack surface of browser-native ransomware: where the impact of most traditional ransomware is confined to a single device, a single employee's mistake is all it takes for attackers to gain full access to enterprise-wide resources.
As fewer and fewer files are downloaded, attackers will inevitably follow work and valuable data to where it is created and stored. As browsers become the new endpoint, enterprises must reconsider their browser security strategy: just as EDRs were critical in defending against file-based ransomware, a browser-native solution with a deep understanding of client-side, application-layer identity attacks will become essential in combating the next generation of ransomware attacks.
To learn more about this security research, visit https://sqrx.com/browser-native-ransomware
About SquareX:
SquareX's industry-first Browser Detection and Response (BDR) solution helps organizations detect, mitigate and threat-hunt client-side web attacks happening against their users in real time. In addition to browser ransomware, SquareX also protects against various browser threats including identity attacks, malicious extensions, advanced spearphishing, GenAI DLP and insider threats.
The browser-native ransomware disclosure is part of the Year of Browser Bugs project. Every month, SquareX's research team releases a major web attack that focuses on architectural limitations of the browser and incumbent security solutions. Previously disclosed attacks include Browser Syncjacking and Polymorphic Extensions.
To learn more about SquareX's BDR, contact us at founder@sqrx.com.