Ransomware can hide in the websites you upload files to

FIU cybersecurity researchers warn websites that request access to your files might be able to bypass antivirus software and carry out major ransomware attacks.

Free photo editors, tax document assistants and other online apps that ask for permission to access your media can encrypt files and effectively take control of them, an FIU College of Engineering and Computing study shows. These attackers could then demand ransom in exchange for the files’ safe return.

The researchers say that the hack works on all three major PC operating systems: Windows, Linux and Mac OS. Some cloud services such as Apple Cloud, Box, Google Drive, OneDrive and Dropbox are also susceptible, as well as external drives.

Just two things are needed for a malicious website to conduct the attack.

1. A person needs to say, ‘yes’ to a pop-up that asks them to share their files, such as ‘Allow this website to access your photos?’
2. Someone must click, ‘yes,’ on a second pop-up, which is the attack. The pop-up will be disguised as a benign message, such as an advertisement or a request like, ‘May we close the rest of your tabs for you?’

Clicking ‘yes’ on these two pop-ups is all too easy, says Selcuk Uluagac, principal investigator of the research and Knight Foundation School of Computing and Information Sciences professor.

"Antivirus software systems allow these attacks because it is normal for them to give browsers access to files,” Uluagac said. “They don’t detect that anything is wrong.”

The research was conducted in collaboration with Google senior research scientist Güliz Seray Tuncay and published in the proceedings of the 32nd USENIX Security Symposium, which is a top-tier cybersecurity conference according to Google Scholar. 

“Everybody knows not to download a suspicious file. Now we are finding that it can be just as dangerous to upload a file,” said Harun Oz, a Ph.D. student on the research team.

These hacks are possible due to the increasing power of web browsers, researchers say.

“Browsers have become much more powerful over time,” said Abbas Acar, a postdoctoral researcher on the cybersecurity team. “They can access our cameras, our files, our locations and even our battery status if we give them permission to do so.”

These 'browser powers’ usually make being online more convenient and enjoyable. They make it easier to carry out everyday tasks. These capabilities are known in the tech world as APIs (application programming interfaces), and they have become integral to today’s internet ecosystem.

The FIU research is groundbreaking because it exposes the hazards behind one of the most universally used APIs: file-sharing. Since these programs are nearly ubiquitous and normally considered harmless by antivirus software systems, ransomware attacks conducted through them can be difficult to catch.

The FIU researchers explored solutions that could be implemented to protect users against this ransomware threat. They proposed three main ideas:

1. a defense solution built into the browser that stops an attempted encryption,
2. an app built into the computer that monitors files to see if they are about to be encrypted, and
3. a notification system built into the browser that warns users against possible threats.

Uluagac adds that the FIU team conducted the research with their own proof-of-concept design model and did not take advantage of any websites ‘in the wild,’ but he warns that, “Everyone should be aware that this powerful ransomware threat could be out there.”

The team hopes to extend the research to smartphones in the future. Read more about the research.