Full Report
AI can turn high-level malicious ideas into concrete techniques, and can independently design and implement novel attack paths that have not yet appeared in real-world campaigns. In Check Point’s research, DeepSeek connected unrealistic browser-malware concepts with a real browser capability, turning an AI-generated malware hallucination into a plausible browser-native ransomware technique. Although the generated sample…
Analysis Summary
# Tool/Technique: Browser-Native Ransomware (via File System Access API)
## Overview
This technique represents a novel, "payload-less" ransomware approach discovered through AI-driven research. It leverages legitimate web browser capabilities to encrypt files directly on a user's device without requiring traditional malware installation, exploits, or root privileges. The technique was conceptualized by the LLM DeepSeek, which bridged the gap between a theoretical "hallucination" and a practical attack using the modern File System Access API.
## Technical Details
- **Type:** Technique / Browser-Native Malware
- **Platform:** Modern Web Browsers (specifically Google Chrome on Android and Desktop)
- **Capabilities:** Direct file system read/write access, encryption of personal directories (e.g., photos), and social engineering-driven permission bypass.
- **First Seen:** July 2026 (Research publication date)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- **[T1566 - Phishing]**: Using social engineering to lure victims to a malicious webpage.
- **[TA0002 - Execution]**
- **[T1204.001 - User Execution: Malicious Link]**: Victim must navigate to the site and interact with prompts.
- **[TA0040 - Impact]**
- **[T1486 - Data Encrypted for Impact]**: Utilizing browser APIs to encrypt files in high-value directories.
## Functionality
### Core Capabilities
- **API Abuse:** Utilizes the legitimate **File System Access API** to gain handles on local files and directories.
- **Directory Access:** Specifically targets high-value personal data stores, such as the "Photos" or "DCIM" directories on Android.
- **In-Browser Encryption:** Executes encryption logic entirely within the browser's JavaScript engine, requiring no external binary or APK.
### Advanced Features
- **AI-Designed Logic:** The attack path was designed by an LLM (DeepSeek), which identified that while a browser cannot "hack" the system, it can "ask" for permission to modify files through standard web standards.
- **No-Footprint Infection:** Does not require a native payload, making it invisible to traditional file-based antivirus scanners.
## Indicators of Compromise
- **File Hashes:** N/A (Technique is script-based and dynamic).
- **File Names:** Files may be renamed with common ransomware extensions (e.g., .locked, .encrypted).
- **Registry Keys:** N/A.
- **Network Indicators:**
- Traffic to malicious domains hosting the script: `[malicious-domain].tld` (defanged).
- C2 communication for key exchange via WebSockets or HTTPS.
- **Behavioral Indicators:**
- Browser displaying a "Save Changes?" or "Allow site to edit files?" permission prompt unexpectedly.
- High CPU usage within a single browser tab (indicative of encryption).
## Associated Threat Actors
- **Research-based (Check Point Research):** Currently a proof-of-concept/emerging threat identified via AI capability testing. No specific APT group has been linked to real-world campaigns yet.
## Detection Methods
- **Behavioral Detection:** Monitoring for browsers requesting extensive write access to sensitive directories via the File System Access API.
- **Web Content Filtering:** Identifying and blocking known malicious domains hosting the ransomware script.
- **EDR/XDR:** Detecting mass file modification events (rename/write) originating from a browser process (e.g., `chrome.exe` or Android Chrome).
## Mitigation Strategies
- **User Education:** Training users to never grant "Edit" or "File Access" permissions to untrusted or unfamiliar websites.
- **Browser Hardening:** Disabling the File System Access API via Enterprise Policy if not required for business functions.
- **Android Security:** Ensuring devices are updated, though the article notes this relies on legitimate API features rather than unpatched vulnerabilities.
## Related Tools/Techniques
- **[T1189 - Drive-by Compromise]**
- **Man-in-the-Browser (MitB)**
- **File System Access API (Legitimate Web Standard)**