Browser-Based Ransomware: The Emerging Threat of 2025 That EDRs Can't Stop
- david96381
- Dec 16, 2025
- 3 min read

In 2025, ransomware can in principle strike without admin rights, a dropped .exe, or a phishing attachment: the whole attack runs inside a browser tab and touches your disk only through APIs the browser itself exposes. The directory-picker half of that story is a Chromium feature. Chrome and Edge implement the File System Access API; Brave ships with it disabled; Firefox and Safari implement only the sandboxed origin-private file system, which never reaches the user's real folders.
This isn't science fiction; it's the next step in an evolution that has turned browsers into mini operating systems, with APIs that let a web page read and write files the user chooses to share.
How It Could Happen (And Why It's So Deceptive)
Picture it: you land on a legitimate but compromised site, or on a malicious ad, and a small JavaScript payload loads through the ad slot.
It uses the File System Access API for directory access, IndexedDB to persist state such as the directory handle, and the WebCrypto API for the encryption. The catch is the permission step. showDirectoryPicker() only runs from a user gesture, so the ad does need a click, and it opens the browser's own folder picker: the page cannot pre-select a folder, and Chromium refuses to share the top level of the home, Desktop, Documents or Downloads folders (subfolders are allowed) and refuses locations such as ~/.ssh outright. The victim then sees two ordinary-looking prompts, "Let this site view files?" and "Save changes?", and a pretext along the lines of "choose the folder to upload" is usually enough to get both approved. Then:
It walks the shared folder recursively, every file the user just consented to share
It encrypts each file with AES-256 via WebCrypto. If the key truly stays on the machine (say, in IndexedDB), responders can pull it out of the browser profile and decrypt; an operator who wants no command-and-control round-trip would instead wrap the file key with a public key embedded in the script, so nothing recoverable is left behind
It writes the ciphertext back as .locked files and deletes the originals
Finally, it opens a ransom note in a new tab: "Pay 0.3 BTC or lose everything."
No dropped binary means no new process for an EDR to flag. After the initial page load there is no beaconing to catch either. Every file write comes from chrome.exe under the user's own privileges, and writing into a folder the user approved is exactly what the browser does legitimately all day.
Hypothetical Attacks That Feel All Too Real
While no large-scale campaign has been made public yet, the foundational elements are already in place: malicious extensions and API abuse have already reached millions of users.
Extension Malware Surge: In Q4 2025, a seven-year "sleeper" campaign turned 145 Chrome/Edge extensions malicious, infecting 4.3 million users with backdoors and data theft (no encryption, but a ready-made pivot for ransomware).
Malvertising Warning Signs: 18 rogue extensions (2.3 million installs) hijacked browsing in mid-2025, stealing histories and keystrokes; an extension with that foothold can just as easily be told to start encrypting on demand.
Researchers have already demonstrated the technique end to end: RøB ("Ransomware over Modern Web Browsers", USENIX Security 2023) locks files through the File System Access API without any download. Sectors where staff live in the browser all day, such as healthcare and energy, are the obvious targets, and predictions are that real attacks land by the end of the year.
Consider the implications: a law firm loses case files from clicking a "Westlaw" advertisement. A hospital finds a shared folder encrypted mid-search. A routine visit to a supplier portal turns into a $180,000 extortion attempt.
Why EDRs Are Insufficient (And What Tests Reveal)
Endpoint Detection and Response (EDR) products are good at watching process creation and sandboxing executables, and that is exactly what this scenario does not involve:
There is no rogue process to detect, only the browser's own threads
The encryption runs as JavaScript or WebAssembly inside the renderer, using the BoringSSL build compiled into the browser rather than the OS crypto API an EDR might hook
The file writes are indistinguishable from a download: they come from chrome.exe, into a folder the user approved
AV-Comparatives' 2025 Advanced Threat Protection (ATP) tests underscore the gap: products block evasive payloads when those arrive as a process, but browser-originated threats often slip through undetected, with zero detections in the JavaScript and shellcode scenarios. Browsers can now write to user files, and current defenses trust those writes instead of inspecting what is written.
The Real Solution: Focus on File Behavior Instead of Process Tracking
To catch this, tooling has to score "what is being written" rather than "who is writing it":
Every-Write Monitoring: see every file modification, rename and deletion regardless of parent process, from a kernel minifilter rather than a user-mode hook the browser never calls
Entropy Detection: flag high-entropy overwrites of previously low-entropy files, even from edge.exe. Entropy on its own is not enough, because a browser legitimately writes already-compressed, high-entropy downloads (zip, jpeg, pdf) all day; the real signal is the overwrite-plus-rename-plus-delete burst across many files within seconds
Auto-Rollback: suspend or terminate the writing process, revoke the site's file-system permission, and restore from shadow copies or the tool's own snapshot. Killing chrome.exe is coarse (it takes every tab with it), which is one more reason to catch this at the first file
Kernel Power: sit deep enough that nothing running inside the browser sandbox can see or tamper with the monitor
We must treat encryption itself as the threat, rather than focusing only on the tool that delivers it. That is the only way to stop the damage at the very first file, regardless of its origin.
Your Next Steps
If your security stack still keys on suspicious processes or hashes, it is time to rethink it: browser-based threats are already here or on the horizon, so audit your file monitoring now, and if your defenses are process-only, upgrade them. There is also a cheap preventive control in managed Chrome and Edge: setting the DefaultFileSystemWriteGuardSetting policy to 2 blocks the File System Access API's write path for every site, and FileSystemWriteAskForUrls re-enables the prompt only for the web apps that genuinely need it.
The organizations that are avoiding negative headlines? They are already implementing file-first defense strategies.
Don’t let a tab become your undoing.