Published
- 5 min read
By Allan D - Editor, AI Security Wire
Browser-Only Ransomware: AI Bridges Theory-to-Exploit Gap in Chrome API
Security researchers at Check Point Research have demonstrated a viable browser-only ransomware technique using Chrome’s File System Access API — and a frontier AI model gets credit for independently discovering the attack path. The research, published this week, represents an uncomfortable intersection: AI-assisted security research surfacing a novel threat that defenders had previously dismissed as impractical.
Here’s what makes this different from theoretical web security research: there’s no vulnerability being exploited, no native payload required, and no root access needed. Just a browser, a permission dialog, and JavaScript.
How the Attack Works
The File System Access API is a legitimate browser feature, introduced in Chrome to allow web applications to read and write local files with user consent. Think Figma saving designs locally, or a browser-based code editor modifying project files. The API presents a familiar folder-picker dialog, the user grants access, and the web application has read and write access to whatever directory was selected.
Check Point’s researchers asked a frontier AI model to evaluate whether browser-only ransomware was theoretically feasible. The AI didn’t just confirm the theory — it identified the File System Access API as a viable attack vector and produced a working proof-of-concept. The attack sequence looks like this:
- A phishing page — plausibly a fake document tool, a “download your files” portal, or a fraudulent software utility — prompts the victim to select a folder using the familiar browser dialog
- Once granted, JavaScript running on the page enumerates files in the selected directory
- File contents are read and exfiltrated to attacker infrastructure
- Files are encrypted in place using browser-native cryptography APIs (Web Crypto API supports AES natively)
- Encrypted versions overwrite the originals
- A ransom note replaces or accompanies the now-unusable files
No binary execution. No privilege escalation. No Windows API calls. The entire attack runs inside the browser sandbox, but the damage is to the local filesystem.
The Platforms in Scope
The technique requires a Chromium-based browser — Google Chrome, Microsoft Edge, Brave, Arc, and others. Firefox does not implement the File System Access API, and Safari’s implementation is limited. That still covers the majority of desktop browser market share.
Platform coverage: Windows, macOS, Linux, ChromeOS, and Android. On Android, the attack is constrained to the browser’s accessible storage scope, which limits what can be reached but doesn’t eliminate the threat for mobile users who store documents in accessible locations.
The VirusTotal Sample
Researchers found a Python Flask application — “deepseek_python_20260125_da0631.py,” uploaded to VirusTotal on January 25, 2026 — that implements a server-side component consistent with this attack pattern. The author named it InfernoGrabber v9.0. Whether this represents an actual deployment or a researcher’s independent experiment isn’t confirmed, but the timing and characteristics suggest the attack concept was being explored in the wild before Check Point’s formal publication.
Why This Matters Beyond Browser Security
The story here isn’t just a new browser attack technique. It’s the mechanism of discovery. Check Point’s AI didn’t find this because a human handed it a pre-identified target and asked “is this exploitable?” It found it by working through a security hypothesis from first principles, reasoning about browser APIs, and identifying a path that security researchers had assessed as unfeasible. That’s a qualitatively different capability.
The implication isn’t that all AI security research produces exploits. Most of it doesn’t. But the pool of novel attack surface that can be systematically surveyed by AI models — API documentation, specification papers, interface designs — is large, and the cost of that survey is dropping. The gap between “this is theoretically interesting” and “here is working code” is now sometimes a single conversation.
What Defenders Can Do
Conventional endpoint detection won’t catch this — there’s no process injection, no PE execution, no kernel interaction. Detection requires monitoring at the browser or network layer.
Browser enterprise policies: Chrome enterprise policy can restrict or disable the File System Access API entirely using the FileSystemReadAskForUrls, FileSystemWriteAskForUrls, and related policy keys. For organisations where workers don’t need web applications to write local files, disabling this permission class is the cleanest mitigation.
User awareness: The attack requires a user to actively grant folder access via a browser permission prompt. Training users to treat unexpected folder-access requests from web pages with the same suspicion as macro-enable prompts in Office documents is relevant here.
Network-layer monitoring: File exfiltration before encryption is the most detectable phase. Large outbound transfers from browser processes to unfamiliar destinations are anomalous and should be flagged.
There’s no patch for this because nothing is broken. The File System Access API works exactly as designed. The question for organisations is whether the utility it provides outweighs the risk it introduces.
References
- The Hacker News — AI-Generated Browser Ransomware Abuses Chromium API on Windows, Linux, macOS, Android
- Check Point Research — Browser-Only Ransomware: From LLM Hallucinations to a Practical Attack Technique
- CybersecurityNews — Browser-Only Ransomware Abuses Chrome File System Access API to Encrypt Android Photos
- GBHackers — Browser-Only Ransomware Uses File System Access API to Encrypt Files Without Malware Installation
Frequently Asked Questions
- What is browser-only ransomware and how does it work?
- Browser-only ransomware abuses the Chromium File System Access API to encrypt a victim's local files entirely through a web browser, without installing any native payload or exploiting a browser vulnerability. The attack starts with a phishing page that requests folder access via a browser permission dialog. Once the user grants access, JavaScript running in the browser enumerates, exfiltrates, encrypts, and overwrites files in the selected directory, then presents a ransom demand. The attack works on Windows, macOS, Linux, Android, and ChromeOS wherever Chromium-based browsers are present.
- What was the AI's role in discovering this attack technique?
- Check Point Research used a frontier AI model to evaluate the theoretical feasibility of browser-based ransomware. Rather than confirming existing assumptions, the AI independently identified the File System Access API as a viable attack vector and generated a working proof-of-concept. The researchers note this is the first documented case of a frontier AI model independently bridging the gap between a theoretical security hypothesis and a practical, working attack chain.
- Is browser-only ransomware being used in the wild?
- There is no confirmed evidence of real-world exploitation as of July 2026. However, an AI-generated Python Flask application with ransomware-like behaviour was uploaded to VirusTotal on January 25, 2026, and analysts note it exhibits similar characteristics to the attack technique Check Point demonstrated. The technique does not require exploitation of a software vulnerability, which means it will not be stopped by conventional patch management; user-facing permission hygiene and browser policy controls are the primary mitigations.