
SAN FRANCISCO — We're familiar with ransomware that attacks endpoints, databases and networks. But a lesser-known form of ransomware targets cloud and SaaS assets, operates entirely within the web browser, and can evade endpoint protections completely, said Nishant Sharma, a threat researcher at Zscaler, in a presentation at the BSides SF hacker conference here last week (March 22).

"Industry has invested a lot of money in EDR anti-ransomware features. But there's another vector," said Sharma. "We're spending more and more time in the browser. More services move to the browser all the time, most recently LLMs like ChatGPT."

"Traditional" ransomware attacks your endpoints and makes sure you can't access your files, Sharma explained. But files and other assets held in cloud services and SaaS apps may be just as valuable and, because they have less protection, are considerably more vulnerable.

That's because browsers are the gateway to cloud services, and browsers are under-protected. Attacks on browsers, whatever their intent, often involve identity theft, and theft of credentials, session cookies and OAuth tokens creates opportunities for ransomware attacks on SaaS apps and cloud storage.

"Browser attacks are becoming more common," Sharma said. "Yet browser security is still not there."

To demonstrate his point, Sharma ran through the steps of a mock ransomware attack that leverages Gmail to take over a Dropbox account.

First, a malicious email lures the victim to a legitimate-looking website that invites the victim to sign in with their Google account, which in practice means authorizing a third-party app through Google's OAuth consent flow.

When the victim tries to do so, a pop-up from Google warns that the victim has to trust the website and that signing in gives the site permission to "read, compose, send and permanently delete all your email from Gmail."

That warning might put off some users from continuing, but others would just go ahead and grant the permissions. It may also be the only thing protecting the victim's files from compromise.

The victim is then redirected to a nice-looking interface. But, as Sharma pointed out, the attacker now holds a token that can read all of the victim's email and can comb through archived messages to discover which online services the victim has signed up with.

The attacker then tries to log in to the victim's Dropbox account and initiates a password reset, which sends a reset link or token to the victim's Gmail address, a mailbox the attacker can now read. If the victim does not have MFA enabled — or if Dropbox sends its one-time passcode to that same Gmail account, where the attacker can read it as well — then the attacker gains control of the Dropbox account.

As the final stage of the attack, the attacker downloads all of the victim's Dropbox files, deletes or encrypts everything in the Dropbox account, and replaces the files with a ransom note.

"This all happens in the browser," Sharma said. "The endpoint is not touched. EDR software notices nothing."

A similar permission-granting technique could be used to get full access to the victim's Google Drive, or to many other cloud-storage and SaaS services, Sharma said.

This kind of attack is certainly happening already, Sharma said, but it doesn't make headlines because it's more effective against consumers than against enterprises, which protect their cloud and SaaS assets more strongly.

As for available mitigations, Sharma recommended security solutions that sit in the browser, or act as an intermediary between the browser and the internet. Strong MFA would likely stop some account takeovers, but not all of them: a second factor delivered to the mailbox the attacker already reads adds nothing.

Asked whether such attacks could succeed using stolen credentials, or stolen session cookies that bypass MFA, Sharma replied, "Yes. There are hundreds of vectors."
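The pivot in the demonstration above is the consent screen: the "read, compose, send and permanently delete all your email" warning is Google's description of a full-mailbox scope, and anyone holding a token with that scope can read the password-reset mail every other service sends to the victim. The triage routine below is an added example, not code from Sharma's talk or from Zscaler, showing what an intermediary between the browser and the internet (the kind of control Sharma recommends) could do with an outbound authorization request before the user ever sees the consent screen. The scope identifiers are Google's published ones; the risk weights, the thresholds, the client IDs and both sample URLs are assumptions constructed for this example.

```python
"""Triage a Google OAuth 2.0 authorization request for consent-phishing risk.

Added example: not code from the BSides SF talk or from Zscaler. The scope
identifiers are Google's published ones; the weights, thresholds, client IDs
and sample URLs are assumptions constructed for this page.
"""
from urllib.parse import urlparse, parse_qs

# Scopes whose grant hands a third-party app the access the article describes.
# Weights are an assumption. Mailbox scopes weigh most: whoever can read mail
# can read the password-reset links other services send to it.
SCOPE_RISK = {
    "https://mail.google.com/": (4, "full Gmail: read, compose, send and permanently delete mail"),
    "https://www.googleapis.com/auth/gmail.modify": (3, "read and modify all Gmail mail"),
    "https://www.googleapis.com/auth/gmail.readonly": (3, "read all Gmail mail, enough to harvest reset links"),
    "https://www.googleapis.com/auth/drive": (3, "full access to all Drive files"),
    "https://www.googleapis.com/auth/drive.readonly": (2, "read all Drive files"),
}
AUTHORIZE_HOST = "accounts.google.com"
AUTHORIZE_PATH_PREFIX = "/o/oauth2"


def triage_authorize_url(url: str):
    """Return a triage record for a Google authorize URL, or None if the URL is
    not a request to Google's authorization endpoint."""
    u = urlparse(url)
    if u.scheme != "https" or u.hostname != AUTHORIZE_HOST \
            or not u.path.startswith(AUTHORIZE_PATH_PREFIX):
        return None
    q = {k: v[0] for k, v in parse_qs(u.query).items()}  # parse_qs decodes %20 and '+'
    scopes = q.get("scope", "").split()                   # scopes are space-separated
    findings, score = [], 0
    for s in scopes:
        if s in SCOPE_RISK:
            weight, why = SCOPE_RISK[s]
            score += weight
            findings.append(f"scope {s}: {why}")
    if q.get("access_type") == "offline":
        # A refresh token lets the app keep access after the browser session ends.
        score += 2
        findings.append("access_type=offline: app receives a refresh token and keeps access after the session ends")
    redirect = urlparse(q.get("redirect_uri", ""))
    if redirect.scheme and redirect.scheme != "https":
        score += 2
        findings.append(f"redirect_uri uses {redirect.scheme}: the authorization code would travel in clear")
    risk = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {
        "client_id": q.get("client_id"),
        "redirect_host": redirect.hostname,
        "scopes": scopes,
        "findings": findings,
        "score": score,
        "risk": risk,
    }


# Constructed sample requests (not captured traffic). The first mirrors the
# consent screen quoted in the article; the second is an ordinary sign-in.
SAMPLE_PHISH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=123456789-abc.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Finvoice-viewer.example%2Fcallback"
    "&response_type=code&scope=openid%20email%20https%3A%2F%2Fmail.google.com%2F"
    "&access_type=offline&prompt=consent&state=xyz"
)
SAMPLE_BENIGN_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=987654321-def.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
    "&response_type=code&scope=openid%20email%20profile&state=abc"
)

if __name__ == "__main__":
    for url in (SAMPLE_PHISH_URL, SAMPLE_BENIGN_URL):
        record = triage_authorize_url(url)
        print(record["risk"], record["client_id"], record["redirect_host"])
        for f in record["findings"]:
            print("  -", f)
```

A proxy or browser extension that sees the request can block or interstitial a "high" result, or at least log the client_id so the grant can be revoked later. The same parse works on the URL the user is redirected to after clicking "sign in with Google", which is often the only artifact of this attack the enterprise ever sees.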
BSides SF: SaaS, cloud assets vulnerable to identity-based ransomware attacks

Facts Only

Nishant Sharma, a threat researcher at Zscaler, presented at the BSides SF hacker conference on March 22.
Sharma described a form of ransomware that targets cloud and SaaS assets by operating within web browsers.
Traditional ransomware attacks endpoints, while this variant evades endpoint protections by functioning entirely in the browser.
The attack involves stealing credentials, session cookies, or OAuth tokens to gain access to cloud services.
Sharma demonstrated a mock attack using Gmail to compromise a Dropbox account.
The attack begins with a phishing email directing victims to a legitimate-looking site that asks them to sign in with Google and, in doing so, grant the site access to their Google account.
Google displays a permission warning, but victims may still grant access, allowing attackers to read emails and identify linked services.
Attackers then trigger a password reset for Dropbox, intercepting the reset token sent to the victim’s Gmail.
Without MFA or if the passcode is sent to Gmail, the attacker gains control of the Dropbox account.
The attacker encrypts or deletes files in Dropbox and replaces them with a ransom note.
The entire attack occurs in the browser, leaving no trace on the endpoint for EDR tools to detect.
Similar techniques can target Google Drive and other SaaS services.
Sharma stated that such attacks are already happening but are underreported, primarily affecting consumers rather than enterprises.
Recommended mitigations include browser-based security solutions and strong MFA, though stolen credentials or session cookies can bypass MFA.
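Because nothing in this chain touches the endpoint, the evidence lives in identity and SaaS audit logs rather than EDR telemetry: the OAuth grant on the Google side, then the password reset, new-device login and bulk deletion on the Dropbox side. The correlation below is an added example, not code from the talk, from Zscaler, or from Google or Dropbox. It joins those events per user into the chain listed above and reports which stages matched. The event schema, the time windows and the mass-delete threshold are assumptions, and the event records are constructed to resemble the Gmail-to-Dropbox chain rather than taken from any real tenant; a deployment would feed it Google Workspace token-audit events and Dropbox team events instead.

```python
"""Correlate identity and SaaS audit events for the browser-only ransomware chain.

Added example: not code from the talk, from Zscaler, or from Google or Dropbox.
The event schema, time windows and mass-delete threshold are assumptions, and
the sample events are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Mailbox scopes: a token with one of these can read the password-reset mail
# that every other service sends to the victim.
MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
}
RESET_WINDOW = timedelta(hours=24)   # mail grant -> reset on another service (assumption)
DELETE_WINDOW = timedelta(hours=2)   # reset -> mass deletion (assumption)
MASS_DELETE_THRESHOLD = 50           # files deleted inside DELETE_WINDOW (assumption)


def _t(event):
    return datetime.fromisoformat(event["time"])


def correlate(events):
    """Return one alert per (user, mail-scope grant) that is followed, on a
    different service, by a password reset and optionally a new-device login
    and a mass deletion. 'stages' lists the stages of the chain that matched."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=_t)
        for g in evs:
            if g["type"] != "oauth_grant" or not MAIL_SCOPES & set(g["scopes"]):
                continue
            resets = [e for e in evs
                      if e["type"] == "password_reset" and e["service"] != g["service"]
                      and _t(g) <= _t(e) <= _t(g) + RESET_WINDOW]
            if not resets:
                continue
            r = resets[0]
            svc = r["service"]
            after_reset = [e for e in evs if e["service"] == svc and _t(e) >= _t(r)]
            stages = ["broad_mail_grant", "cross_service_reset"]
            if any(e["type"] == "login" and e.get("new_device") for e in after_reset):
                stages.append("new_device_login")
            deleted = sum(e["count"] for e in after_reset
                          if e["type"] == "file_delete" and _t(e) <= _t(r) + DELETE_WINDOW)
            if deleted >= MASS_DELETE_THRESHOLD:
                stages.append("mass_delete")
            alerts.append({"user": user, "app": g["app"], "client_id": g["client_id"],
                           "target_service": svc, "reset_ip": r.get("ip"),
                           "files_deleted": deleted, "stages": stages})
    return alerts


# Constructed sample events. alice follows the chain in the article; bob grants
# a narrow calendar scope and then resets a password himself, which must not alert.
SAMPLE_EVENTS = [
    {"time": "2024-03-22T09:00:00", "user": "alice@example.com", "service": "google",
     "type": "oauth_grant", "app": "Invoice Viewer",
     "client_id": "123456789-abc.apps.googleusercontent.com",
     "scopes": ["openid", "email", "https://mail.google.com/"]},
    {"time": "2024-03-22T09:04:00", "user": "alice@example.com", "service": "dropbox",
     "type": "password_reset", "ip": "203.0.113.10"},
    {"time": "2024-03-22T09:06:00", "user": "alice@example.com", "service": "dropbox",
     "type": "login", "ip": "203.0.113.10", "new_device": True},
    {"time": "2024-03-22T09:15:00", "user": "alice@example.com", "service": "dropbox",
     "type": "file_delete", "count": 412},
    {"time": "2024-03-22T09:16:00", "user": "alice@example.com", "service": "dropbox",
     "type": "file_add", "name": "READ_ME_TO_RECOVER.txt"},
    {"time": "2024-03-22T10:00:00", "user": "bob@example.com", "service": "google",
     "type": "oauth_grant", "app": "Calendar Sync",
     "client_id": "987654321-def.apps.googleusercontent.com",
     "scopes": ["openid", "https://www.googleapis.com/auth/calendar.readonly"]},
    {"time": "2024-03-22T10:30:00", "user": "bob@example.com", "service": "dropbox",
     "type": "password_reset", "ip": "198.51.100.7"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["user"], a["target_service"], a["app"], "->", ", ".join(a["stages"]))
```

The first two stages alone are worth a ticket: a broad-mailbox grant followed within a day by a reset on a second service is the attacker reading reset mail, and revoking the app's token at that point still leaves the Dropbox files intact. The later stages only confirm what the endpoint never recorded.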

Executive Summary

A threat researcher at Zscaler, Nishant Sharma, highlighted a growing but under-recognized form of ransomware that targets cloud and SaaS assets by operating entirely within web browsers, bypassing traditional endpoint protections. Speaking at the BSides SF hacker conference, Sharma demonstrated how attackers can exploit browser-based identity theft—such as stealing credentials, session cookies, or OAuth tokens—to compromise cloud services like Gmail and Dropbox. The attack involves tricking victims into granting permissions via phishing, then using those permissions to reset passwords, access accounts, and encrypt or delete files while leaving a ransom note. Unlike traditional ransomware, these attacks evade endpoint detection and response (EDR) tools because they occur entirely in the browser. Sharma noted that while enterprises often have stronger protections for cloud assets, consumers are particularly vulnerable. Mitigation strategies include browser-based security solutions and multi-factor authentication (MFA), though stolen credentials or session cookies can still bypass MFA in some cases. The attack vector underscores a critical gap in browser security as more services migrate online.
The presentation emphasized that browser-based ransomware is already occurring but receives less attention due to its focus on individual users rather than high-profile enterprise breaches. Sharma’s demonstration illustrated how attackers could leverage legitimate-looking login prompts to gain access to sensitive accounts, then use that access to hijack other services linked to the victim’s email. While MFA and intermediary security tools can help, the evolving nature of these attacks—exploiting hundreds of potential vectors—poses significant challenges. The discussion reflects broader concerns about the inadequacy of current security measures as cloud adoption accelerates and browsers become the primary interface for digital life.

Full Take

**Steelman:** Sharma’s presentation effectively exposes a critical blind spot in cybersecurity: the growing reliance on browsers as gateways to cloud services, coupled with inadequate protections against identity-based attacks. The demonstration of a browser-exclusive ransomware attack is compelling because it bypasses traditional defenses, highlighting how attackers adapt to exploit trust in cloud platforms. The focus on consumer vulnerability is particularly insightful, as enterprises often dominate ransomware discussions, obscuring risks to individuals. By framing this as a systemic issue—where browser security lags behind endpoint protections—Sharma underscores a paradigm shift in attack surfaces.
**Pattern Scan:** The narrative leans on *ARC-0012 Fear Appeal* by emphasizing the invisibility of these attacks to EDR tools, which could amplify anxiety about browser security. However, the presentation avoids exaggeration, grounding claims in a concrete demonstration. There’s no *ARC-0024 Ambiguity* or *ARC-0043 Motte-and-Bailey*; Sharma’s arguments are specific and evidence-based. The discussion of mitigation strategies (e.g., MFA) acknowledges limitations without overpromising, avoiding *ARC-0031 False Equivalence* between enterprise and consumer risks.
**Root Cause:** The underlying paradigm is the tension between convenience and security in cloud adoption. As services migrate to browsers, the attack surface expands, but security measures haven’t evolved proportionally. The assumption that EDR tools suffice ignores how identity theft—rather than direct endpoint compromise—can achieve the same destructive outcomes. This echoes historical patterns of security lagging behind innovation, such as the slow response to phishing in the early 2000s.
**Implications:** For human agency, this highlights a vulnerability in digital autonomy: users may unknowingly grant permissions that enable catastrophic breaches. The cost falls disproportionately on individuals, who lack enterprise-grade protections. Second-order consequences include erosion of trust in cloud services and potential regulatory pressure to mandate browser security standards. The narrative also implicates tech giants like Google, whose permission warnings may be insufficient to prevent exploitation.
**Bridge Questions:**
1. How might browser vendors and cloud providers collaborate to close this security gap without sacrificing usability?
2. What role should regulatory bodies play in standardizing protections for consumer cloud assets?
3. If MFA is bypassable via stolen session cookies, what alternative authentication models could mitigate these risks?
**Counterstrike Scan:** A coordinated influence campaign exploiting this narrative might amplify fear of cloud services to push proprietary security solutions or undermine trust in open-web standards. However, Sharma’s presentation aligns with legitimate threat research, not manipulation. The focus on technical specifics and mitigations—rather than sensationalism—suggests a clean, evidence-driven discussion.
**Patterns detected:** *ARC-0012 Fear Appeal* (minor, contextual)