When AI Invents the Attack: Browser-Native Ransomware

Check Point Research recently uncovered something that changes how we think about AI-assisted threats: a malware sample in which an AI model independently connected a theoretical browser risk to a working ransomware technique, with no exploit, no app installation, and no technical expertise required from the attacker.

A Noisy Sample With One Dangerous Idea

While analyzing nearly 3,000 DeepSeek-attributed files from public telemetry, our researchers came across a Python Flask application that looked, at first, like a textbook AI hallucination. It tried to pack a keylogger, credential stealer, webcam capture, and ransomware overlay into a single web page — most of which browsers simply won’t allow. The model got almost everything wrong.

But buried in the noise was one thing it got exactly right. The generated code called showDirectoryPicker(), a legitimate browser API that lets a web page request access to a folder on the user’s device, read files inside it, modify them, and send their contents to a remote server. No installation. No exploit. Just a permission prompt.

The person who prompted it likely had no idea this API existed. They described a high-level malicious outcome, and the model searched its knowledge of real browser features to find something that fit. That process — an AI reasoning across existing platform knowledge to surface a novel attack path — is precisely what makes this finding significant.

Why DeepSeek Is Part of This Story

Major AI vendors have made cyber safety a core control area. Requests involving ransomware behavior, credential theft, or malware deployment are consistently refused by frontier models from Anthropic and OpenAI. DeepSeek is less consistent. It is free, widely accessible, and in our testing, a single broad prompt produced a complete malicious application that would have required manual assembly across multiple requests using other models. That lower barrier makes it particularly attractive to threat actors with limited technical skill.

The Android Risk Is Real

To validate the technique, we built a controlled proof of concept: a fake AI photo-enhancement tool that uses the File System Access API to encrypt images in a selected directory. The workflow is disarmingly natural. A user selects a photo, is asked to choose a folder for the enhanced results, approves a browser prompt that feels routine in context, and during the fake processing step, their images are encrypted. No binary is downloaded. No app is installed. The attack runs entirely inside the browser.

On Android, this is especially concerning. Chrome 132 introduced full File System Access support on Android, and our testing on Chrome 148 confirmed that web pages can request access to the DCIM photo directory. This folder typically holds years of personal photos, scanned documents, banking screenshots, and recovery codes. Losing that data, or having it exfiltrated, could create personal or business problems ranging from ransomware to blackmail or, if the data is sensitive, public disclosure, leading to reputational damage and more. On iOS, Safari does not expose the same API, so the technique does not apply there.

What You Can Do

Browser folder-access prompts deserve real scrutiny. Before clicking Allow, consider which site is asking, which folder is being selected, and whether write access is actually necessary for what you came to do. Avoid granting websites access to your main photo library or any directory with sensitive or irreplaceable files. For unfamiliar tools, select an empty folder instead, and keep regular backups so that encrypted files are never your only copy.
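The same questions (which site is asking, and does it need write access) can be checked in code before the prompt ever appears. The sketch below is an added example, not code from the Check Point research: the allowlisted origin, the function names and the stand-in window object are assumptions for illustration.

```javascript
// Added example (not from the original research). Origins below are hypothetical.
const WRITE_ALLOWED_ORIGINS = new Set(['https://editor.corp.example']);
// Well-known directory names accepted by the picker's `startIn` option.
const PERSONAL_START_DIRS = new Set(['desktop', 'documents', 'downloads', 'music', 'pictures', 'videos']);

// Decide what to do with one showDirectoryPicker() call before the prompt appears.
function assessPickerRequest(origin, options = {}) {
  const mode = options.mode === 'readwrite' ? 'readwrite' : 'read'; // the API defaults to 'read'
  if (mode === 'readwrite' && !WRITE_ALLOWED_ORIGINS.has(origin)) {
    return { action: 'block', origin, mode, reason: 'write access requested by a non-allowlisted origin' };
  }
  if (typeof options.startIn === 'string' && PERSONAL_START_DIRS.has(options.startIn)) {
    return { action: 'warn', origin, mode, reason: `picker opens in "${options.startIn}"` };
  }
  return { action: 'allow', origin, mode, reason: 'read-only or allowlisted request' };
}

// Wrap the page's showDirectoryPicker so every request is assessed and reported.
function installGuard(win, report = console.warn) {
  const original = win.showDirectoryPicker;
  if (typeof original !== 'function') return false; // API not exposed in this browser
  win.showDirectoryPicker = function guardedPicker(options) {
    const verdict = assessPickerRequest(win.location.origin, options);
    if (verdict.action !== 'allow') report(verdict);
    if (verdict.action === 'block') {
      const err = new Error(verdict.reason);
      err.name = 'NotAllowedError'; // signal a permission refusal to the caller
      return Promise.reject(err);
    }
    return original.call(win, options);
  };
  return true;
}

// Constructed demo: a stand-in window object, so the guard can be exercised outside a browser.
function demo() {
  const seen = [];
  const fakeWin = {
    location: { origin: 'https://photo-enhancer.example' },
    showDirectoryPicker: () => Promise.resolve('directory-handle'),
  };
  installGuard(fakeWin, (v) => seen.push(v));
  fakeWin.showDirectoryPicker({ mode: 'readwrite' }).catch(() => {}); // blocked
  fakeWin.showDirectoryPicker({ startIn: 'pictures' });               // allowed with a warning
  fakeWin.showDirectoryPicker();                                      // allowed silently
  return seen.map((v) => v.action);
}
```

On desktop browsers a wrapper like this would typically be injected by a managed extension before page scripts run. Treat it as a policy and telemetry aid rather than a security boundary; the browser's own permission prompt remains the actual control.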

For stronger protection against the phishing-style pages that deliver attacks like this one, Check Point’s Threat Cloud Anti-Phishing identifies and blocks malicious sites before users ever encounter a suspicious permission prompt. Because the entire attack depends on luring a user to a convincing fake page, disrupting that delivery step is the most effective defense available today.

The Broader Shift

At the time of publication, we have found no evidence this technique is being used in active campaigns. We are publishing now because the barrier to operationalizing it is low.

What this research illustrates is a meaningful shift in how novel attacks emerge. Historically, discovering a new attack path required domain expertise and creative human thinking. AI changes that. A non-expert can describe a malicious outcome in plain language and receive a prototype that connects that goal to a real platform capability they never knew existed. The expertise required to discover the attack path is no longer the bottleneck — and defenders need to account for that.
