The ransomware market is evolving, and a new breed of malicious tool has arrived. It is marked by stealth and has claimed victims among telecom companies, government agencies, and banking institutions. These attacks have prompted IT departments around the world to stay alert: detailed warnings have been issued to staff not to open untrusted email attachments and to avoid suspect websites and third-party apps. Technically known as fileless or malware-free ransomware, these tools are a major threat. They use Microsoft's PowerShell scripting language to target organizations through documents and applications that run macros.
What is PowerShell?
PowerShell is a task-automation scripting language and command-line shell built into Microsoft's operating systems, shipping with more than 100 command-line tools.
What Does Fileless Ransomware Do to PowerShell?
Fileless ransomware uses PowerShell-based scripts or macros to carry out file encryption. This differs from traditional ransomware, which performed the encryption from a malicious file written to disk.
An Overview of Fileless Attacks
One of the biggest hacks in history was carried out filelessly. In 2016, attackers stole documents from the Democratic National Committee (DNC), which were then released to influence that year's presidential election. The entry point was phishing emails containing malicious links delivered to DNC workers; once a link was clicked, the attack proceeded through PowerShell and WMI.
According to Charles Gaughf, Security Lead at (ISC)², a security nonprofit, fileless attacks are generally delivered through phishing links and drive-by websites.
Another fileless attack struck more than 140 banks and financial organizations in over 40 countries at the start of 2017. The attackers entered through an unpatched server, then loaded malicious code into memory using PowerShell scripts and the Windows Registry. They took control of systems using standard system utilities, including the NETSH and SC command-line tools. This remote access let them deploy the memory-resident ATMitch malware on ATMs, which were then commanded to dispense their cash; the attackers collected the cash and left. As no files were written to any system, detecting the breach was very difficult.
The Two Major Ways Fileless Ransomware Infiltrates Systems
The first is email phishing: an attacker gets a macro to run, which loads the malicious script into system memory. This leads to data encryption and an automatically generated ransom demand.
The second is unsafe websites visited by a worker. This lets attackers load scripts directly into RAM, gain access to information, and demand cryptocurrency payments; otherwise the data is encrypted and rendered useless.
Types of Fileless Attacks
There are four basic kinds of fileless ransomware that you should know of:
- Memory-exclusive attacks: These attacks reside only in the memory of Windows services and spread from there. They have been seen since as early as 2001, but they do not survive a restart of the system.
- Fileless persistence techniques: These attacks cannot be cleared by a simple restart even though no file is written to the hard disk. They use the Windows Registry to store the malicious script, which resumes the infection after a reboot.
- Dual-use tools: These attacks abuse legitimate Windows system utilities, either to gain access to target systems or to transfer data to the attackers.
- Non-Portable Executable (non-PE) file attacks: These attacks combine tools and scripts, running their payload through PowerShell, CScript, or WScript.
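The persistence technique in the list above leaves a trace even when no file does: the registry value or WMI subscription that relaunches the script. The following is an added example, not code from the original article, showing a read-only audit of the common autorun registry keys and of permanent WMI event subscriptions for entries that launch a script interpreter. The key list and the interpreter pattern are assumptions chosen for this example; a match is a lead to investigate, not proof of infection.

```powershell
# Added example (not from the original article): read-only audit of registry
# autorun locations and WMI subscriptions for script-based persistence.
# Run in an elevated PowerShell session on the host being checked; it only reports.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Script interpreters and switches that legitimate installers rarely place in an
# autorun value (assumed indicator list for this example).
$pattern = 'powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|-enc|-e |-ec |frombase64string|-w(indowstyle)? hidden|bypass|\biex\b|invoke-expression'

function Get-SuspiciousAutorun {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $value = [string]$regKey.GetValue($name)
            if ($value -match $pattern) {
                $displayName = $name
                if (-not $displayName) { $displayName = '(Default)' }
                [pscustomobject]@{
                    Location = $key
                    Name     = $displayName
                    Command  = $value
                }
            }
        }
    }
}

function Get-WmiPersistence {
    # A permanent WMI subscription pairs an event filter with a consumer; a
    # CommandLineEventConsumer that launches a script interpreter is the classic
    # fileless persistence pattern (the DNC intrusion above used WMI).
    $consumers = Get-CimInstance -Namespace 'root/subscription' -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
    foreach ($c in $consumers) {
        if ($c.CommandLineTemplate -match $pattern) {
            [pscustomobject]@{
                Location = 'WMI root/subscription'
                Name     = $c.Name
                Command  = $c.CommandLineTemplate
            }
        }
    }
}

$findings = @(Get-SuspiciousAutorun) + @(Get-WmiPersistence)
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) script-based persistence entries found; review each before treating it as benign."
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Host 'No script interpreters found in the audited autorun keys or WMI subscriptions.'
}
```

Because a restart removes the memory-only variant but not this one, the audit is most useful as a scheduled check whose output is compared against a known-good baseline for the host; scheduled tasks and service entries are further persistence locations this example deliberately leaves out.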
Why is Ransomware so Popular?
Ransomware is easy to use. Companies usually don't think twice before paying a ransom rather than risking data loss or bad publicity. The rise of cryptocurrencies has also made ransomware more viable: anonymous payment methods give attackers a hard-to-trace way to extract money from their victims, and because cryptocurrency transfers cannot be reversed, they are both effective and, from the attacker's point of view, secure.
What Makes Fileless Ransomware Unique?
Fileless ransomware is unique in that it is hard to detect: the malicious code is injected into RAM or run through the system's native scripting language, so it hides in memory and executes commands from there.
What Do Fileless Ransomware Attacks Entail?
- Fileless ransomware is effectively untraceable even with commercial-grade antivirus products.
- These attacks leave your system wide open for cybercriminals to exploit. Once in, they can do all kinds of things with your network or device, including data theft and encryption, without being detected.
- They also expose the compromised device to further attacks, because the attacker can write new scripts using information gathered from it.
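Antivirus scanning of files misses code that only ever lives in memory, but that code still has to pass through the PowerShell engine, and engine-level logging records it whether or not a file was written. The block below is an added example, not code from the original article: it enables PowerShell script block logging through the policy key that Group Policy writes and then reviews the recorded script text for patterns typical of in-memory loaders. It assumes an elevated session on Windows 10 / Server 2016 or later with PowerShell 5 or newer; the indicator list is an assumption for this example.

```powershell
# Added example (not from the original article): enable script block logging
# and review the last 24 hours of recorded script text for loader patterns.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Enable-ScriptBlockLogging {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
    # Return $true when the value reads back correctly.
    (Get-ItemProperty -Path $policyKey).EnableScriptBlockLogging -eq 1
}

# Indicators of how in-memory PowerShell payloads are commonly staged: base64
# decoding, download-and-evaluate, reflective loading, native memory allocation.
# Each also has legitimate uses, so treat a hit as a lead, not a verdict.
$indicators = 'FromBase64String|Invoke-Expression|\bIEX\b|DownloadString|DownloadFile|Net\.WebClient|Reflection\.Assembly|VirtualAlloc|-EncodedCommand|-enc\b'

function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104                        # "Creating Scriptblock text"
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # 4104 properties: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
        $text = [string]$e.Properties[2].Value
        if ($text -match $indicators) {
            $flat = $text -replace '\s+', ' '
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Matched = $Matches[0]
                Path    = $e.Properties[4].Value   # empty for code typed or injected, not loaded from a file
                Snippet = $flat.Substring(0, [Math]::Min(120, $flat.Length))
            }
        }
    }
}

if (Enable-ScriptBlockLogging) { Write-Host 'Script block logging is enabled.' }
$hits = @(Get-SuspiciousScriptBlocks -Hours 24)
if ($hits.Count -gt 0) {
    Write-Warning "$($hits.Count) script blocks matched in-memory loader indicators."
    $hits | Sort-Object Time | Format-Table -AutoSize -Wrap
} else {
    Write-Host 'No matching script blocks in the review window.'
}
```

An empty Path on a hit is itself informative: it means the script text never existed as a file, which is exactly the case file-based antivirus cannot see. Even before the policy is set, PowerShell 5 writes a warning-level 4104 for script blocks it considers suspicious, so the query is worth running on hosts where logging was never enabled. Forward the operational log to a central collector, since an attacker with local admin rights can clear it, and where nothing depends on it remove the older PowerShell 2.0 engine (Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root), which predates these logs.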
Protecting Yourself from Fileless Ransomware
Although fileless ransomware is effectively undetectable by conventional antivirus software, there are a number of things you can do to prevent it. The first is to ensure your critical data is not accessible to anyone who does not need it. The second is to reduce your exposure to human error.
This means your employees need to know about social engineering and how to resist it. You will also need an up-to-date system with all recent security patches applied. The tips below further strengthen your defences against fileless ransomware:
- Ensure Your Data Is Backed Up: Staying protected is about being mindful of attacks. Make sure someone is responsible for your data and keeps the critical files backed up. This lets you disarm such attacks by restoring from a point that is unaffected by the breach.
- Stay Vigilant: Turn off all macros. Beyond that, refrain from opening files you are not sure about; if in any doubt, get in touch with your IT admin.
- Block Malicious Emails, Web Pages, and Browser and Server Interactions: Exercise caution with any potentially malicious email. Simply block anything that does not appear genuine or has even the slightest feel of shadiness.
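"Turn off all macros" is most reliable when it is enforced as policy rather than left to each user's Trust Center settings. The following is an added example, not code from the original article, that writes the per-user Office macro policy values for Word, Excel and PowerPoint and then reports whether each application is compliant. It assumes Office 2016/2019/Microsoft 365 (registry version 16.0) and is run as the user being hardened; the value names are the ones Office's Group Policy templates use, so the Trust Center UI cannot relax them.

```powershell
# Added example (not from the original article): enforce and verify the Office
# macro policy for the current user. Office registry version 16.0 is assumed.

$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all macros, 2 = disable with notification,
# 3 = disable except digitally signed, 4 = disable all without notification.
# 4 matches the advice above; 3 is the usual compromise where signed internal
# macros are still required.
$vbaWarnings = 4

function Get-MacroPolicyKey {
    param([string]$App)
    "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security"
}

function Set-MacroPolicy {
    foreach ($app in $apps) {
        $key = Get-MacroPolicyKey -App $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $vbaWarnings -Type DWord
        # Block macros in any file carrying Mark-of-the-Web (email attachments,
        # browser downloads), which is the phishing delivery path described above.
        Set-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
    }
}

function Test-MacroPolicy {
    foreach ($app in $apps) {
        $props = Get-ItemProperty -Path (Get-MacroPolicyKey -App $app) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application       = $app
            VBAWarnings       = $props.VBAWarnings
            BlockFromInternet = $props.BlockContentExecutionFromInternet
            Compliant         = ($props.VBAWarnings -in @(3, 4)) -and ($props.BlockContentExecutionFromInternet -eq 1)
        }
    }
}

Set-MacroPolicy
Test-MacroPolicy | Format-Table -AutoSize
```

Test-MacroPolicy on its own is a useful periodic check across a fleet: a row that is no longer compliant means the policy was removed or never applied to that profile. In a domain, the same values are better delivered through Group Policy so that they also apply to newly created user profiles.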
With just a little caution, you can stay protected from all kinds of ransomware – regular or fileless.