Fileless Ransomware – There’s a new form of ransomware out to complicate the jobs of IT security teams and forensic experts. This so-called fileless ransomware operates by embedding its malicious code in secluded areas of the operating system. RAM is more common, but the kernel also makes for a cosy hiding spot. The infection can penetrate the system while leaving a minimal trace of its presence.
As the name suggests, fileless ransomware does not download or write any files to the infected system. The objective of such an attack is two-fold. First, it allows the malware to elude detection by anti-virus software and other file-based security programs. Second, and perhaps most importantly, it affords attackers the opportunity to analyse the compromised system and calculate their next move. Once inside, a hacker can either infect the system, map out the attack scope, or decide to move on to the next victim.
Fileless malware is not entirely new as different variants have been on the scene since 2014. However, using this approach to carry out stealth ransomware attacks is something more of a recent occurrence. In March 2016, IT security company Carbon Black spotted a fileless ransomware attack at three hospitals in the US. The “PowerWare” malware, as they called it, used a unique method to infect the hospitals.
Ransomware usually springs to life when files are installed onto the targeted system. Powerware manipulates the built-in Windows administrative tool Powershell instead. Once you open an infected macro-enabled document, the command shell fires up. PowerShell then does the dirty work by downloading the malicious code in a text script and encrypting the user’s files. Powerware demands a ransom of $500 in exchange for the decryption key. The fee doubles if not paid in two weeks.
What’s troubling about a fileless ransomware strain is that the infection may only be the start of your troubles. This software embeds itself in the root of the system. Hackers can use the access to perform some administrative tasks. For example, PowerShell makes it alarmingly simple to download additional malware scripts or reveal information about other networked devices, which could open the door to more attacks shortly.
Fileless Ransomware Protection
According to Kaspersky, fileless malware has struck roughly 140 organisations across the healthcare, finance, and government sectors. Since the infection is so difficult to detect, the actual number may far exceed that. This sly stealth technique could become the norm as hackers continually look for ways to one-up security solutions. A successful attack could cost your organization in downtime and countless man-hours as the security team attempts to stop the bleeding.
We know having a backup plan is essential to safeguarding your data from security threats. Here are some other things you can do to avoid the wrath of fileless ransomware.
Patch Known Security Holes
Flaws in your IT system are vulnerabilities, and vulnerabilities are security holes fileless ransomware can exploit to make you the next victim. Leaving these holes unplugged is akin to leaving the windows to your home wide open and inviting a burglar right on in. By committing to patch management, your security team will be able to identify vulnerabilities and can apply the necessary fixes in a timely fashion.
Disable Dangerous Functions
Hackers and macros-based exploits go back to the 1990’s. The trend had died down for a bit but appears to be making a comeback. Microsoft revealed that macros were used in 98 percent of the threats that targeted Office in 2015. So unless necessary, macros, PowerShell, and other potentially dangerous features should remain disabled. Conduct a thorough assessment of your infrastructure to identify components most likely to be targeted in a security attack.
Keep Security Software Up to Date
Fileless malware and ransomware, in general, is so dangerous because it often compromises the system and starts encrypting files before anti-virus software has a chance to act. However, running a quick scan of attachments before opening them can stop many of these same threats dead in their tracks. The conventional anti-malware solution may no longer be the key to end-to-end system protection, but it can still be an important piece of your overall security system. Use it, and keep all of your security applications updated.
Stay on Alert!
By now, your IT and security personnel should have a deep understanding of ransomware – what it is, what it is capable of, and how it gets around. Each employee should be trained on how to spot phishing emails and take caution when handling attachments. Fileless ransomware may be a more sophisticated form of malware. However, merely grasping the ABCs of IT security -can render it ineffective.
Have a Backup to Restore From
Strong IT security will certainly help with ransomware prevention. However, IT environments today are overwhelmingly complicated, and there’s a lot of bits and pieces to account for – some of which may not be under your control. If one vulnerability was missed and a breach happened, just one thing can save you.
You should always have a reliable backup to restore from, and ensure the company can get back to business using the latest saved version.
Be it on-prem, off-prem, SaaS applications or stored on an appliance, your data is vital for business. Make sure it is not used for blackmail!