How Does Fileless Ransomware Work?

Ransomware attacks rank among the most damaging for companies of all sizes. The sudden loss of file access combined with demands for quick payment and the threat of data deletion have put many IT departments on high alert, warning users never to open unsolicited email attachments, visit suspicious websites or download third-party applications.

Nonetheless, hackers are working hard to evade increasing corporate scrutiny; ransomware-as-a-service (RaaS) threats are now targeting the historically defensible Mac OS, even as attackers roll out “fileless” ransomware vectors that leverage common computing services to execute malicious commands and download infectious payloads. Here’s a look at the potential impact — both present and future — of evolving ransomware threats.

Under Attack

What makes ransomware so popular? For many attackers, it comes down to ease of use. When companies discover their network is compromised, they’re often eager to pay the ransom, rather than risk loss of critical files or endure negative PR. The emerging bitcoin/cryptocurrency landscape also informs the spread of ransomware. In most cases, victims are directed to pay a specific sum in bitcoin (or other cryptocurrency) to a designated email address. By leveraging entirely digital currency, hackers can effectively anonymize their demand for payment, while the nature of blockchain transactions can ensure that all transfers are securely completed and cannot be reversed.

Also worth noting, new hacks utilizing the same vulnerability as popular ransomware WannaCry have been spotted installing cryptocurrency miners on victim computers. Although the machines continue to perform normal functions, they’re also tasked with a background process to create digital currency — which has potentially generated more than $1 million for attackers.

Fileless Futures?

Hackers are also getting wise to the fact that security applications and researchers can quickly red-flag and then black-list malicious files and groups, limiting the impact of traditional ransomware delivery methods. Attackers have adapted by developing new strains of fileless ransomware that uses existing processes to execute compromising commands.

While the initial trajectory is the same — victims either open malicious email attachments or browse compromised websites — new fileless attacks don’t download any data. Instead, they open a command line and run PowerShell scripts straight into computer memory. This forces a secondary file download that contains both the ransomware dropper itself and the encryption key. Users are then faced with familiar splash screens and demands for payment. For hackers, value comes from initial contact, since traditional malware detection and anti-virus tools don’t classify PowerShell scripts as potential attack vectors. For companies, the shift in ransomware rollout demands a change in focus: Indicators of attack — such as code execution or lateral network movement — must become part of the IT security foundation.

Ransomware is on the rise, with hackers looking to grab (or create) cryptocurrency and avoid unwanted attention. For more information on fileless ransomware, read the infographic below to understand the risks to develop new strategies and lower the ransomware infection impact.

How “Fileless” Ransomware Works by CrowdStrike

Author bio: Con Mallon is Senior Director of Product Marketing at CrowdStrike, where he oversees positioning of products and communication, go-to-market programs, competitive differentiation, and sales assets and tools. Mallon started his career in the United Kingdom, and has more than 20 years of marketing and product management experience within the technology sector.