Fileless Ransomware: The Next Big Threat For The US In The Waiting
According to a new Malwarebytes report, and the article cited in Tech Target Network, a new kind of ransomware, which will be completely fileless, called Sorebrect, is “one of the first of its kind” that comes with traditional ransom functionality with fileless tactics
In “Under the Radar: The Future of Undetected Malware,” Malwarebytes detailed four fileless attacks observed throughout 2018, including Emotet, TrickBot, SamSam, and Sorebrect.
The report gives reference to a study from the Ponemon Institute, which refers to a “fileless malware attack are estimated to account for 35% of all attacks in 2018, and they’re almost 10 times more likely to succeed than file-based attacks.”
Malware has always been a threat to internet users across the world, and this report emphasized how these four malware families posing as a serious threat to businesses. For example, Malwarebytes stated that “between January and September 2018, Emotet malware was detected and removed more than 1.5 million times using Malwarebytes.” While Emotet was found to be most active in the U.S., an increase in activity was also seen globally in countries such as the U.K., the Philippines, and Canada.
Adam Kujawa, director of malware intelligence at Malwarebytes, based in Santa Clara, Calif., said: “One of the biggest targets in the U.S. for Emotet was Texas.” He believes this to be due to the fact that Texas has several military bases and holds a large population, with the growing tech industry.
Sorebrect has also made its way to the U.S. It was first seen in Middle Eastern countries in 2017, infecting networks of primarily manufacturing businesses. But Malwarebytes said the fileless ransomware was discovered this year in several states, including Missouri and Tennessee.
“Lucky for us, this threat hasn’t had a great spread and we haven’t observed any copycats of this functionality, making big splashes, yet,” the report stated. “However, it’s just a matter of time before somebody perfects this infection method and using the computer becomes a bigger risk.”
Kujawa said Sorebrect combines traditional ransom functionality with fileless tactics and targets network shares.
“The most popular ransomware right now, being GandCrab, has all kinds of capabilities. But the fact is that Sorebrect is a new evolution of ransomware, something that we haven’t really seen before. And it’s almost guaranteed to be copied in the near future,” Kujawa said. “The main way of infection when it comes to fileless malware is either through some kind of script exploited through an exploit script or exploited through a malicious Office document. Either way, it allows the ransomware to reside in memory without putting anything on disk, hanging out for as long as it wants until it wants to start encrypting things.”
The risk Sorebrect poses becomes further evident, as it doesn’t need a human to launch it. While its delivery mechanism is not fully known, Kujawa said it is believed the fileless ransomware is partially spread through exploit kits and malicious spam campaigns.
“Once it is on the system, what happens usually with any sort of fileless malware is that it will find some way to make itself resistant. Otherwise, once you leave it with the computer, it’s gone,” Kujawa said. “So, in many cases, they’ll create malformed registry entries or keys and have code in them. And every time the computer reboots, it launches that code, that code reaches out, grabs the malware and infects the system again. With Sorebrect, since it can encrypt everything, I imagine that after the initial infection and once it starts encrypting, it probably makes itself known.”
The report recommended enterprises expand their current protections beyond signature-based malware detection in order to be protected from fileless ransomware. In addition, Malwarebytes suggested enterprises focus more on blocking delivery mechanisms for threats, specifically email messages, and use security products with self-defense modes that can prevent malware from disabling or removing it from a system.
Kevin Jones951 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.