How Fileless Ransomware Works

The biggest malware threat faced by businesses is ransomware — malicious code that encrypts critical data and then demands payment in Bitcoin. For many small and midsize businesses, however, the ransomware threat still seems distant. After all, don’t malicious actors prefer the more lucrative returns from compromising and controlling large enterprise file systems with their fileless ransomware?

According to recent data, however, SMBs need to sit up and take notice. Small business ransomware reports are up 433 percent in the last year, and almost 50 percent of SMBs compromised by ransomware paid rather than risking the loss of critical files.

What does this mean for your business? How do you avoid ransomware threats, and what’s the best strategy if systems are infected?

Evolving Issues

Along with adding new targets to the ransomware hit list, cybercriminals are also creating new ways to avoid detection by antivirus and antimalware systems. Consider the rise of “fileless” ransomware. Instead of tricking users into downloading the necessary dropper file for malware infection, hackers are now using macro-enabled Word attachments and compromised websites to start command lines, which in turn run PowerShell scripts. These scripts then communicate with command and control (C&C) servers to download the ransomware package and encrypt critical files. The big problem? Since no malware file initially lands on SMB computers and PowerShell is an approved program in most operating systems, there’s no warning — only ransom demands.

Threat Vectors

Despite the evolving nature of fileless ransomware, the good news is that threat vectors remain constant across enterprise and SMB attacks. Two tactics continue to generate reliable infection rates for malicious actors — email attachments and compromised websites.

When it comes to email, hackers typically use a combination of social engineering and familiarity to convince users they must download and open attached files. For example, emails may seem to originate from in-house addresses or known contacts, and appear to contain benign attachments. Or, they may leverage “IMMEDIATE ACTION REQUIRED” tactics that scare users into downloading malicious files, typically Word attachments. Once opened, these files run macros (or ask permission to do so), and infect devices.

Compromised websites, meanwhile, contain malicious links that may lead to spoofed Web pages or applications. Once there, users are asked to download a necessary file, codec or even font type — although they may appear innocuous, they’re often hidden executables with odd or doubled file extensions, allowing them to execute once opened by users. They quickly contact C&C servers, grab the ransomware package, and take control.

Staying Safe

How do SMBs protect themselves against emerging ransomware threats? The first step is education — train employees to avoid any suspicious email attachments, and report strange website links or behavior. Here, communication is key: Make it clear that network defense rather than staff discipline is the aim to encourage employee honesty.

In addition, it’s a good idea to leverage security solutions capable of recognizing both attack indicators — such as network and application behavior — in addition to whitelisting and blacklisting files. Disabling Word macros by default and limiting the permissions of PowerShell also help limit ransomware risk.

Fileless Ransomware Infographic

How Ransomware Uses Powershell

How Ransomware Uses Powershell Provided By CrowdStrike

SMBs are increasingly targeted by advanced ransomware attacks. Look for warning signs, leverage the right tools and learn more about evolving threats to keep your data secure.

Author Bio

How Does Fileless Ransomware Work Infographic - CrowdstrikeThis guest post on fileless ransomware was contributed by Con Mallon. Con is Senior Director of Product Marketing at CrowdStrike, responsible for product positioning and messaging, go-to-market programs, competitive differentiation, and sales assets and tools. Con started his career in the United Kingdom, and has more than 20 years of marketing and product management experience within the technology sector.