Page 15 - Cyber Warnings
P. 15
Fileless Ransomware: How It Works And Why It Matters
Ransomware is a problem for organizations: In the first three months of 2016, law
enforcement officials estimate that cybercriminals extorted almost $210 million from
businesses and institutions.
To combat this growing threat, IT teams and InfoSec tools have developed better ways
to detect malware-carrying email attachments and blacklist specific processes that
could lead to file encryption and ransom demands.
Yet hackers haven’t stayed idle — now, a new type of attack, known as “fileless
ransomware,” is upping the ante and causing problems for IT. Here’s how it works and
why it matters to your organization.
Forget Files
Ransomware is continually evolving. Early methods simply restricted access to user
devices rather than encrypting data; newer iterations leverage complex file encryption
techniques to individually compromise user files and folders on desktops, laptops or
mobile devices, and then demand payment in digital currency.
As security protocols such as signature-based detection, sandboxing and machine-
based learning have reduced the efficacy of this technique, however, threat actors
developed a new method: Fileless malware.
Fileless attacks take one of two forms: Phishing emails with attachments, which then
execute macros to start a command line; or compromised websites that exploit
vulnerable apps to do the same. Both methods then run a PowerShell script straight into
memory, which in turn downloads new scripts to encrypt user data and demand a
ransom. The problem for current detection methods? Nothing is written to disk, so these
attacks fly under the radar.
The New Vector
Fileless ransomware relies on the everyday habits of employees, such as opening email
attachments and using web browsers, to bypass threat detection methods and empower
complex encryption. Staying safe means thinking outside the typical threat response
model to leverage early indicators of attack (IOAs) — code execution, lateral movement
or attempts to obfuscate action — and then block programs based on this criteria.
15 Cyber Warnings E-Magazine – March 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
