Security Experts:

Watch Out for Fileless Ransomware

At a recent industry conference I heard some commentary about the “disappearance” of ransomware, but I’m here to assure you that that isn’t the case. It’s true that some criminal gangs have switched to distributing cryptocurrency miners instead of ransomware (for now, I emphasize), as such mining is currently more difficult for many security systems to detect, and it’s proving extremely profitable to the criminals, which is all that matters.

A May survey showed phishing has surpassed ransomware as a concern for IT security managers, and for understandable reasons—the number of phishing emails reaching users keeps rising, and phishing is the top source of breaches at companies. 

But don’t think ransomware is going to go quietly or go away at all. The narrative of the decline of ransomware is being driven in part by the decrease in mass, botnet-driven mailings sent in the tens of millions, which are spectacular and generate headlines. But it’s important to balance that narrative, focused on the decline in the sheer volume of ransomware distributions, with the understanding that during this past year there has also been an increase in the overall number of ransomware variants in circulation and more varied distribution methods in use, with each campaign typically targeting smaller audiences in the tens of thousands. 

Ransomware Not Dead, Just Less Open

Also consider that other factors are making ransomware activity less obvious and tracking it more difficult. There is a shift underway away from Bitcoin to cryptocurrencies that are even more private — Monero and Dash wallets aren’t open, we can’t any longer just look at publicly visible Bitcoin wallets and see ransomware at work. That switch is also being pushed by Bitcoin-to-dollar currency exchange platforms being shut down, like a Russian bitcoin platform which was recently seized. The move to better hide the payment trail extends to a trend in ransomware notes, which less frequently contain explicit payment instructions, but have switched to use of email or “bitmessaging” to communicate the payment details. In any event, the criminals realized that being brazenly open in this way was best avoided.

Fileless Ransomware Living Off the Land

What’s referred to as “fileless” malware is being seen a lot, and my colleagues and I have been discussing why it hasn’t crossed over more heavily into ransomware yet. When it does, it will get through a lot of industry defenses. To recap, “fileless” refers to methods and capabilities that, in order to evade detection, curtail the number of malicious artefacts written to the file system. This is made possible by applying the principle of “living off the land,” where pre-installed system tools like Powershell and PsExec, with their powerful capabilities and privileges, are leveraged to execute the malicious payload, instead of the ransomware code bringing along a lot of heavy baggage. At this point, all the major ransomware families (Cerber, GrandCrab, Locky, et al.) have had “living off the land” capabilities added to them, mostly by embedding Powershell scripts that download and execute the payload. Powershell and other system tools can also be used for the ransomware encryption itself, as first seen in Poshcoder in 2014 (which, because of poor programming, destroyed the files in the encryption process...), and later in its “improved” version, Powerware. 

Combined, living-off-the-land and fileless injection methods create the potential to launch an attack where no malicious executable is ever saved to disk. Fully “fileless” attacks are by nature volatile and will not survive a reboot or removal. The problem with ransomware is that it has no need for persistence. Running it once is enough for cybercriminals to reach their goals.

Most Next Big Things Have Already Happened

As you see in the Poshcoder example from 2014 (which, by the way, still has a very low detection rate in the industry), fileless ransomware isn’t a brand new idea. And last year we saw UIWIX, which was essentially Wannacry adapted to run in memory, although it didn’t spread much. Perhaps as a better indicator of what’s coming, at the end of April we found a sample of SynAck, which has been around since 2015, newly adapted to run in a fileless manner using a technique called Process Doppelgänging.

History shows that, in security, the next big thing isn’t always an entirely new thing. We have precedents—macro malware existed for decades before it really became a “thing.” 

So we are of the school that it is only a matter of time. A reasonable theory is that we haven’t seen it en masse, or at least in a significant number of smaller distributions, because other opportunities have presented themselves (like cryptomining), and what’s worked up until recently to evade detection for ransomware is still working in enough scenarios. “Fileless” is leaner and smarter, so it’s a move we should expect and for which we should be prepared.

view counter
Sigurdur “Siggi” Stefnisson is vice president of threat detection at Cyren, an Internet Security as a Service provider that protects users against cyberattacks and data breaches through cloud-based web security, email security, DNS security and sandboxing solutions.