An Inside Look Into Fileless Ransomware
May 22, 2017 6:22am
Businesses are worried about ransomware — and rightfully so. Last year, 70 percent of companies targeted by ransomware attacks paid rather than risking data loss, with 50 percent of these payments topping $10,000. This malware method raked in more than $1 billion for hackers in 2016 and is on track to do the same (or better) this year.
More worrisome is the fact that large and small businesses alike are often overwhelmed with conflicting and confusing information about ransomware risks, their standard operating procedures, new variants and what steps they can take to stay safe. Let’s clear the air and take an inside look at tech’s biggest threat.
While the number of ransomware variants and reported attacks has spiked significantly in recent years, the digital ransom concept is old — initial exploits appeared almost 30 years ago, were spread through floppy disks and required victims to mail payments in exchange for decryption tools. The rise of broadband internet, web apps and cloud computing deployments created a competitive malware marketplace where ransomware largely took a back seat — until recently.
In 2012, security researchers noticed a spike in ransomware activity. It started with “locker” attacks, which prevented users from accessing their desktop or any applications. Often, these locks were paired with fake police messages or FBI investigation warnings that demanded victims pay or face potential prosecution. Another popular type was Master Book Record (MBR) ransomware, which prevented boot processes from completing — and rendered systems useless.
Over the last three years, however, locker and MBR ransomware have been supplanted by crypto ransomware, which allows users access to basic system functions by encrypts to specific file types. Documents, photos, videos and files related to app execution can all be encrypted and scrambled, with random extensions added. The result? It’s hard to determine what’s been compromised, where it is and how to fix the problem. Typically, attackers demand payment in Bitcoin, a digital currency that can’t be tracked, and while some encryption can be broken thanks to poor code or the efforts of infosec professionals, new variants are continually emerging.
Ransomware vectors are also changing to meet the more proactive nature of IT defense. For example, some malware creators are now providing ransomware-as-a-service, allowing low-skilled users to purchase malicious code for several hundred dollars and then providing continuous “support” similar to that of legitimate software providers. Others have developed extensive marketing materials to sell their ransomware products on the dark web.
New advances are also more technical, such as the rise of fileless ransomware. Instead of downloading code to victim computers that might be flagged by antimalware tools, fileless attacks use macro-laden Word attachments or compromised web links to open command lines in PowerShell — typically a white-listed admin app — which then contact command and control (C&C) servers to download the ransomware package itself. By the time a company notices, it’s too late — the code has already started encrypting files.
For businesses, both the technical sophistication and psychological impact of ransomware make a compelling case for victims to simply pay the ransom and hope for the best. Consider this scenario: A user opens a seemingly benign Word attachment, which then runs a macro, leverages PowerShell and infects networked computers. Files are encrypted, directories are moved and a splash screen appears on computers across the office, demanding payment in Bitcoin. An on-screen counter indicates that if you don’t pay on time, all files will be destroyed.
So you pay, even though there’s no guarantee of recovered data, and even though hackers might try the same trick next week. You pay to avoid the potential PR nightmare and get systems back up and running ASAP. Even if file restorations and cloud backups mean you’ve lost nothing, you still need to make sure you’ve eliminated all traces of the attack and are better prepared for next time.
How can your company prevent the spread of ransomware? Start by turning off macros by default and limiting the number of functions PowerShell can execute without approval. Train employees to avoid opening any attachments they aren’t expecting — better to check with the supposed sender than risk a compromise — and report any potential malicious links to IT.
It’s also important to leverage proactive protection tools that are regularly updated with data about the latest ransomware variants and can detect suspicious network activity, such as high-traffic volumes from strange apps or random file access, and alert security pros before it’s too late.
Ransomware is on the rise. Don’t pay. Get peace of mind by backing up files regularly and with better malware protection.
Check out this infographic for more tips.
About the Author
Con Mallon is senior director of product marketing at CrowdStrike, responsible for product positioning and messaging, go-to-market programs, competitive differentiation, and sales assets and tools. Con started his career in the United Kingdom and has more than 20 years of marketing and product management experience within the technology sector.