What Is Fileless Ransomware?

Background

Ransomware isn’t a new phenomenon. The concept of holding locked files for ransom has been around since the era of the floppy disks. However, many will be surprised to find out that ransomware comes in many forms.

Ransomware typically comes in the variants of “locker” ransomware and “MBR” (Master Boot Record) ransomware. Locker ransomware makes a user’s desktop and applications inaccessible through a virus until the user pays up by either inputting card information or wiring money via cryptocurrencies like Bitcoin or Ethereum.

Meanwhile, MBR ransomware locks users out of their computers completely. The MBR is a code that’s stored in the first sector of a hard disk drive and is a code extremely critical to launching an operating system. However, because this form of ransomware is able to overwrite it, once infected, it can render the computer system useless at startup.

Delivery methods for ransomware are evolving, and hackers are increasingly delivering in-memory malware through fileless scripts. Such is the case with fileless ransomware, which is a type of ransomware that embeds malicious code into parts of an operating system where a regular user will not suspect (e.g. RAM, kernel). As a result, fileless ransomware can spread without detection.

What makes fileless ransomware so different and why is it dangerous?

One way ransomware is spread is through email attachments that contain executable files with malicious code. Usually people avoid downloading files with unfamiliar extensions, but nowadays hackers can fake file extension names by abusing a special Unicode character that forces text to be displayed in reverse order. Though these files may also be blocked by anti-malware tools/plugins that prevent downloads of suspicious files, with fileless ransomware the malicious code may be undetectable, making it all the more dangerous.

This is all thanks to “macros,” which are essentially instructions consisting of a sequence of commands to be executed within Microsoft Word. Though typically used for less sinister purposes like automating tasks within Microsoft Word (formatting texts, inserting pre-designed tables), they can also be exploited and used maliciously, for example in spreading viruses and taking over files to encrypt.

Is fileless ransomware the new trend?

Fileless ransomware works by running macros directly in the computer’s memory. When a macro-enabled Word document is opened, macros start a command line in a computer’s task automation and configuration management framework linked to Microsoft, which calls the PowerShell in Windows to feed it the malicious scripts. As a result, some refer to this kind of fileless ransomware as PowerWare.

Fileless ransomwares run scripts within native applications like the PowerShell to encrypt files, while concealing malicious commands. As a result, fileless ransomware makes for an effective way for hackers to trick users into downloading and running commands without the user’s permission. This is quickly becoming a popular technique used by hackers to spread ransomware.

Training users to avoid opening attachments is easier said than done. Anyone can fall for a phishing scam through a cleverly-disguised email and or other social engineering techniques. Instead, users and IT professionals should turn off macros by default and limit the number of commands or functions that PowerShell can run without approval for example. Keeping up to date with the latest ransomware variants is always good practice too.