Home Articles A Reality Check on Fileless Malware & Ransomware Attacks

A Reality Check on Fileless Malware & Ransomware Attacks


According to a threat report, the Fileless malware continues to rise and Ransomware attacks have decreased in this year. Read on to know more…

For now, the first half of this year ransomware attacks have decreased and the fileless malware attacks continous to rise according to an recent analysis of 2018 data by SentinelOne. In January, the security firm SentinelOne observed that spread of ransomware attacks fluctuated in the first half of this year. The study report noted “Our [report] found that ongoing advancements in fileless malware, PowerShell attacks and ransomware continue to be a pain point as attackers continue to refine attacks to bypass legacy AV,”.

Some Statistics
According to SentinelOne, the fileless malware continues to grow and now represents 42 out of 1,000 endpoint attacks. The increasing trend represents a 94% increase in the use of fileless-based attacks between January and June 2018. In January this year, Ransomware attacks represented just over 10 out of 1,000 attacks. In February, 14 out 1,000 attacks were connected to ransomware. As of June, ransomware attacks are at an all-time yearly low of 5.1 per 1,000 attacks. The study report noted that Fileless attacks such as Microsoft’s PowerShell jumped from 5.2 attacks per 1,000 endpoint attacks, compared to 2.5 attacks in May.

Working Mechanism
The fileless malware infected the numerous computers leaving behind no traces on the local hard disk drive, thus evading the traditional signature-based security and forensics tools. Fileless malware attacks exploit vulnerabilities in browsers and associated programs such as Java, Flash or PDF readers, or via a phishing attack that tricks a victim to click on an attachment. They target on unsuspecting users clicking on malicious links or files.

In fileless malware attacks, actually no files are dropped on the targeted system. Rather, the malicious code executes in the computer’s memory and calls other programs that are already on Windows system such as PowerShell and Windows Management Instrumentation (WMI).

Windows tools, such as PowerShell, are used by basically used by malicious elements to remain persistent on systems. This is because the fileless malware needs to run code on the targeted system’s Random Access Memory (RAM). Every time the endpoint is restarted the victim’s in-memory attack ends.

To avoid those limitations, attackers often will traverse from one application to another and in some instances, PowerShell will be used to open an application such as Notepad or Calculator in the background that is hidden from the user, so that the fileless malware can run in one of those application’s memory footprint. Another means of gaining persistence is by loading a PowerShell script that instructs the targeted computer to reconnect to the attacker’s command and control each time the PC started.

Kaspersky Lab detailed its discovery in July of the PowerGhost fileless malware/cryptominer which is an obfuscated PowerShell script. This Fileless malware plants itself in the targeted system’s RAM and uses the WMI tool and Mimikatz data extraction tool to escalate privileges and set up its mining operation. More recently, researchers discovered CactusTorch fileless malware that executes and loads malicious .NET files straight via memory.


Please enter your comment!
Please enter your name here

20 + = 28