Fileless ransomware, as per a recent report, is an emerging threat for businesses in the U.S.
A new report by Malwarebytes, titled “Under the Radar: The Future of Undetected Malware”, points out that a new class of malware has now risen to prominence: under-the-radar malware. The report states, “This difficult-to-remediate group of threats is growing in sophistication and frequency, a cause for concern for businesses today and in the future… These sophisticated attacks avoid detection and maintain persistence by borrowing the propagation and anti-forensic techniques seen in the complex nation-state attacks of the past”.
The report then says, “Of these attacks, foremost in volume today are fileless attacks and compromises”.
The Malwarebytes report examines four fileless attacks that have been posing grave threats to businesses across the U.S. throughout 2018. These include the Sorebrect fileless ransomware threat, which was detected in the U.S. in 2018 and which could continue to cause trouble in 2019 as well.
The four fileless attacks discussed in the Malwarebytes report are Emotet, TrickBot, SamSam and Sorebrect.
Discussing Sorebrect, the report points out that this fileless malware, which was first seen in Middle Eastern countries in 2017 and which primarily attacked organizations in the manufacturing industry, made its way to the U.S. in 2018. This fileless ransomware was discovered in several states across the U.S. The report says, “Within the 50 states, Missouri leads the pack for Sorebrect detections, followed by Tennessee, again compromising those outside states with the largest populations or traditional technology centers”.
Sorebrect, which combines traditional ransom functionality with fileless tactics, targets network shares as well. “When you combine that traditional ransom functionality with the fileless tactics of tomorrow, you’ve got a threat that is impossible to stop if you do not have a solution monitoring process memory and using behavioral identification and detection”, reads the Malwarebytes report.
The report further notes, “Lucky for us, this threat hasn’t had a great spread and we haven’t observed any copycats of this functionality making big splashes, yet. However, it’s just a matter of time before somebody perfects this infection method and using the computer becomes a bigger risk”.
Sorebrect poses great risks as it doesn’t need a human to launch it. Though there’s not much clarity regarding its delivery mechanism, it’s believed that Sorebrect is partially spread through exploit kits and malicious spam campaigns. Expert opinion is that this ransomware, which represents a new evolution, is almost guaranteed to be copied in the near future and hence would very soon end up being a big threat to businesses.
The report, authored by Adam Kujawa, Director of Malwarebytes Labs, also points out that Malwarebytes had detected and removed over 1.5 million Emotet infections between January and September 2018. Though the U.S. has more Emotet detections than any other part of the world, there has been an increase in activity reported from other countries like the UK, Canada, the Philippines and Germany.
It has also been noted that in the U.S., the Emotet infections seemed to be fairly spread across the states, unlike other families. The report explains, “Texas being number one for Emotet detections in 2018 makes a lot of sense. As it is a very large state with a large population and numerous intelligence gathering and analysis locations throughout the state (government-sponsored) – including multiple military bases and a technology hub in Austin… Like Texas, Emotet has been heavily detected in Oklahoma and North Carolina and other states to a lesser extent”.
TrickBot and SamSam infections are also discussed in detail in the report.
The Malwarebytes report points out that fileless attacks have been highly successful since most security solutions today are designed to detect file-based malware. Traditional security solutions are not designed to detect and remove malware that resides in system memory rather than on disk. The report observes, “This growing gap in protection has led to a tremendous increase in attacks, compromises, and resulting data theft from fileless attacks. In fact, fileless malware attacks are estimated to account for 35 percent of all attacks in 2018, and they’re almost 10 times more likely to succeed than file-based attacks, according to a recent Ponemon Institute report”.