Malwarebytes: Fileless ransomware an emerging threat for U.S.

A completely fileless ransomware, dubbed Sorebrect, is "one of the first of its kind" to combine traditional ransom functionality with fileless tactics, according to a new Malwarebytes report.

In "Under the Radar: The Future of Undetected Malware," Malwarebytes detailed four fileless attacks observed throughout 2018, including Emotet, TrickBot, SamSam and Sorebrect. The report referenced a study from the Ponemon Institute, which stated that "fileless malware attacks are estimated to account for 35% of all attacks in 2018, and they're almost 10 times more likely to succeed than file-based attacks."

The report emphasized these four malware families pose as a serious threat to businesses. For example, Malwarebytes stated that "between January and September 2018, Emotet malware was detected and removed more than 1.5 million times using Malwarebytes." While Emotet was found to be most active in the U.S., an increase in activity was also seen globally in counties such as the U.K., Philippines and Canada.

One of the biggest targets in the U.S. for Emotet was Texas. Adam Kujawa, director of malware intelligence at Malwarebytes, based in Santa Clara, Calif., said he believes this to be due to the fact that Texas holds a large population, several military bases and a growing tech industry.

Sorebrect has also made its way to the U.S. It was first seen in Middle Eastern countries in 2017, infecting networks of primarily manufacturing businesses. But Malwarebytes said the fileless ransomware was discovered this year in several states, including Missouri and Tennessee.

"Lucky for us, this threat hasn't had a great spread and we haven't observed any copycats of this functionality making big splashes, yet," the report stated. "However, it's just a matter of time before somebody perfects this infection method and using the computer becomes a bigger risk."

Kujawa said Sorebrect combines traditional ransom functionality with fileless tactics and targets network shares.

"The most popular ransomware right now, being GandCrab, has all kinds of capabilities. But the fact is that [Sorebrect] is a new evolution of ransomware, something that we haven't really seen before. And it's almost guaranteed to be copied in the near future," Kujawa said. "The main way of infection when it comes to fileless malware is either through some kind of script exploited through an exploit script or exploited through a malicious Office document. Either way, it allows the ransomware to reside in memory without putting anything on disk, hanging out for as long as it wants until it wants to start encrypting things."

The risk Sorebrect poses becomes further evident, as it doesn't need a human to launch it. While its delivery mechanism is not fully known, Kujawa said it is believed the fileless ransomware is  partially spread through exploit kits and malicious spam campaigns.

"Once it is on the system, what happens usually with any sort of fileless malware is that it will find some way to make itself resistant. Otherwise, once you leave it with the computer, it's gone," Kujawa said. "So, in many cases, they'll create malformed registry entries or keys and have code in them. And every time the computer reboots, it launches that code, that code reaches out, grabs the malware and infects the system again. With Sorebrect, since it can encrypt everything, I imagine that after the initial infection and once it starts encrypting, it probably makes itself known."

In order to protect against threats such as fileless ransomware, the report recommended enterprises expand their current protections beyond signature-based malware detection and adopting behavioral detection. In addition, Malwarebytes suggested enterprises focus more on blocking delivery mechanisms for threats, specifically email messages, and use security products with self-defense modes that can prevent malware from disabling or removing it from a system.