Over the past several years ransomware attacks have become the preeminent threat in the cybersecurity industry. It is no secret as criminal gangs are getting more and more creative, that the attackers are gaining an edge over defenders as companies ranging from small businesses, to cities, to Fortune 500 organizations are constantly showing up in the news getting hit. The latest technique leveraged by attackers is the use of fileless malware, allowing ransomware to become more evasive, stealth, and effective in gaining persistent access to critical data. This article focuses on discussing the role that fileless malware plays in modern ransomware attacks as well as how to stop these attacks. As such, the article can be summarized with the following:

Ransomware Background

Over the last decade two primary attack methodologies have arisin within the endpoint malware domain: wipers and ransomware. Wipers, such as what was used in the NotPetya attacks, mostly are leveraged from nation-state actors for military purposes with the intent of destruction [1]. As was the case in the previous NotPetya example, the primary intent of the Russian proxy actors in the Sandworm APT was to destroy critical infrastructure within Ukraine, resulting in the shutdown of the power grid. These attacks are less common, but are more devastating and sophisticated when inflicted, mainly due to the amount of resources that have been put into developing them.

The second type of attack is a ransomware attack. Ransomware attacks are more common, and often leverage more known vulnerabilities and tactics due to their use by criminal organizations versus nation-states. The primary goal is extortion of money versus actual malice, making these organizations operate similarly to actual businesses. For example, in 2021, the Conti Ransomware gang made $180 million in revenue [2], far more than the average company and even a significant portion of the organizations that they targeted. As such, it is important to remember this fact in assessing the strategies of these actors.

Since their primary goal is to maximize revenue, mainly the amount of money that they extort, attackers have to optimize between two factors: ease of attack, and the amount of money that they can extract. The combination of these factors culminates in what is determined as return on investment.

Return on Investment (ROI) = Ease of Attack x Financial Reward

1. Ease of Attack — The difficulty in compromising a victim organization, namely how many resources attackers have to dedicate to an attack campaign.
2. Financial Reward — The amount of money that can be extracted from a victim organization either through a fee to restore encrypted files, or the sale of sensitive exfiltrated data.

Keeping in mind the above equation, ransomware gangs have two strategies to optimize ROI, they can prioritize ease of attack or the financial reward that they receive if they are successful. For the first strategy, the goal is volume. Ransomware gangs hope to be able to leverage low hanging vulnerabilities, often previously disclosed but unpatched bugs, that are easy to exploit but are generic in scalability, that allows for maximum volume of victims. Additionally, open source and leaked malware code are often leveraged for easy and rapid development of tools. This is the most common strategy as it is easier to take advantage of the homogeneity of target systems to develop scalable exploits against smaller organizations.

The second strategy encompasses pursuing hard to exploit targets that have larger security budgets but will also pay out more. These are often the holy grail targets that you see in the news such as governments and Fortune 500 organizations. Even though this second strategy is often what we as the public see more of in the news, the first category happens far more behind the scenes, effecting small businesses to even the point of bankruptcy and closure. This can be backed up by the statistic that in 2023, the average victim payout was in the hundreds of thousands while the average extortion request was approximately $5 million [3].

A new Asymmetric Opportunity for Attackers

Up until this point, the two components making up attacker ROI were generally disjoint. Attackers could either take a volume, or financial reward approach but not both. This was generally attributed to ease of attack requiring the use of open source or previously leaked ransomware code. As such, these attacks would be mostly effective against smaller organizations without the resources to hire large security teams. These attacks would often be caught by the larger organizations because their cybersecurity teams would also have the knowledge of the general open source and leaked code on the dark web. This resulted in a tendancy of the cybersecurity industry to leverage these evolving codebases (often referred to as malware families) in order to identify signatures of the presence of each one respectively. Security companies can and have built AI models to detect the presence of a downloaded file that contains code similar to that found in previously seen malware families. This approach has worked pretty well up until the past couple of years.

Over the past three years, a new technique has become mainstream among attackers: fileless malware. Fileless malware, which was originally limited to nation-state actors due to the complexity and sophistication required, has been spreading to the criminal organization segment due to leaks and disclosures of open source tools on the dark web. These techniques are now providing a new emerging asymmetric opportunity to attackers, allowing them now to have the best of both worlds, leveraging easy existing code bases, while also being able to target victim organizations.

Existing cybersecurity solutions have traditionally been very good at scanning for signatures of previously identified malware family code bases within analyzed files. Due to the nature of fileless malware, since there is very limited to no trace of the malicious code segments exposed to the filesystem, security products even among the largest and most sophisticated organizations are severely hindered from detecting the malware. Furthermore, by leveraging existing in memory code to disable and spoof endpoint protections, malware can gain the freedom to execute under the radar for longer periods of time. By the time malware is eventually detected by security operations center (SOC) analysts after the fact, it is often too late.

With these presented benefits, it is no wonder that fileless techniques are exponentially increasing in their use within modern ransomware, estimated to now be incorporated in as much as 90% of modern attacks [4,5]. Looking back again to the primary motivations and strategies of ransomware organizations, here are the most notable benefits.

1. Evasion — By preventing the exposure of malicious code to the filesystem, and by leveraging in memory manipulations to bypass and disable existing protections, it is easier for ransomware to evade even the most sophisticated defense solutions.
2. Persistence — With the rise of ransomware as a service (RAAS) strategies, fileless techniques such as rootkits enhance persistence capabilities and allow for stealth access to victim systems over longer periods of time before detection. This allows for a larger victim base to provide to customers, resulting in increased revenue.
3. Reuse of Existing Code — By leveraging anti-analysis checks and dynamic code protection schemes such as polymorphic generation, obfuscation, and encryption, existing software that would normally be detected can now be leveraged in new malware. This means that new ransomware tools can be developed at a faster pace, allowing for a more significant edge over defenders.

Anatomy of a Fileless Attack

The primary benefit of a fileless attack is the fact that malicious code can be hidden within the context of a normal application’s process memory. In order to illustrate the process of a fileless attack in more concrete terms, lets use the example of the recent Guloader malware [6]. In the figure above the attacker can first gain entry onto the target system through a technique such as a phishing email. Additionally, other techniques can be used such as leveraging a remote code execution vulnerability or leaked credentials. After this step, an attached file is downloaded onto the target system, after which an included macro is run to fetch the first stage Guloader shellcode. This stage is what can be referred to as a dropper. Since this macro is technically exposed to the filesystem scanning layer, there is no included malicious code since that of which is hosted on a remote server.

After the dropper is executed, a Powershell session will be opened which will download the first stage Guloader shellcode from a remote server (i.e. Google Drive). This shellcode will disable protections on the target system. After this step, the shellcode will download the second stage payload into the Powershell process memory which will actually run the malicious code. After this point, the ransomware operations can be executed undetected whether that be to encrypt files, command and control or data exfiltration.

It is important to note that even though the malicious code is run inside process memory, what actually can be detected by defenders is the interaction with the filesystem or operating system. For example, analyst’s in the SOC may be able to observe that files are being encrypted. However, forensic analysis has to be conducted to identify what is doing the malicious behavior and by that point it is often too late. Further, if attackers choose to use less overt mechanisms for their objectives, it makes it virtually impossible for defenders to detect less noisy actions such as data exfiltration.

Shifting Defense Strategy to Mitigate Fileless Ransomware

As previously mentioned, a majority of cybersecurity solutions have traditionally focused on detection and response, prioritizing scanning for indicators of compromise and malicious activity. As such, it is common practice to build AI models to detect for these known, previously observed features. In the event though that a new type of vulnerability is leveraged, code is obfuscated/encrypted, or siloed for in memory execution, it is very difficult for these approaches to be effective.

To better address these under the radar activities, it is our view that a more proactive approach is needed, instead focusing on the common TTPs that lead to the fileless malicious activity. By using this approach instead of individually focusing on each malware family, a security by design mindset can lead to protecting against new and obfuscated malware variants regardless of if scanning solutions can identify IOCs or malware signatures. Some of the most effective indicators to look for to address the common defense evasion TTPs associated with fileless ransomware include:

1. Obfuscated Powershell Commands — Malicious code downloaded from dropper programs into Powershell often include obfuscated commands in order to evade scanning protections. By changing names slightly, malware can bypass the AI models which are looking for very specific patterns.
2. Reflective Assembly Loading — Malicious code downloaded from dropper programs into Powershell often need to import encoded DLL binaries into the runtime environment. Reflective loading is a common technique to import compiled binary code into the current .Net runtime environment.
3. Suspicious Powershell Loading — It may be common to start Powershell from the desktop (i.e. explorer.exe), but there are often very few normal reasons for Powershell to be called from a macro program such as Word, Excel, or Adobe.
4. Manipulation of Process Memory — Leveraging system calls such as VirtualAlloc are key indicators to malware attempting to overwrite existing process memory. These are common in attack techniques such as process hollowing, and antivirus bypass activities.
5. Interaction with TMP memory, Registry, and Task Scheduler — Even though fileless malware executes mostly in process memory, there are often snippets left behind for the purpose of persistence. The most common locations include in temporary memory, the registry, and task scheduler. Even when these are used, code is often obfuscated and malicious components are removed to avoid detection. However, a lot of times simply the fact that a suspicious string or binary is written to these locations is enough to warrant further investigation.

How ARMS Cyber can help

The Arms Cyber ransomware solution employs a comprehensive, multilayered defense-in-depth approach that combats ransomware at every stage of execution. Utilizing a mix of cutting-edge strategies, traditional defenses are transformed into a moving maze, designed to disorient and effectively disrupt even the most advanced attackers. From initial intrusion, through attempts at evasion, to malicious payload execution, Arms  Cyber identifies and neutralizes ransomware threats earlier and more effectively compared to signature-based and behavioral methodologies.

‍

References:

1. https://www.cisa.gov/news-events/alerts/2017/07/01/petya-ransomware
2. https://www.wired.com/story/conti-group-ransomware-members-reward-target/#
3. https://info.zscaler.com/resources-industry-reports-2023-threatlabz-ransomware-report
4. https://news.sophos.com/en-us/2023/11/09/memory-scanning-leaves-attackers-nowhere-to-hide/amp/
5. https://www.blackfog.com/what-is-malvertising-and-how-to-stop-it/
6. https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/