Fileless malware isn’t new, but a ransomware strain that combines several fileless characteristics can be very dangerous. Security researchers at Trend Micro have recently discovered a new fileless ransomware, “Sorebrect,” which injects malicious code into a legitimate Windows process (svchost.exe) on the targeted computer and then self-destructs in order to avoid detection by anti-virus solutions. Sorebrect also removes the infected system’s event logs and other timestamps to prevent its activities from being tracked and analysed.
Unlike typical ransomware strains, Sorebrect has been created to target enterprise servers and endpoints. It first compromises administrator credentials, by brute force or other means, and then uses Microsoft’s Sysinternals PsExec command-line utility to encrypt files. Sorebrect also scans the local network for other connected systems with open shares and encrypts files on them as well. It then deletes all event logs (using wevtutil.exe) and shadow copies (using vssadmin) on the compromised computer that could provide forensic information, which makes the malware hard to detect.
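As an added example (not code from Trend Micro’s report or from this article), the following Python script applies the indicators described above to constructed, Sysmon-style process-creation records: it flags vssadmin deleting shadow copies, wevtutil clearing event logs, the PsExec service binary, and living-off-the-land binaries spawned by svchost.exe, and raises a combined alert when both log clearing and shadow-copy deletion appear in one batch of events. The record format and the sample lines are invented for the example; the rule names are also assumptions, not vendor signatures.

```python
import re

# Finding labels (assumed names for this example, not vendor signature names).
SHADOW_DELETE = "shadow-copy deletion (vssadmin delete shadows)"
LOG_CLEAR = "event-log clearing (wevtutil cl)"
PSEXEC_SERVICE = "PsExec remote execution service (PSEXESVC)"
SVCHOST_LOLBIN = "LOLBin spawned by svchost.exe (possible injected host process)"

# Constructed, Sysmon-like process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe "
    "CommandLine=svchost.exe -k netsvcs",
    "Image=C:\\Windows\\System32\\vssadmin.exe ParentImage=C:\\Windows\\System32\\svchost.exe "
    "CommandLine=vssadmin delete shadows /all /quiet",
    "Image=C:\\Windows\\System32\\wevtutil.exe ParentImage=C:\\Windows\\System32\\svchost.exe "
    "CommandLine=wevtutil cl Security",
    "Image=C:\\Windows\\PSEXESVC.exe ParentImage=C:\\Windows\\System32\\services.exe "
    "CommandLine=C:\\Windows\\PSEXESVC.exe",
    # Benign: an administrator querying, not clearing, the Security log.
    "Image=C:\\Windows\\System32\\wevtutil.exe ParentImage=C:\\Windows\\explorer.exe "
    "CommandLine=wevtutil qe Security /c:5",
    "Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe "
    "CommandLine=notepad.exe",
]

EVENT_RE = re.compile(
    r"^Image=(?P<Image>.*?) ParentImage=(?P<ParentImage>.*?) CommandLine=(?P<CommandLine>.*)$"
)

# Binaries that an injected svchost.exe would have to spawn to run the
# cleanup commands described in the article.
LOLBINS = {"vssadmin.exe", "wevtutil.exe", "cmd.exe", "powershell.exe"}


def parse_event(line: str) -> dict:
    """Split one constructed record into its three fields."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    return m.groupdict()


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.lower().rsplit("\\", 1)[-1]


def analyse(event: dict) -> list[str]:
    """Return every indicator that matches a single process-creation event."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"].lower()
    findings = []
    if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        findings.append(SHADOW_DELETE)
    # "cl" and "clear-log" are the wevtutil verbs that wipe a log; "qe" (query) is benign.
    if image == "wevtutil.exe" and re.search(r"\b(cl|clear-log)\b", cmd):
        findings.append(LOG_CLEAR)
    if image in ("psexec.exe", "psexesvc.exe"):
        findings.append(PSEXEC_SERVICE)
    if parent == "svchost.exe" and image in LOLBINS:
        findings.append(SVCHOST_LOLBIN)
    return findings


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (index, findings) for every record that triggers at least one rule."""
    results = []
    for i, line in enumerate(lines):
        findings = analyse(parse_event(line))
        if findings:
            results.append((i, findings))
    return results


def ransomware_pattern(lines: list[str]) -> bool:
    """High-confidence alert: both anti-forensic steps seen in the same batch."""
    seen = set()
    for _, findings in scan(lines):
        seen.update(findings)
    return {SHADOW_DELETE, LOG_CLEAR} <= seen


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
    print("ransomware pre-encryption pattern:", ransomware_pattern(SAMPLE_EVENTS))
```

Each rule on its own produces noise (administrators do run wevtutil and PsExec), which is why the script also reports the combination: shadow-copy deletion plus log clearing from the same host is the sequence the article attributes to Sorebrect and is rarely legitimate. Because the malware deletes the logs it leaves behind, this kind of detection has to run on telemetry that is forwarded off the host before the cleanup commands execute.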
Trend Micro’s experts have detected Sorebrect activity in Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan, and the U.S., in industries including manufacturing, technology, and telecommunications.
“Given ransomware’s potential impact and profitability, it wouldn’t be a surprise if Sorebrect turns up in other parts of the world, or even in the cybercriminal underground where it can be peddled as a service,” said the researchers.
How to Protect Against Sorebrect Attacks?
- Restrict user write permissions;
- Limit and secure the use of PsExec;
- Back up your important data regularly;
- Keep the system and network updated;
- Deploy multilayered security mechanisms;
- Conduct regular cybersecurity-awareness training for employees.