As the lazy days of summer approach and before you start to fire up your grill and assemble and launch a collection of dazzling fireworks, it makes sense to take some time to inform yourself about a growing cybersecurity threat for your small business: fileless malware. This latest insidious type of malware is a real concern for businesses of all sizes.
In this blog post, we will explain how this threat occurs, why it’s dangerous, and what steps your small business should take to protect itself.
Ransomware Threat Diminished in 2018
Last year’s main cybersecurity threat was ransomware, with the most famous example being the WannaCry virus. Ransomware typically arrives as a Trojan delivered through “phishing” messages: unsolicited emails, links, and attachments sent to company employees. Once a user is lured into running the executable file, the malware encrypts the system’s data and locks legitimate users out. The attackers then demand a ransom, usually in Bitcoin, before they will send the victim the decryption key needed to regain access to their system.
Experts estimate that ransomware cost companies more than $5 billion in 2017. However, as companies have become more aware of the dangers and techniques of ransomware, and taken solid steps to defend against it, the number of ransomware attacks has plummeted in 2018.
Cybercriminals unfortunately don’t disappear when one type of malware becomes ineffective; instead, they regroup and develop new techniques to get around the latest cybersecurity measures. As a result of the successful defensive methods against ransomware, many hackers have transitioned into new types of cybercrime, with a growing focus on fileless malware.
Fileless Malware Presents a New Type of Threat
In contrast to ransomware, cybercriminals using fileless malware do not drop an executable file on disk to gain unauthorized access; instead, the malicious code runs directly in the computer’s memory. This makes detection extremely difficult for traditional anti-malware tools, which are designed to scan new files for potentially hostile content. For example, attackers use Microsoft’s own built-in components, such as PowerShell and Windows Management Instrumentation (WMI), to bypass normal defenses: a malicious macro or command-line script invokes these trusted tools, which then load the malware into memory on the machine or across the network.
A quick summary of how hackers use fileless malware to gain unauthorized access to a company’s network: as with other types of malware, a user first has to be lured into clicking a link in a spam email that loads Flash content on their computer. The attackers then exploit Flash’s vulnerabilities to launch Windows PowerShell, which executes a malicious script fetched from a command and control server. That script locates sensitive user data and sends it to the cybercriminal.
This type of attack is especially hard to defend against because it gets around most typical anti-virus and anti-malware products by never writing an executable file that could be quickly detected and quarantined. Since PowerShell and WMI are trusted components of Windows, commands issued through them are trusted by default and are not stopped by typical security software.
What makes fileless malware even more dangerous than typical malware is its ability to reside in a company’s system for long periods of time without detection. With the insidious camouflaging ability of fileless malware, a bad actor can take their time quietly gathering sensitive stored data and can also quickly access new data when it comes into the network.
The Fileless Malware Threat Will Continue to Grow in the Near Future
Even though different forms of fileless malware have been around for some time, the recent development and affordability of new exploit kits has greatly increased the number of attacks. The SANS 2017 Threat Landscape Survey revealed that more than a third of organizations polled had reported experiencing fileless malware attacks in 2017. Because of the effectiveness of this type of malware and its increasing availability to hackers of all sizes and levels of sophistication, the number of fileless cyberattacks will rise considerably in 2018.
Recommended Steps to Defend Against Fileless Malware
Employees remain the weakest link
As with other forms of malware, employees still remain the weakest link. Your company should maintain strict email and internet use protocols with required training and education on the most recent cybersecurity threats. Employee internet and email behaviors that must be prohibited include clicking on website links, visiting unknown websites, downloading illegal or pirated software and media, opening attachments, and responding to email offers. Your employees should also always use strong passwords and practice password change control.
In addition, your company should always monitor and restrict the number of employees with access to sensitive data.
Keep applications, operating systems, and anti-virus tools updated
This should be standard procedure already, but it makes sense for your company to always update all applications, operating systems, and anti-virus tools in order to have the highest level of protection against fileless malware as well as other malware.
Disable Macros, PowerShell, and WMI as necessary
In consultation with your IT Support provider and/or cybersecurity partner, your company should look closely at disabling macros and restricting the use of PowerShell and WMI as necessary during your business operations. There is no reason to leave your company more exposed to cyberattacks when you can readily control the use and timing of these functions.
Utilize Behavioral Detection Techniques
Working with your IT Support provider and/or cybersecurity partner, your company should take the time and effort to establish regular reviews that compare your systems’ current activity against a healthy baseline of usual behavior, to help detect possible unauthorized access. For example, finding a PowerShell session launched from the command line with an encoded command (-EncodedCommand) is a typical red flag. In addition, your company should regularly monitor security logs to determine whether large amounts of data are leaving the network for any reason. A large data transfer could signal that a hacker has compromised your system and is stealing sensitive information.
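The encoded-command red flag above can be checked mechanically in process-creation logs. The following is an added example, not code from the original post or from Network Depot: it scans constructed sample log lines (timestamp|user|command line) for PowerShell launches that pass their script as a base64 blob, accepting every abbreviation powershell.exe treats as -EncodedCommand, and decodes the blob so an analyst can see what was actually run.

```python
import base64
import re
import shlex

# Constructed sample process-creation events (not from the original post).
# Format: timestamp|user|command line, as an EDR or Sysmon feed might hand to a SIEM.
SAMPLE_LOG = """\
2018-06-12T09:14:03|ACME\\jsmith|powershell.exe -NoProfile -Command Get-Date
2018-06-12T09:15:41|ACME\\jsmith|POWERSHELL.EXE -w hidden -NonI -enc VwByAGkAdABlAC0ASABvAHMAdAAgACcAaABlAGwAbABvACcA
2018-06-12T09:16:10|ACME\\svc_backup|"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -ExecutionPolicy Bypass /EncodedCommand RwBlAHQALQBQAHIAbwBjAGUAcwBzAA==
2018-06-12T09:17:55|ACME\\dlee|cmd.exe /c dir C:\\Users
"""

# Matches the executable token whether bare, quoted, or given with a full path.
POWERSHELL_EXE = re.compile(r'(^|[\\"])(powershell|pwsh)(\.exe)?"?$', re.IGNORECASE)


def is_encoded_command_switch(token: str) -> bool:
    """True if token is any spelling powershell.exe accepts for -EncodedCommand.

    powershell.exe resolves switches by unambiguous prefix, so -e, -en, -enc,
    -encoded ... all select EncodedCommand, and -ec is an explicit short form.
    """
    if not token or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name == "ec" or (name != "" and "encodedcommand".startswith(name))


def find_encoded_powershell(log_text: str) -> list:
    """Return (timestamp, user, decoded_script) for each PowerShell launch
    whose script was supplied as a base64 blob rather than plain text."""
    findings = []
    for line in log_text.splitlines():
        ts, user, cmdline = line.split("|", 2)
        tokens = shlex.split(cmdline, posix=False)  # keep Windows quotes/backslashes intact
        if not tokens or not POWERSHELL_EXE.search(tokens[0]):
            continue
        for i, tok in enumerate(tokens[:-1]):
            if is_encoded_command_switch(tok):
                try:
                    # -EncodedCommand carries base64 of the UTF-16LE script text
                    script = base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
                except (ValueError, UnicodeDecodeError):
                    script = "<undecodable payload>"
                findings.append((ts, user, script))
                break
    return findings


if __name__ == "__main__":
    for ts, user, script in find_encoded_powershell(SAMPLE_LOG):
        print(f"{ts} {user}: encoded PowerShell -> {script!r}")
```

Plain-text launches such as the first sample line are deliberately not flagged; the signal is the encoding, which legitimate administrative scripts rarely need.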
Work closely with your IT Support Partner
The most important recommendation we can give on this and similar matters is to work closely with a trusted IT Support partner with strong credentials in cybersecurity, such as Network Depot, to ensure that your company is well protected against the growing threat of fileless malware. A reliable IT partner will have the experience and knowledge to effectively deal with current and future cybersecurity issues and will allow your company to focus on its core business objectives.