The following infographic and description were provided by security company CrowdStrike.
As ransomware becomes an increasingly lucrative business, organized crime groups are expanding their operations to reach more victims and extract more ransoms. Meanwhile, security measures are getting better at detecting and blocking ransomware, forcing cybercriminals to constantly develop new techniques to evade detection. One such technique is “fileless” malware, in which malicious code is either embedded in a native scripting language or written straight into memory using legitimate administrative tools such as PowerShell, without ever being written to disk.
This infographic describes how fileless PowerShell-based ransomware works.
Fileless ransomware is extremely challenging to detect using signature-based methods, sandboxing or even machine learning-based analysis. CrowdStrike has developed a more effective approach using Indicators of Attack (IOAs) to identify and block previously unknown ransomware and other types of attacks. IOAs look for early warning signs that an attack may be underway, signs that include code execution, attempts at being stealthy, and lateral movement, to name a few. By identifying in real time the execution of these activities, their sequence and dependencies, IOA technology can recognize them as early indicators that reveal the true intentions and goals of an attacker.
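As an added example (not CrowdStrike's code or part of the infographic), the following Python sketch shows the sequence-and-window idea behind IOAs: a file-hash lookup finds nothing because fileless activity leaves no file to hash, while correlating the three behaviour stages named above per host within a time window does raise an alert. The event schema, the stage labels, the 600-second window and the sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Ordered behaviour stages named on the page; these labels are constructed.
IOA_SEQUENCE = ("execution", "stealth", "lateral_movement")

@dataclass(frozen=True)
class Event:
    host: str
    ts: int          # seconds (constructed values)
    stage: str       # behaviour category assigned by an endpoint sensor
    detail: str      # free text; fileless activity carries no file hash

def signature_match(events, known_hashes):
    """Hash-based detection: nothing matches when no file was written to disk."""
    return [ev for ev in events if ev.detail in known_hashes]

def correlate_ioa(events, window=600):
    """Return hosts where all IOA stages occur in order within `window` seconds."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        idx, start, matched = 0, None, []
        for ev in evs:
            if start is not None and ev.ts - start > window:
                idx, start, matched = 0, None, []  # window expired: restart the chain
            if ev.stage == IOA_SEQUENCE[idx]:
                start = ev.ts if idx == 0 else start
                matched.append(ev)
                idx += 1
                if idx == len(IOA_SEQUENCE):  # full chain observed: alert on this host
                    alerts[host] = matched
                    break
    return alerts

# Constructed sample events: ws-01 shows the chain, ws-02 is routine admin work.
SAMPLE_EVENTS = [
    Event("ws-01", 1000, "execution", "script host started with in-memory payload"),
    Event("ws-01", 1120, "stealth", "security event log cleared"),
    Event("ws-01", 1300, "lateral_movement", "remote session opened to ws-02"),
    Event("ws-02", 2000, "execution", "admin runs inventory script"),
    Event("ws-02", 5000, "stealth", "log rotated by scheduled task"),  # far outside the window
    Event("ws-02", 5100, "lateral_movement", "remote session opened to ws-03"),
]

if __name__ == "__main__":
    print("signature hits:", signature_match(SAMPLE_EVENTS, {"deadbeef"}))
    print("IOA alerts:", {h: [e.stage for e in evs] for h, evs in correlate_ioa(SAMPLE_EVENTS).items()})
```

Widening the window (for example to 5000 seconds) makes ws-02 alert as well, which is the tuning trade-off between catching slow attacks and flagging ordinary administration.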