File-less ransomware spreads its tentacles

By Balamurugan Selvaraj Published on Jun 19, 2017 03:56 PM IST

Security researchers have found a new ransomware, 'Sorebrect', which has breached a large number of computers in Middle Eastern countries.

Researchers at Trend Micro recently found this file-less malware, which infects vulnerable computers and is detected as RANSOM_SOREBRECT.A and RANSOM_SOREBRECT.B.

First found in Middle Eastern countries, it is now spreading to Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan and the United States.

According to the researchers, the ransomware encrypts the victim's files in an unusual way. Unlike other ransomware, this file-less threat works by injecting code into a legitimate system process and then terminating its own main binary.

As soon as it infects a system, it deletes the event logs and other forensic information about the files that were executed, including their timestamps. The malware does this to hide the actions it has taken.

Moreover, this ransomware has infected a large number of systems in the manufacturing, technology and telecommunication industries in major parts of the world.

The attack chain uses PsExec, a legitimate Windows command-line utility for executing commands or running executable files on remote systems. Using this utility, the ransomware installs on a system with administrator credentials and spreads to remote machines through brute-force attacks.

Interestingly, this is not the first malware to misuse PsExec: SAMSAM, Petya and its derivative PetrWrap used it to install ransomware on compromised servers or endpoints. Sorebrect goes further and deploys PsExec to perform malicious code injection. It injects code into the svchost.exe process and then destroys its own main binary. Once the deployed ransomware has completed this step, the injected svchost.exe encrypts the files on the system.

What about PsExec?

PsExec is commonly used in enterprise networks, giving system administrators flexibility in how they interact with remote machines. It also lets attackers execute malicious commands remotely without establishing an interactive log-in session. For this ransomware, using PsExec makes particular sense for the attackers: once the main binary has been executed, the svchost.exe process injected with malicious code can still carry out the payload.
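The three behaviours the article has described so far (a brute-force attack on administrator credentials, a PsExec service being installed on the target, and the event logs being wiped) each leave a trace in Windows event logs before the log is cleared, and a central log collector keeps those traces. The script below is an added example, not part of the original article or of Trend Micro's research: it triages a constructed export of event records and flags hosts that show the whole chain. The event IDs it keys on are standard Windows ones (4625 failed logon, 7045 new service installed, 1102 audit log cleared) and PSEXESVC is PsExec's default service name; the record layout, the host names and the thresholds are assumptions made for the example.

```python
"""Triage exported Windows event records for the chain the article describes:
a burst of failed logons (brute force), a PsExec service install, and the
Security log being cleared.  Record layout and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real telemetry): a file server that is
# brute-forced, then reached via PsExec, then has its audit log wiped,
# plus a benign service install on another host.
SAMPLE_EVENTS = [
    {"time": "2017-06-19T09:00:01", "host": "FILESRV01", "log": "Security", "id": 4625,
     "account": "administrator", "src_ip": "10.0.0.77"},
    {"time": "2017-06-19T09:00:04", "host": "FILESRV01", "log": "Security", "id": 4625,
     "account": "administrator", "src_ip": "10.0.0.77"},
    {"time": "2017-06-19T09:00:09", "host": "FILESRV01", "log": "Security", "id": 4625,
     "account": "administrator", "src_ip": "10.0.0.77"},
    {"time": "2017-06-19T09:00:15", "host": "FILESRV01", "log": "Security", "id": 4625,
     "account": "administrator", "src_ip": "10.0.0.77"},
    {"time": "2017-06-19T09:00:22", "host": "FILESRV01", "log": "Security", "id": 4625,
     "account": "administrator", "src_ip": "10.0.0.77"},
    {"time": "2017-06-19T09:00:30", "host": "FILESRV01", "log": "Security", "id": 4624,
     "account": "administrator", "src_ip": "10.0.0.77", "logon_type": 3},
    {"time": "2017-06-19T09:01:02", "host": "FILESRV01", "log": "System", "id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2017-06-19T09:03:40", "host": "FILESRV01", "log": "Security", "id": 1102,
     "account": "administrator"},
    {"time": "2017-06-19T10:15:00", "host": "WKS-042", "log": "System", "id": 7045,
     "service_name": "Spooler", "image_path": r"%SystemRoot%\System32\spoolsv.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """(host, src_ip) pairs with >= threshold failed logons (4625) inside window."""
    buckets = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            buckets[(e["host"], e["src_ip"])].append(_ts(e))
    hits = set()
    for key, times in buckets.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.add(key)
                break
    return hits


def detect_psexec_service(events):
    """Hosts where a newly installed service (7045) is PsExec's default PSEXESVC."""
    return {e["host"] for e in events
            if e["id"] == 7045 and "PSEXESVC" in e.get("service_name", "").upper()}


def detect_log_cleared(events):
    """Hosts whose Security audit log was cleared (1102)."""
    return {e["host"] for e in events if e["id"] == 1102}


def triage(events, threshold=5, window=timedelta(minutes=5)):
    """Return {host: [indicator, ...]}; a host showing all three also gets 'chain'."""
    brute = {host for host, _src in detect_brute_force(events, threshold, window)}
    psexec = detect_psexec_service(events)
    cleared = detect_log_cleared(events)
    report = defaultdict(list)
    for host in brute:
        report[host].append("brute_force_logons")
    for host in psexec:
        report[host].append("psexec_service_install")
    for host in cleared:
        report[host].append("security_log_cleared")
    for indicators in report.values():
        if len(indicators) == 3:
            indicators.append("chain")
    return dict(report)


if __name__ == "__main__":
    for host, indicators in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, ", ".join(indicators))
```

Each indicator on its own is noisy (administrators install services and mistype passwords), which is why the report only escalates a host to "chain" when all three line up; in practice the forwarded-log copy is what survives, since the 1102 event is the last thing written before the local log is emptied.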

After the injection, the payload executes and starts encrypting files on the machine and across the network.

Surprisingly, Sorebrect uses the Tor network protocol to anonymise its connections.

Besides the infected system, computers connected over the LAN can also be infected. According to the team, "It does this by scanning the network for asset discovery and enumerating open shares — folders, content or peripherals like printers and biometric devices, which can readily access the system through the network. Once a live host is identified, it initiates a connection after discovering the shares. Authentication would succeed if it’s an open share. If the share has been set up such that anyone connected to it has read-and-write access to it, the share will also be encrypted."

Researchers also mentioned safety measures to avoid this ransomware attack. They wrote, "Restrict user write permissions. Reviewing the permissions for each user in the domain yields better security. Configuring the security of shared files and folders on a network is recommended. Limit privilege for PsExec. Limiting and securing the use of tools and services such as PsExec and providing permission to run them only to administrator accounts helps to mitigate threats."
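The quoted passages above say that a share is encrypted when anyone who reaches it can write to it, and that reviewing share permissions is the defence. The script below is an added example, not part of the original article or of Trend Micro's guidance: it reads the CSV that the real Windows cmdlets `Get-SmbShare | Get-SmbShareAccess | Export-Csv shares.csv -NoTypeInformation` produce and reports which shares grant broad principals (Everyone, Anonymous Logon, Authenticated Users, Guests) write access. The sample CSV, share names and the list of "broad" principals are constructed for the example; the script only looks at the share-level ACL and treats a Deny entry as overriding an Allow, which is a simplification of how Windows combines share and NTFS permissions.

```python
"""Flag SMB shares that anyone who can reach them can write to, the condition
under which the article says Sorebrect encrypts a share.  Input is the CSV from
  Get-SmbShare | Get-SmbShareAccess | Export-Csv shares.csv -NoTypeInformation
The sample export below is constructed, not taken from a real host."""
import csv
import io

# Constructed export (column names match Get-SmbShareAccess output)
SAMPLE_CSV = """\
"Name","ScopeName","AccountName","AccessControlType","AccessRight"
"Public","*","Everyone","Allow","Full"
"Scans","*","ANONYMOUS LOGON","Allow","Change"
"Finance","*","CORP\\Finance-RW","Allow","Change"
"Finance","*","Everyone","Deny","Full"
"Docs","*","Everyone","Allow","Read"
"Docs","*","BUILTIN\\Administrators","Allow","Full"
"ADMIN$","*","BUILTIN\\Administrators","Allow","Full"
"""

# Principals that effectively mean "anyone who can reach the share" (assumed list)
BROAD_PRINCIPALS = {"EVERYONE", "ANONYMOUS LOGON", "AUTHENTICATED USERS",
                    "GUEST", "GUESTS", "DOMAIN USERS"}
# Share-level rights that allow modifying content (Change includes write/delete)
WRITE_RIGHTS = {"CHANGE", "FULL"}


def _principal(account_name):
    """Normalise 'NT AUTHORITY\\Everyone' or 'CORP\\Domain Users' to the bare name."""
    return account_name.upper().rsplit("\\", 1)[-1]


def audit_shares(csv_text):
    """Return {share: verdict}, verdict in {'anyone-writable', 'anyone-readable', 'restricted'}.

    Share-level ACL only.  Deny entries are applied before Allow entries, as
    Windows does; NTFS permissions on the underlying folder (which can only
    tighten effective access further) are not considered."""
    allowed = {}   # share -> rights granted to broad principals
    denied = {}    # share -> rights denied to broad principals
    for row in csv.DictReader(io.StringIO(csv_text)):
        share = row["Name"]
        allowed.setdefault(share, set())
        denied.setdefault(share, set())
        if _principal(row["AccountName"]) not in BROAD_PRINCIPALS:
            continue
        right = row["AccessRight"].upper()
        bucket = allowed if row["AccessControlType"].upper() == "ALLOW" else denied
        bucket[share].add(right)

    verdicts = {}
    for share, granted in allowed.items():
        blocked = denied[share]
        effective = set(granted)
        if "FULL" in blocked or "READ" in blocked:
            effective = set()                 # nothing usable remains
        elif "CHANGE" in blocked:
            effective -= WRITE_RIGHTS         # read may still be allowed
        if effective & WRITE_RIGHTS:
            verdicts[share] = "anyone-writable"
        elif effective:
            verdicts[share] = "anyone-readable"
        else:
            verdicts[share] = "restricted"
    return verdicts


def writable_shares(csv_text):
    """Sorted names of shares a worm reaching the LAN could encrypt outright."""
    return sorted(s for s, v in audit_shares(csv_text).items() if v == "anyone-writable")


if __name__ == "__main__":
    for share, verdict in sorted(audit_shares(SAMPLE_CSV).items()):
        print(f"{share:10} {verdict}")
    print("fix first:", ", ".join(writable_shares(SAMPLE_CSV)))
```

The "anyone-writable" shares are the ones to fix first, by replacing the broad Allow entry with a named group that actually needs write access; "anyone-readable" shares still expose data but would not be encrypted by the behaviour the article describes. Run the export on each file server (or via remoting) and feed every CSV through the same function to get a domain-wide list.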

Importantly, back up files regularly on a separate medium to avoid losing them. And, as you will have heard many times: use up-to-date software and make a habit of updating the system regularly.