Fileless Malware

Antivirus and other security products attempt to protect against ransomware primarily through detection. Some use signatures while others use machine learning, heuristics, or other means. These techniques can be very useful against known and, in some cases, unknown malicious applications. However, most of these techniques tend to fail when trying to detect new or unknown fileless malware.

Fileless malware is a type of malicious program that has no specific file associated with it. Typically, these programs run only in memory (RAM). In the past, simply rebooting your computer, which clears the RAM, was enough to remove the malware. Today, however, fileless malware can use the registry, PowerShell, the WMI datastore, or other operating system features to remain persistent on your machine.

What makes fileless malware so hard to detect is that typical techniques find malware by scanning files and looking for specific functions, patterns, malicious characteristics, or attributes of the file. Since there is no file associated with the malware, the most effective detection methods we have fail to detect it.
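Because there is no file to scan, one place a defender can look instead is the launch point the malware uses to persist. As an added example (not code from the original article), this Python script triages registry Run-key entries: it flags autorun values that name a script host with window-hiding flags, and decodes any PowerShell -EncodedCommand to see whether the payload reads its code back out of the registry. The `reg query` style sample and the encoded payload are constructed for this example.

```python
import base64
import re

# Script hosts a fileless autorun entry typically names: the "program" is a command line
# and the code it runs lives in a registry value rather than in a file on disk.
SCRIPT_HOSTS = ("powershell", "pwsh", "mshta", "wscript", "cscript", "rundll32")
HIDING_FLAGS = ("-w hidden", "-windowstyle hidden", "-nop", "-ep bypass")
ENCODED = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
REG_READ = re.compile(r"Get-ItemProperty|HKCU:|HKLM:|Registry::", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind a PowerShell -EncodedCommand, or '' if absent/invalid."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def assess_autorun(cmdline):
    """List the traits that make an autorun command line look like fileless persistence."""
    low = cmdline.lower()
    reasons = []
    if any(host in low for host in SCRIPT_HOSTS):
        reasons.append("script host as autorun target")
    if any(flag in low for flag in HIDING_FLAGS):
        reasons.append("window-hiding or policy-bypass flags")
    decoded = decode_encoded_command(cmdline)
    if decoded:
        reasons.append("encoded command" + (" that reads the registry" if REG_READ.search(decoded) else ""))
    return reasons

def scan_run_key(text):
    """Parse `reg query` style output and map each flagged value name to its reasons."""
    flagged = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())  # value name, REG_TYPE, data
        if len(parts) == 3 and parts[1].startswith("REG_") and (reasons := assess_autorun(parts[2])):
            flagged[parts[0]] = reasons
    return flagged

# Constructed sample in the style of `reg query HKCU\...\Run`; the encoded payload is
# generated here so it is obviously synthetic and decodes cleanly.
DEMO_PAYLOAD = base64.b64encode("Get-ItemProperty -Path HKCU:\\Software\\Demo -Name Stage".encode("utf-16-le")).decode()
SAMPLE_RUN_KEY = f"""
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    Updater     REG_SZ    powershell.exe -w hidden -nop -EncodedCommand {DEMO_PAYLOAD}
"""
```

Running `scan_run_key(SAMPLE_RUN_KEY)` leaves the ordinary executable autorun alone and reports the PowerShell entry with all three traits; the same parser can be pointed at a real `reg query` export of the Run and RunOnce keys.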

Malware authors are increasingly using fileless malware to keep their products undetected. Poweliks and are two good examples of fileless threats. But it is not only click-bots and browser hijackers that use fileless techniques. Ransomware, such as Sorebrect, also uses fileless techniques to bypass detection.