Researchers and analysts at Trend Labs have discovered a new fileless ransomware, which they have named Sorebrect. Although fileless ransomware is by no means new, this latest variant displays some cunning features intended to evade detection and frustrate forensic audits. The variant was first discovered infecting systems in Lebanon and Kuwait; however, it has recently been seen infecting systems as far afield as Canada, China, Croatia, Italy, Japan, Mexico, Russia, Taiwan, and the U.S. Sorebrect seems to be specifically targeting companies in the manufacturing, technology, and telecommunications industries. Experts further believe that this new variant will in all likelihood appear in more countries, or even be peddled as Ransomware as a Service (RaaS) on the Dark Web to serve criminal organizations in extorting money from victims.

Put simply, Sorebrect uses code injection to insert malicious code into a legitimate system process, in this case svchost.exe on the targeted system, and then deletes itself in order to evade detection. It is clear, particularly when compared to recent ransomware attacks, that this can potentially signal an escalation in the cyber arms race that security experts are struggling to contain.

Sorebrect’s Attack Chain

As mentioned above, Sorebrect abuses the legitimate svchost.exe. However, it first abuses PsExec, a legitimate Windows command-line utility that lets system administrators execute commands or run executable files on remote systems, in order to install Sorebrect, thus allowing the malicious code to be installed remotely. This is similar to how SamSam and Petya abused legitimate processes to install malicious code. The malicious code is then injected into svchost.exe, after which it deletes itself, essentially making it fileless. Once this has occurred, it relies on svchost, a Windows service hosting system process, to execute the payload by encrypting the relevant files.

Sorebrect ransomware appends the ".pr0tect" extension to encrypted files:

The analysts who discovered Sorebrect wondered why the creators of the ransomware decided to use PsExec rather than Remote Desktop Protocol (RDP) to install it. It became apparent that, in order both to inject code and to become fileless, the use of PsExec was simpler and far more effective. PsExec also came with another advantage in that it allowed attackers to remotely execute commands. In order to delete itself and the logs, making detection and forensic audits tough, Sorebrect uses wevtutil.exe and vssadmin respectively. Further, the ransomware uses the Tor network protocol in order to remain anonymous when communicating with its command-and-control server. Last, but by no means least, Sorebrect can encrypt files shared via a local network, thus encrypting files used by other systems connected to the network. For large organizations infected with the ransomware, this could make important daily tasks nearly impossible to complete.
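The behaviours described in the attack chain above (PsExec-style remote execution, event-log clearing with wevtutil.exe, shadow-copy deletion with vssadmin, and files renamed with the ".pr0tect" extension) are individually noisy but rarely co-occur on one host during normal administration. The following is an added detection example, not code from the original article or from Trend Micro: it parses a constructed, pipe-delimited process-creation and file-rename log (the format, hostnames, timestamps and sample lines are all constructed for this example) and flags a host only when several of these behaviours appear together.

```python
"""
Added example (not from the original article): correlate the behaviours
described above across a constructed process-creation / file-rename log.
Log format, hostnames, timestamps and sample lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample records in the form "timestamp|host|event|details".
# FILESRV01 shows the full chain; WKS-07 shows benign admin activity.
SAMPLE_LOG = """\
2017-06-15T09:01:02|FILESRV01|ProcessCreate|C:\\Windows\\PSEXESVC.exe
2017-06-15T09:01:05|FILESRV01|ProcessCreate|C:\\Windows\\System32\\svchost.exe -k netsvcs
2017-06-15T09:02:10|FILESRV01|ProcessCreate|wevtutil.exe cl System
2017-06-15T09:02:11|FILESRV01|ProcessCreate|wevtutil.exe cl Security
2017-06-15T09:02:30|FILESRV01|ProcessCreate|vssadmin.exe delete shadows /all /quiet
2017-06-15T09:03:00|FILESRV01|FileRename|\\\\FILESRV01\\share\\report.docx -> \\\\FILESRV01\\share\\report.docx.pr0tect
2017-06-15T09:03:01|FILESRV01|FileRename|\\\\FILESRV01\\share\\budget.xlsx -> \\\\FILESRV01\\share\\budget.xlsx.pr0tect
2017-06-15T09:10:00|WKS-07|ProcessCreate|C:\\Windows\\System32\\svchost.exe -k LocalService
2017-06-15T09:11:00|WKS-07|ProcessCreate|vssadmin.exe list shadows
"""

# Each rule: (name, event type it applies to, pattern matched against the details field).
# The patterns mirror the behaviours the article attributes to Sorebrect.
RULES = [
    ("psexec_service",   "ProcessCreate", re.compile(r"psexesvc\.exe", re.I)),
    ("eventlog_cleared", "ProcessCreate", re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
    ("shadows_deleted",  "ProcessCreate", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("pr0tect_rename",   "FileRename",    re.compile(r"\.pr0tect$", re.I)),
]


def parse(log_text):
    """Parse the constructed pipe-delimited format into a list of dicts."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event, details = line.split("|", 3)
        records.append({"ts": ts, "host": host, "event": event, "details": details})
    return records


def match_rules(records):
    """Return {host: {rule_name: hit_count}} for every rule that fires."""
    hits = defaultdict(lambda: defaultdict(int))
    for r in records:
        for name, event, pattern in RULES:
            if r["event"] == event and pattern.search(r["details"]):
                hits[r["host"]][name] += 1
    return {host: dict(counts) for host, counts in hits.items()}


def assess(hits, min_rules=2):
    """Flag a host only when at least `min_rules` distinct behaviours co-occur.

    A lone 'vssadmin list shadows' or a single legitimate PsExec session by an
    administrator therefore does not alert; the chain described above does.
    """
    return {host: sorted(counts) for host, counts in hits.items() if len(counts) >= min_rules}


if __name__ == "__main__":
    flagged = assess(match_rules(parse(SAMPLE_LOG)))
    for host, rules in flagged.items():
        print(f"{host}: {', '.join(rules)}")
```

Running the block prints only FILESRV01, with all four behaviours listed; WKS-07 produces no hits at all because `vssadmin list shadows` is not a deletion. The `min_rules` threshold is the tuning knob: raising it trades missed detections for fewer false positives on hosts where administrators legitimately use PsExec or clear logs.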

Sorebrect ransomware presents its ransom-demanding message in a “READ ME ABOUT DECRYPTION.txt” file:

Steps to prevent Sorebrect infection

While this ransomware variant does not employ a new attack vector to infect machines, it is certainly more advanced and cunning in how it first injects malicious code and then deletes itself and the logs to evade detection. Although it uses methods previously used by other malware, it is by no means less dangerous, as it employs those tried and tested measures far more effectively, and the threat it poses should not be taken lightly.

The analysts at Trend Labs have advised that the following best practices be adopted in order to prevent system infection by this fileless type of ransomware: