Trend Micro: new version of the Netwalker ransomware in the wild. It is fileless malware that runs directly in the victim's operating system RAM and relies on reflective DLL injection
There is a new version of the Netwalker ransomware in the wild, even more dangerous than the previous one. It was discovered by Trend Micro's cyber security researchers. The malware is fileless: it runs directly in the memory of the victim's operating system without ever writing the malicious payload to the hard disk, which is meant to evade antivirus and other defensive software that scans files. The loader is written in PowerShell and uses reflective DLL injection (also known as reflective loading): instead of loading a DLL from a file, the script maps it straight into the memory of the "explorer.exe" process. Once running, the payload deletes the backup copies of the files on the attacked system and disables the software used to identify threats, such as antivirus, so the ransomware can then encrypt the documents on the infected system unhindered and drop its ransom note. Fileless does not mean traceless, however: the PowerShell script still has to arrive and execute on the host, and the injected DLL is visible in the memory of explorer.exe, so PowerShell script-block logging, process-access monitoring and memory scanning remain the effective controls.
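The following detection logic is an added example, not code from Trend Micro or from the article, and not part of Netwalker itself. It runs a few heuristics for the behaviour described above (a script host opening explorer.exe with injection rights, a script block that names the APIs a reflective loader needs, and deletion of the system's backup copies) over constructed sample events. The simplified event dictionaries and their field names loosely mirror Sysmon events 1, 8 and 10 and PowerShell script-block logging (event 4104), but are assumptions made for this example, as is the use of `vssadmin delete shadows` as the backup-deletion indicator.

```python
"""Heuristic detection of PowerShell reflective DLL injection into explorer.exe
and of backup (shadow copy) deletion, run over constructed sample log events.

Added example; not code from Trend Micro or from the Netwalker sample. Event
field names are assumptions that loosely follow Sysmon / PowerShell logging."""
import re

# Win32 calls a PowerShell reflective loader needs in order to map a DLL into
# another process without writing it to disk. One name alone is weak evidence
# (legitimate modules use some of them); several in one script block is not.
REFLECTIVE_LOADER_APIS = (
    "VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "WriteProcessMemory",
    "CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC", "GetProcAddress",
)
REFLECTIVE_LOADER_THRESHOLD = 3

# Minimum rights needed to write code into another process and run it:
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE.
INJECTION_ACCESS_BITS = 0x0002 | 0x0008 | 0x0020

# Deleting volume shadow copies is the usual way Windows ransomware removes the
# system's backup copies; matching vssadmin here is an assumption for this sample.
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def count_loader_apis(script_text: str) -> int:
    """Number of distinct reflective-loader API names found in a script block."""
    return sum(1 for api in REFLECTIVE_LOADER_APIS if re.search(rf"\b{api}\b", script_text))


def is_explorer_injection(event: dict) -> bool:
    """Sysmon-style ProcessAccess (EventID 10): a script host opens explorer.exe
    with rights sufficient to write memory into it and start a thread."""
    if event.get("EventID") != 10:
        return False
    if _basename(event.get("TargetImage", "")) != "explorer.exe":
        return False
    if _basename(event.get("SourceImage", "")) not in SCRIPT_HOSTS:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return granted & INJECTION_ACCESS_BITS == INJECTION_ACCESS_BITS


def classify(event: dict) -> list:
    """Names of every rule the event trips (empty list if none)."""
    hits = []
    if is_explorer_injection(event):
        hits.append("explorer_injection")
    # Sysmon-style CreateRemoteThread (EventID 8) into explorer.exe from a script host
    if (event.get("EventID") == 8
            and _basename(event.get("TargetImage", "")) == "explorer.exe"
            and _basename(event.get("SourceImage", "")) in SCRIPT_HOSTS):
        hits.append("explorer_remote_thread")
    text = event.get("ScriptBlockText", "")
    if event.get("EventID") == 4104 and count_loader_apis(text) >= REFLECTIVE_LOADER_THRESHOLD:
        hits.append("ps_reflective_loader")
    if SHADOW_DELETE_RE.search(text) or SHADOW_DELETE_RE.search(event.get("CommandLine", "")):
        hits.append("shadow_copy_deletion")
    return hits


def scan(events) -> list:
    """Run every rule over an event stream; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample events (not real telemetry): one benign access, one
# injection-style access, a loader-like script block, a benign script block,
# a shadow-copy deletion and a remote thread into explorer.exe.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": EXPLORER, "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": PS_EXE, "TargetImage": EXPLORER, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 4104, "ScriptBlockText": (
        "$h = [K32]::OpenProcess(0x1FFFFF, $false, $pid); "
        "$m = [K32]::VirtualAllocEx($h, 0, $b.Length, 0x3000, 0x40); "
        "[K32]::WriteProcessMemory($h, $m, $b, $b.Length, [ref]0); "
        "[K32]::CreateRemoteThread($h, 0, 0, $m, 0, 0, 0)")},
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Users -Recurse | Measure-Object"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": PS_EXE,
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 8, "SourceImage": PS_EXE, "TargetImage": EXPLORER},
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The access-mask check is deliberately narrower than "any PowerShell process touching explorer.exe": read-only handles (as Task Manager takes) are common and noisy, while a handle carrying VM_WRITE, VM_OPERATION and CREATE_THREAD from a script host has almost no benign explanation. The API-name threshold follows the same idea: a single `GetProcAddress` in a script is unremarkable, but the allocate/write/execute triple in one block is the signature of a loader.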
Cyber security experts: the ransomware mainly encrypts common files but avoids making the system unusable. The same technique had been used to spread ColdLock
Netwalker mainly encrypts common files such as Microsoft Office documents, PDFs, images, audio, video and text files. According to cyber security experts, however, the attackers do not want to make the system unusable: the ransomware avoids encrypting executables, dynamic-link libraries, registry files and other system files, so the machine keeps booting and the victim can still read the ransom note and pay. Any device running Windows is a potential target. Furthermore, the same technique had recently been used by cyber criminals to spread another ransomware, ColdLock.