Fileless Ransomware is a malvertising campaign. This file-less exploit uses pop-ups and redirects in order to distribute ransomware. The campaign is called Fessleak, because all domains used in it are registered with firstname.lastname@example.org email address. Here is how it works.
Cyber crooks set up a short-lived burner domain with a DNS that is only active for 8 hours. This domain directs to a landing page that hosts the payload. Then the hackers bid for ads pointing to the burner domain. Once their adverts are placed on the well-known webpage, all that needs to happen is for someone to click on them. If a computer user clicks on the fake ad, he gets redirected to the malicious domain and then to the landing page. This campaign ends as soon as the DNS expires and then is repeated with a new burner.
The malicious file that gets onto the computer is not added to the storage unit of the PC, but rather it is extracted directly from the system memory. The extraction is done using the extrac32.exe tool. The malware comes with a protection against virtual environments that are usually used to analyze malicious programs. The ransomware that gets installed on your computer is called Cryptolocker.
Cryptolocker is a harmful application that enters your system and encrypts your files. The infection can corrupt photos, videos, documents and other important data. After the encryption is complete, it displays a ransom note on your screen. The message states that if you want to regain access to your files, you must pay a certain amount of money. The sum may vary, however, it usually has to be transferred via an online money transfer system like Ukash or Paysafecard. Needless to say, following these instructions does not guarantee anything. Trusting that the cyber criminals will keep their end of the bargain is not a good idea. If your PC gets infected, you need to terminate Fileless Ransomware yourself without wasting your money on the promises coming from unreliable sources.
Fessleak exploit first appeared in October, 2014. The sites that it has been spotted on include such popular pages as huffingtonpost.com, cbssports.com rt.com, thebrofessional.net, howtogeek.com, thesaurus.com and others. The new version of the malvertising campaign drops a temporary file via Flash and makes calls to an executable file, icacls.exe. This file sets permissions on other files and folders. It is very likely that the malicious binary rotates its hash value in order to hide from anti-malware programs.
As you can see, the various methods that hackers use in order to infect personal computers are getting more and more tricky. That is why it is imperative that you do all you can to keep your PC safe. Stay away from untrustworthy ads and links, do not visit suspicious websites or download email attachments from unknown senders. And, most importantly, make sure that your system is properly protected by installing a powerful anti-malware utility and keeping it up-to-date.