Barkly vs Malware
Jonathan Crowe
Jun 2017

Blocking Sorebrect Ransomware's Fileless Infection Technique


Photo by Source

The attackers behind Sorebrect ransomware have been spotted deploying a new fileless, code injecting infection technique in the wild.

Watch this fileless ransomware attack in action — and see Barkly block it below:

As researchers at Trend Micro first reported, attackers are abusing Windows command-line utility PsExec in order to filelessly infect remote machines with Sorebrect ransomware — a variant based on AES-NI and XData. If PsExec sounds familiar that's because it was also recently used to spread NotPetya

The good news is not only does Barkly block Sorebrect, it also blocks this new technique.

To explain how, let's take a closer look at Sorebrect's attack chain. 


Sorebrect ransowmare's fileless attack chain. Source: Trend Micro

Exploiting PsExec to spread ransomware filelessly

Before we dive into Sorebrect's infection process and what makes it interesting, note that in order for this process to work there are a few prerequisites:

  • An attacker already needs to have gained access to a compromised machine on the network. This could be accomplished in any number of ways — via an exploit, phishing, a backdoor created in a previous attack, or, in the case of NotPetya, a malicious software update, etc.

  • The attacker needs to be operating with domain or admin credentials. This can be checked off using a tool like Mimikatz ("the Swiss Army knife of Windows credentials") to extract passwords from memory. 


  • Any remote machines targeted for infection need to be brute-forced. Yet another reminder of how important it is not to use default or easily guessable passwords.

So why go to the trouble of using PsExec?

In a word: stealth. 

With those dominos in place, an attacker can go happily about abusing PsExec to infect remote machines without all the fuss of manually transferring the ransomware payload from one machine to another. Instead, all the attacker needs to do is issue a single remotely executable command to launch Sorebrect.

Once deployed onto a target machine, Sorebrect injects code into into svchost.exe — a legitimate Windows service-hosting system process — to run the encryption routine while the original binary self-destructs. That turns the infection into a fileless attack, which helps it evade detection by file-scanning solutions like AV, and makes it harder to trace.

Sorebrect further covers its tracks by using wevtutil.exe to delete the system’s event logs. While it's at it, the ransomware also utilizes vssadmin.exe to delete shadow volume copies, removing the possibility of the victim using them to restore their encrypted files. 

Encrypting network shares

Sorebrect also has the ability to spread over open network shares. According to Trend Micro, it does so by scanning the network, enumerating open shares, and initiating connections on live hosts.


Sorebrect attempting to spread over an open network share. Source: Trend Micro

Barkly provides layered protection against Sorebrect

In addition to blocking the Sorebrect ransomware payload, itself, Barkly's runtime malware defense is also designed to recognize and block the type of malicious process injection Sorebrect relies on to carry out its attack "filelessly". 

That means not only are companies that use Barkly protected from Sorebrect (should it be delivered via PsExec by any other means), they're also protected from any attacks that leverage this fileless technique, regardless of the malware being delivered. 

Learn more about how Barkly blocks ransomware here. 

Infection sans user interaction is a growing trend

Fileless attacks — particularly those that misuse otherwise legitimate system tools and processes — are on the rise, and the ways they're being initiated are evolving. 

Gone are the days when trying to trick a user into opening an email attachment was the most common way to deliver ransomware. Instead, more and more attackers are now showing a strong preference for removing the "will (s)he/won't (s)he?" variable and bypassing user interaction altogether. 

There's of course the WannaCry and NotPetya outbreaks — the most prominent recent examples of ransomware attacks exploiting system vulernabilities rather than human ones — but there's also the fact that, according to Webroot, two thirds of ransomware infections in Q1 2017 were delivered via Remote Desktop Protocol (RDP).

Two thirds of ransomware infections in Q1 2017 were delivered via RDP.

Tweet this stat

Source: Webroot

The groups behind Dharma, CrySiS, SamSam, Shade, Apocalypse, and other ransomware are all using RDP as an attack vector. From Q4 to January 2017, RDP attacks spreading CrySiS alone doubled

Sorebrect's abuse of PsExec is very similar to those variants' abuse of RDP, but it's even simpler and more direct. Considering how quickly attack groups jumped on RDP, it would not be surprising to see this technique gain wider adoption fairly quickly.   

What to do if you've been infected with Sorebrect

Sorebrect has been linked to AES-NI and XData ransomware, and since decryption keys have been released for those variants, there is a chance victims may be able to use ESET's AES-NI decryption tool to recover their files. 

According to Trend Micro, Sorebrect is currently adding a .pr0tect extension to encrypted files. If you think you've been infected with that version or a new variant of Sorebrect, visit ID Ransomware, where you can upload a copy of the ransom note or an encrypted file to confirm. 

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


Protect your company from fileless attacks

See how Barkly’s Runtime Malware Defense blocks fileless ransomware attacks other solutions miss.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.