How Fileless Ransomware Works


As ransomware becomes an increasingly lucrative business, organized crime groups are expanding their operations to reach more victims and extract more ransoms. Meanwhile, security measures are getting better at detecting and blocking ransomware, forcing cybercriminals to constantly develop new techniques to evade detection. One of these advanced techniques is “fileless” ransomware, in which malicious code is either embedded in a native scripting language or written straight into memory using legitimate administrative tools such as PowerShell, without being written to disk.

This infographic describes how fileless PowerShell-based ransomware works.

Fileless ransomware is extremely challenging to detect using signature-based methods, sandboxing or even machine learning-based analysis. CrowdStrike has developed a more effective approach using Indicators of Attack (IOAs) to identify and block additional unknown ransomware and other types of attacks. IOAs look for early warning signs that an attack may be underway, signs which can include code execution, attempts at being stealthy, and lateral movement, to name a few. By identifying in real time the execution of these activities, their sequence and dependencies, IOA technology can recognize them as early indicators that reveal the true intentions and goals of an attacker.

To learn more, download the white paper, “Ransomware: A growing enterprise threat.”

