Viruses That Live Only in RAM

The number of new computer viruses grows every year. Hackers definitely do not lack imagination and motivation. Of course, antiviruses successfully cope with the most common malicious programs, moreover, even free antivirus solutions do it quite well. Security software vendors have also learned how to fight popular ransomware viruses. Antivirus vendors even start to create a special section on their websites dedicated to decrypting files locked by ransomware.

Regular viruses leave numerous traces on an infected machine. These are suspicious executable files, libraries, or just stubs of malicious code that the antivirus is able to detect. Finding and identifying such traces helps in removing the virus and minimizes its consequences.

But the confrontation between the sword and the shield is an eternal thing. Computer malware is not limited to only those pieces that leave traces on the drives. Some new viruses are designed to be located and acting only inside the RAM without touching the hard disk or SSD.

In 2014, there was a series of news and reports about the so-called RAM or fileless malware, but at that time it related to a rather narrow group of affected devices and systems like payment terminals.

Transaction data is considered secure as it is stored in encrypted form on payment system servers. But there is a very short period of time during which information for authorizing a payment is stored in plain text. And it is stored in the RAM of the payment terminal.

Of course, this information seemed too tasty for hackers just to walk past it. Several viruses appeared collecting information from RAM of POS-terminals – card numbers, addresses, security codes, and names. And then someone decided to go further, recollecting that desktop computers also have RAM.


In 2017, Kaspersky Lab published an article on how fileless malware hit computers in telecommunications companies, banks, and government offices in 40 countries.

How does the machine get infected:

  • The malware writes itself directly to the RAM, bypassing the hard drives.
  • Because of this, it cannot be detected during security checks.
  • Attackers use popular administration tools to write malware into memory — PowerShell, Metasploit, Mimikatz.
  • IP ranges belonging to Gabon, Mali, Central African Republic were used to transmit malicious data. Their domains are characterized by the fact that they do not retain WHOIS information about who owns a particular domain after the expiration date.

Cybercriminals had time to collect usernames and passwords of system administrators, which allowed to control infected hosts for very long time. And it is clear that with this ability to control an infected computer, you can make a lot of illegal actions. The main focus was on “milking” ATMs.

It is difficult to detect such viruses because they do not actually leave any traces. There are no installed applications. There are no files scattered across different places, including hidden or Temp folders.

But still, are there any traces?

Of course, if the virus does not leave traces on hard drives, there is no reason to look for them. So, what? That’s right – you check the registry, memory dumps and network activity. It is necessary for such viruses to somehow register in the memory (in such a way that viruses will keep working even after rebooting the machine), and then transmit data to the attacker’s server.

Security specialists carefully analyzed memory dumps and registry entries on infected machines and were able to reconstruct the attack using Mimikatz and Meterpreter.

Should I be afraid of this?

On the one hand – certainly yes. Whatever the virus is, it is not aimed at making your digital life more comfortable. On the other hand, a lot of viruses and the above-mentioned ransomware are several times more dangerous and much more popular among malware authors. For now, the main goal of such fileless malware attacks is financial institutions, not home users. But who knows how such malware will be used in the near future.