While the concept of memory-resident malware is nothing new, it wasn't a major threat until 2016 or 2017. Kaspersky Lab discovered widespread fileless attacks in February 2017. Governments, banks, and telecommunication businesses were the most frequent targets.
A 2017 report from the Ponemon Institute found that 28% of all online attacks that year were fileless, and that their success rate was far higher than that of file-based malware. Since then the growth rate has been explosive. Fileless malware saw a 265% increase in the first half of 2019, compared with a year earlier.
When one approach becomes less successful, criminals try another. Anti-malware software blocked many attempts to deposit hostile code files on target systems, so attackers increased their use of methods that don't require placing files on the target at all.
The leak of the EternalBlue exploit from the NSA marked a significant turning point. It exploits a vulnerability in older versions of a Microsoft messaging protocol. EternalBlue itself is fileless, but it's often used in conjunction with file-based ransomware and other malware.
Fileless attacks have the disadvantage, from the attacker's viewpoint, of being less persistent. Some last only as long as an HTTP request and response; most can be flushed by rebooting the computer. The new tactic is to infect the target repeatedly, rather than relying on the malware to stay resident. As long as the attack isn't detected, the same technique will keep working. It can run in intermittent bursts to decrease the chances of detection.
The news media's focus has been mostly on attacks on personal computers, usually those involving Windows PowerShell and the Registry. Fileless attacks on servers are less exciting for the average computer user, but they're a serious cybersecurity threat to IT departments. A successful attack on a Web server or database is a more serious concern than one on a workstation. A lack of publicity doesn't mean a lack of risk.
Small businesses are frequent targets because criminals think they're less well protected.