By Trevor Hilligoss, Senior Director of Security Research at SpyCloud
Ransomware attacks are a fact of life – over 72% of global businesses have been impacted by ransomware in 2023. This number rises in U.S., Canadian, and U.K. organizations, with over 81% affected at least once in the past year, according to a recent SpyCloud survey.
Despite the continued threat, 79% of security leaders in North America and Europe are confident in their ransomware defenses, highlighting a disparity between the industry’s assessment of its cyber preparedness and the efficacy of current cybersecurity strategies.
This disconnect is partially due to the evolving methods criminals employ. Traditionally, data encryption was the biggest problem facing organizations impacted by attacks, and businesses countered by implementing data backups. However, the ransomware landscape has shifted, and cybercriminals are increasingly relying on malware-exfiltrated data to carry out more devastating attacks.
Missing the Mark on Malware
According to SpyCloud, information-stealing malware infections (or infostealer infections) preceded over one-fifth (22%) of ransomware events for North American and European businesses in 2023. And common infostealers such as Raccoon, Vidar and RedLine further increased the probability of a ransomware event within the 16-week window following the initial infection. Based on an analysis of data exfiltrated from infected devices in the past year, a similar percentage of victim devices (20%) had at least one antivirus application installed at the time of the successful infection.
Threat actors use malware to exfiltrate authentication data, which they buy and sell on the darknet. Using this data, criminals can access an organization’s network, where they conduct initial exploration and steal additional data before deploying ransomware to incapacitate the target’s business operations, or further the extortion through the theft of sensitive data.
Security leaders are not unaware of the malware threat. SpyCloud found 98% of IT leaders agreed they could improve security by better identifying business applications at risk of infostealer infections. Many companies have also begun taking technology-driven countermeasures, including automation, implementing multi-factor authentication (MFA), and adopting passkeys.
However, infostealers are challenging to detect and prevent, and security leaders struggle to keep up. While organizations can take precautions by educating employees and ensuring software protections are up to date, it’s impossible to avoid infections entirely, and advanced strains can exfiltrate data and delete themselves in seconds – leaving very few indicators that the device was ever compromised.
Piling on traditional protections like MFA is not the full answer. While implementing MFA is certainly a good idea, authentication data stolen by infostealers is not limited to usernames and passwords. This data often includes things like cookies, which can enable session hijacking: an unsophisticated attack where criminals use stolen cookies or tokens to impersonate a user. This attack gives criminals access to already-authenticated sessions, sidestepping the need for credentials, passkeys, and MFA. With all the permissions of a legitimate user, criminals can commit identity theft, make unauthorized transactions, or steal additional data.
With over 22 billion malware-stolen cookie records recaptured by SpyCloud last year, session hijacking is a significant threat. Despite this, IT leaders view monitoring for compromised session cookies as the third least important ransomware countermeasure and least risky entry point. The fact is, however, addressing ransomware must start with a holistic malware remediation strategy.
An Elevated Approach for an Elevated Threat
The most common approach to remediating a malware infection starts and ends with the device and network impacted by the infection. However, this approach often ignores data siphoned by an infostealer – likely part of the initial attack – which can remain active long after the device has been wiped and the malware removed from the environment. Cybercriminals can use the stolen data to launch repeat cyberattacks against organizations and individuals, causing potentially irreparable damage.
Instead of this incomplete infection response, security leaders must gain knowledge and visibility into the authentication data stolen by the malware, quickly remediate the compromised credentials and invalidate the stolen web sessions for business-critical applications.
A comprehensive post-infection remediation process substantially reduces the risk of ransomware events tied to infostealer infections and closes previously overlooked exposures – including those resulting from infected personal or unmanaged devices accessing the network – stopping criminals in their tracks before they use malware-exfiltrated data to cause further harm.
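The two points above, that a stolen session cookie sidesteps passwords, passkeys and MFA, and that remediation must invalidate the stolen web sessions rather than stop at the device, can be made concrete with a small server-side session store. The following is an added example written for this page, not SpyCloud code or any product's implementation; the store, the user "alice", the timestamps and the remediation function names are all constructed for illustration. It shows that after a password reset (and a fresh MFA-backed login) a previously exfiltrated cookie still authenticates, and that per-user session revocation is what finally cuts it off.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example (not SpyCloud code): a minimal server-side session store that
# shows why a stolen session cookie survives a password reset plus MFA, and
# what per-user session revocation adds to post-infection remediation.
# All names are illustrative; the user, password and timestamps are constructed.

MAX_SESSION_AGE = 8 * 3600  # seconds; a short lifetime bounds the replay window


@dataclass
class Session:
    user: str
    issued_at: float
    revoked: bool = False


class SessionStore:
    def __init__(self):
        self._pw = {}          # user -> (salt, pbkdf2 hash)
        self._sessions = {}    # cookie token -> Session
        self._not_before = {}  # user -> issue-time cutoff set at remediation

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._pw[user] = (salt, self._hash(password, salt))

    def _password_ok(self, user, password):
        if user not in self._pw:
            return False
        salt, stored = self._pw[user]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def login(self, user, password, mfa_ok, now=None):
        """Full authentication: password and MFA are checked only here."""
        if not (self._password_ok(user, password) and mfa_ok):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now if now is not None else time.time())
        return token

    def user_for_cookie(self, token, now=None):
        """What every later request does: the cookie alone proves identity.
        Neither the password nor MFA is consulted here, which is why an
        exfiltrated cookie sidesteps both."""
        now = now if now is not None else time.time()
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        if now - s.issued_at > MAX_SESSION_AGE:
            return None
        cutoff = self._not_before.get(s.user)
        if cutoff is not None and s.issued_at < cutoff:
            return None
        return s.user

    def reset_password(self, user, new_password):
        """Credential-only remediation: rotates the password but leaves every
        existing session valid."""
        self.register(user, new_password)

    def remediate_user(self, user, now=None):
        """Post-infection remediation: invalidate all of the user's sessions.
        The issue-time cutoff also covers sessions this replica never saw."""
        cutoff = now if now is not None else time.time()
        self._not_before[user] = cutoff
        revoked = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                revoked += 1
        return revoked


def infostealer_scenario():
    """Constructed timeline: cookie issued at t=1000 and exfiltrated; the
    password is reset at t=1200; sessions are revoked at t=1300."""
    store = SessionStore()
    store.register("alice", "correct horse battery")
    cookie = store.login("alice", "correct horse battery", mfa_ok=True, now=1000.0)
    results = {}
    results["stolen_cookie_works"] = store.user_for_cookie(cookie, now=1100.0) == "alice"
    store.reset_password("alice", "new password after infection")
    results["still_works_after_password_reset"] = store.user_for_cookie(cookie, now=1200.0) == "alice"
    results["revoked_count"] = store.remediate_user("alice", now=1300.0)
    results["works_after_remediation"] = store.user_for_cookie(cookie, now=1400.0) == "alice"
    fresh = store.login("alice", "new password after infection", mfa_ok=True, now=1500.0)
    results["fresh_login_works"] = store.user_for_cookie(fresh, now=1600.0) == "alice"
    return results


if __name__ == "__main__":
    print(infostealer_scenario())
```

The issue-time cutoff in `remediate_user` is the part worth copying: marking sessions revoked only works for sessions the store can enumerate, whereas "reject anything for this user issued before the remediation time" also catches sessions held by other replicas or encoded in stateless tokens, provided the issue time is part of what the cookie carries.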
About the Author
Trevor Hilligoss is the Senior Director of Security Research at SpyCloud and is an experienced security researcher with a background in federal law enforcement. Before leaving government service, Trevor spent nearly a decade tracking both cybercriminal and nation-state actors for the DoD and FBI and has presented at US and international conventions as a threat intelligence expert. He holds a BA in Sociology, multiple federal certifications in the field of cyber investigations, and two Global Information Assurance Certifications (GIAC). Trevor can be reached online at