The ransomware warning sign we should all have on our radar

The cybersecurity community talks a lot about ransomware attacks: who the latest ransomware gangs are, common attack vectors, how much companies are shelling out in ransom payments and what the proper incident response protocols are for security teams.

That all matters, of course. By and large though, security teams are already aware of the threat ransomware poses due to firsthand experience. In 2023, 81% of companies were affected by ransomware in the preceding 12 months. Reported effects vary widely, from needing to purchase a solution to combat ransomware attacks, to being actively targeted, to actually paying a ransom. Regardless, the rate of companies affected by ransomware has remained consistently high since 2021.

The far-reaching impacts of ransomware, combined with the fact that we’re on track for the second costliest year for ransomware in history, means it’s time to take another look at the ransomware problem and think about tackling it from a new angle. By looking more closely at how ransomware attacks happen in the first place – through means that may not be on security teams’ radars yet – we can spot warning signs sooner and act on them to defend against attacks altogether.

Let’s start with one of the most common entry points for a ransomware attack: compromised credentials.

Criminals love authentication credentials because they are a reliable lever for gaining access to systems and information that allow them to perpetrate crimes. Threat actors often get their hands on credentials by using infostealer malware, which is typically deployed through malicious websites, botnets or phishing emails.

With one click, a user can become infected, allowing the malware to steal a wide variety of information stored on the user’s machine – from private data, such as credit card numbers, to usernames and passwords and even web session cookies that open doors to corporate resources.

And, when one door opens many others often do, too. SpyCloud research shows that 72% of users whose data was exposed in two or more breaches in 2022 reused their passwords across applications. That means that nearly three in four people were actively using a compromised password, making it pretty easy for threat actors to take one exposed credential pair and gain access to their information and files across multiple accounts, including work applications.

Here’s where it gets interesting. With access credentials gained via infostealer malware, threat actors can connect dots to then steal, encrypt and ransom sensitive or proprietary data across an enterprise system – launching a full-blown ransomware attack. For the first time, cutting-edge research confirms this is what (at least some) threat actors are doing. The presence of an infostealer infection is indeed an early warning signal of the potential for ransomware.

In a sample of North American and European companies that experienced a ransomware attack in 2023, nearly one in three were infected with infostealer malware in the months leading up to the attack (2023 SpyCloud Ransomware Defence Report).

As a risk signal, an infostealer malware presence should trigger companies’ ransomware radar and motivate a comprehensive malware remediation response.

We can’t say with certainty that a ransomware attack follows an infostealer malware infection every time. Only threat actors themselves know how they intend to use the information they steal. But, infostealer malware presence is a good starting point for better defence and prevention.

We can use this starting point to build out a broader picture to understand the role that infostealers play in a ransomware attack. This will improve awareness of potential threats and better inform security defence priorities and tactics.

So, how do we build upon the role of infostealer infections in a ransomware kill chain?

First, we broaden our perspective. We assess the circumstances that preceded the infection. Patching priorities that focus on exploitable vulnerabilities, for example, may make it more difficult for a threat actor to gain entry in the first place. Security awareness training that keeps up with modern attacker techniques could have a similar mitigating effect on the risk of infostealer malware.

We also consider the steps an attacker is likely to take after infection and the data to which they have access. Perhaps single sign-on credentials and additional application access are the actor’s targets. Or, perhaps malicious actors are after crypto wallets.

Collecting and evaluating signals around infostealer malware can shed light on a company’s status and circumstances and help to locate infostealer malware appropriately in a ransomware kill chain. These additional signals will add context and nuance to our understanding of infostealer malware and might even serve as additional early warning signals themselves.

Second, we act on what we know – and keep watching. We get to work monitoring for, and remediating, infostealer malware infections and take steps to limit the potential damage that could result from data exfiltration.

Then we continue to collect and evaluate data and signals as companies either fall victim to or evade ransomware attackers. Over time, these signals will reveal patterns that will further contextualize the infostealer-ransomware connection. They will allow researchers to leverage large-scale analytics and machine-learning algorithms to understand it, learn from it and use it to support defensive tactics.

In the fight against ransomware, the best defence is one built on data and aligned appropriately to the threats a company faces. An organization’s vulnerability to ransomware attacks will rely in part on its unique environment, characteristics and needs. Our research at SpyCloud indicates, however, that the connection between infostealer infections and ransomware attacks persists regardless of company shape or size.

If that is the case, a ransomware prevention plan can only be considered comprehensive if it includes monitoring for and remediating infostealer malware exposure.