The ransomware warning sign we should all have on our radar

Cybersecurity and global communication, secure data network technology, cyberattack protection for worldwide connections, finance, IoT, ransomware and cryptocurrencies

Be alert for ransomware. Image: Getty Images/iStockphoto

Wallis Romzek
Principal Data Scientist, SpyCloud
Our Impact
What's the World Economic Forum doing to accelerate action on Cybersecurity?
The Big Picture
Explore and monitor how Cybersecurity is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
Stay up to date:

Tech and Innovation

This article is part of: Annual Meeting on Cybersecurity
  • In 2023, over 80% of companies were affected by ransomware in the preceding 12 months.
  • By looking more closely at how ransomware attacks happen, we can spot warning signs sooner and act on them to prevent future attacks.
  • In the fight against ransomware, the best defence is one built on data and aligned properly to the threats a company faces.

The cybersecurity community talks a lot about ransomware attacks: who the latest ransomware gangs are, common attack vectors, how much companies are shelling out in ransom payments and what the proper incident response protocols are for security teams.

That all matters, of course. By and large though, security teams are already aware of the threat ransomware poses due to firsthand experience. In 2023, 81% of companies were affected by ransomware in the preceding 12 months. Reported effects vary widely, from needing to purchase a solution to combat ransomware attacks, to being actively targeted, to actually paying a ransom. Regardless, the rate of companies affected by ransomware has remained consistently high since 2021.

The far-reaching impacts of ransomware, combined with the fact that we’re on track for the second costliest year for ransomware in history, means it’s time to take another look at the ransomware problem and think about tackling it from a new angle. By looking more closely at how ransomware attacks happen in the first place – through means that may not be on security teams’ radars yet – we can spot warning signs sooner and act on them to defend against attacks altogether.

Have you read?

How ransomware usually starts

Let’s start with one of the most common entry points for a ransomware attack: compromised credentials.

Criminals love authentication credentials because they are a reliable lever for gaining access to systems and information that allow them to perpetrate crimes. Threat actors often get their hands on credentials by using infostealer malware, which is typically deployed through malicious websites, botnets or phishing emails.

With one click, a user can become infected, allowing the malware to steal a wide variety of information stored on the user’s machine – from private data, such as credit card numbers, to usernames and passwords and even web session cookies that open doors to corporate resources.

And, when one door opens many others often do, too. SpyCloud research shows that 72% of users whose data was exposed in two or more breaches in 2022 reused their passwords across applications. That means that nearly three in four people were actively using a compromised password, making it pretty easy for threat actors to take one exposed credential pair and gain access to their information and files across multiple accounts, including work applications.


How is the Forum tackling global cybersecurity challenges?

What new research says about the infostealer malware

Here’s where it gets interesting. With access credentials gained via infostealer malware, threat actors can connect dots to then steal, encrypt and ransom sensitive or proprietary data across an enterprise system – launching a full-blown ransomware attack. For the first time, cutting-edge research confirms this is what (at least some) threat actors are doing. The presence of an infostealer infection is indeed an early warning signal of the potential for ransomware.

Image: SpyCloud

In a sample of North American and European companies that experienced a ransomware attack in 2023, nearly one in three were infected with infostealer malware in the months leading up to the attack (2023 SpyCloud Ransomware Defence Report).

What does this mean for security teams?

As a risk signal, an infostealer malware presence should trigger companies’ ransomware radar and motivate a comprehensive malware remediation response.

We can’t say with certainty that a ransomware attack follows an infostealer malware infection every time. Only threat actors themselves know how they intend to use the information they steal. But, infostealer malware presence is a good starting point for better defence and prevention.

We can use this starting point to build out a broader picture to understand the role that infostealers play in a ransomware attack. This will improve awareness of potential threats and better inform security defence priorities and tactics.

So, how do we build upon the role of infostealer infections in a ransomware kill chain?

First, we broaden our perspective. We assess the circumstances that preceded the infection. Patching priorities that focus on exploitable vulnerabilities, for example, may make it more difficult for a threat actor to gain entry in the first place. Security awareness training that keeps up with modern attacker techniques could have a similar mitigating effect on the risk of infostealer malware.

We also consider the steps an attacker is likely to take after infection and the data to which they have access. Perhaps single sign-on credentials and additional application access are the actor’s targets. Or, perhaps malicious actors are after crypto wallets.

Collecting and evaluating signals around infostealer malware can shed light on a company’s status and circumstances and help to locate infostealer malware appropriately in a ransomware kill chain. These additional signals will add context and nuance to our understanding of infostealer malware and might even serve as additional early warning signals themselves.

Second, we act on what we know – and keep watching. We get to work monitoring for, and remediating, infostealer malware infections and take steps to limit the potential damage that could result from data exfiltration.

Then we continue to collect and evaluate data and signals as companies either fall victim to or evade ransomware attackers. Over time, these signals will reveal patterns that will further contextualize the infostealer-ransomware connection. They will allow researchers to leverage large-scale analytics and machine-learning algorithms to understand it, learn from it and use it to support defensive tactics.

In the fight against ransomware, the best defence is one built on data and aligned appropriately to the threats a company faces. An organization’s vulnerability to ransomware attacks will rely in part on its unique environment, characteristics and needs. Our research at SpyCloud indicates, however, that the connection between infostealer infections and ransomware attacks persists regardless of company shape or size.

If that is the case, a ransomware prevention plan can only be considered comprehensive if it includes monitoring for and remediating infostealer malware exposure.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

Quantum computing could threaten cybersecurity measures. Here’s why – and how tech firms are responding

Simon Torkington

April 23, 2024

About Us



Partners & Members

  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum