SpyCloud researchers conducted a detailed analysis using ransomware event data from ecrime.ch and its own database of recaptured records from the criminal underground and found organizations infected with information-stealing malware, or infostealers, were more likely to suffer from a ransomware incident.

Infostealer infections preceded over one-fifth (22%) of ransomware events for North American and European ransomware victim companies in 2023 – with common infostealers such as Raccoon, Vidar, and Redline increasing the probability even further. SpyCloud’s analysis shows that 76% of infections that preceded these ransomware events involved Raccoon infostealer malware.

Additionally, SpyCloud surveyed over 300 individuals in active cybersecurity roles at US, UK, and Canadian organizations with at least 500 employees and found that despite shifting priorities to better address ransomware, organizations are failing to address infostealer malware – a common precursor to ransomware attacks.

Organizations Know the Threat and Are Adapting

SpyCloud found that over 98% of respondents agree better visibility and automated remediation of malware-exfiltrated data would improve their ability to fight against ransomware. Organizations have shifted their approach in the past year, moving away from user awareness and training and toward technology-driven countermeasures: automating the remediation of exposed passwords and session cookies, implementing multi-factor authentication (MFA), and leveraging passwordless authentication such as passkeys.

Respondents ranked the importance of MFA much higher than in previous years, although data backup remained organizations’ most important perceived countermeasure to ransomware. Additionally, organizations ranked phishing and social engineering (common malware deployment methods) as the riskiest entry points.

Current Defense Efforts Are Not Working

SpyCloud found that 81% of surveyed organizations were affected at least once in the past 12 months. Affected organizations include enterprises that utilized any business resources to combat ransomware, whether through security solutions or ransom payments.

“Despite organizations’ understanding of malware, security teams still lack visibility into the authentication data exposed by infections – and as such fail to consistently remediate stolen credentials and cookies as a means of preventing the account takeover and session hijacking attacks that lead to ransomware,” said Hilligoss. “While MFA, automation, and passwordless technologies are important precautions, none of them are infallible.”

Misaligned Priorities

Based on SpyCloud’s findings, detecting and addressing exposed authentication data should be the top priority for organizations looking to disrupt malicious actors. Yet only 19% of organizations said they were prioritizing improving visibility and remediation for malware-exfiltrated data.

While 79% of surveyed professionals are confident in their capabilities to prevent a ransomware attack in the next 12 months, SpyCloud found a misalignment between companies’ cyber defense priorities and criminals’ attack methods – which have shifted away from breached credentials to malware-stolen cookies that enable session hijacking:

• Respondents ranked monitoring for compromised web session cookies and tokens as the third least important ransomware countermeasure.
• Organizations rated stolen cookies as the least risky entry point.
• Automating workflows to remediate exposed passwords and cookies ranked as the bottom second and third authentication practices, respectively.

By embracing next-generation malware response practices such as Post-Infection Remediation, SecOps teams can significantly improve their ransomware prevention outcomes and move faster to close the door on attackers while minimizing the cross-team resources that full-blown incidents consume.

The 2023 Ransomware Defense Report is available for download here: https://spycloud.com/resource/2023-ransomware-defense-report/ 

To learn more about how SpyCloud helps organizations defend against ransomware, visit https://spycloud.com/use-case/ransomware-prevention/.