SpyCloud Warns SecOps Teams to Guard Against Infostealer Malware

Infostealer malware is outmaneuvering cyber defense practices, and its appearance can provide clues to an impending ransomware attack, a new study found.

Cyber defender SpyCloud discovered a "critical gap" in malware remediation in its newly released Ransomware Defense Report 2023, based on input from some 300 cybersecurity practitioners and leaders.

“The rapidly growing threat of infostealer malware is critical to the discussion about ransomware defense because… research now shows that the presence of certain infostealers can be the precursor to a ransomware attack,” SpyCloud said in a blog post.

Infostealer Infections Trigger Ransomware Events

Indeed, of 1,831 North American and European companies known to have experienced a ransomware event in 2023, more than a fifth (22%) had at least one infostealer infection prior to being attacked, SpyCloud said.

Other top-line highlights in the report (per SpyCloud) include:

  • 81% of surveyed organizations were affected in some way by ransomware at least once in the past 12 months, showing that ransomware continues to be a top threat for the majority of organizations.
  • 98% of those surveyed said that better visibility of malware-exfiltrated data and automated remediation workflows would improve their ability to combat ransomware and improve security posture. However, those beliefs were not reflected in their prevailing security practices and planned improvements.
  • 60% of organizations identified ransomware prevention as their top priority in the next 12 months, underscoring the importance of taking complete post-infection remediation steps to negate the impact of infostealer-siphoned data.

Additional findings follow:

  • Fewer than 12% of surveyed organizations hit by ransomware described their cumulative costs over 12 months as negligible, and 39% spent more than $1 million. These numbers likely don’t account for the harder-to-measure costs such as reputational damage, the impact on operations, and the drain on resources.
  • Ransomware remains a huge problem regardless of the size of the organization, despite the common assumption that larger organizations are in a better defensive position because of bigger budgets and more resources.
  • Although organizations with fewer than 1,000 employees weathered the worst impact (with 90% affected), large enterprises with 10,000 or more employees were impacted at the same scale as mid-sized ones (with at least 70% affected).
  • Nearly 80% of survey respondents felt confident in their ability to prevent a full-scale ransomware attack, including 91% of executives. SecOps practitioners, by contrast, were much less confident than executives, at 71%.
  • However, SpyCloud cautioned that given the high numbers of organizations struck by ransomware and the gaps in their defenses, this confidence may be misplaced.
  • Cybercriminals are innovating fast, and even countermeasures that are adequate today will not keep up with the pace of that innovation, yet SecOps teams still rely largely on traditional countermeasures such as data backup and endpoint protection for prevention.
  • Cybercriminals have shifted to using malware-exfiltrated data like stolen session cookies to hijack sessions and seamlessly impersonate employees, bypassing authentication layers from multi-factor authentication to passkeys.
  • Incident response in this evolved environment needs to move beyond conventional device-centric methodology to identity-centric malware remediation in order to prevent follow-on ransomware attacks stemming from the use of data stolen from infected devices.
  • SecOps teams are shifting their focus from user awareness and training to technology-driven countermeasures.

Final Thoughts From SpyCloud

In conclusion:

  • SecOps teams must embrace the paradigm shift of post-infection remediation, moving from a machine-centric response to an identity-centric one.
  • This next-gen approach goes beyond clearing an infected device, taking additional steps such as resetting stolen credentials and invalidating exposed applications’ active web sessions.
  • These extra malware remediation steps are necessary for protecting an organization from a ransomware attack but they’re missing in most incident response playbooks.
  • Until SecOps teams update their playbooks with next-gen tactics, cybercriminals will remain several paces ahead.
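The identity-centric playbook described above, as an added example that is not SpyCloud's code or tooling: a constructed infostealer exposure record and an in-memory session store show what a device-only response leaves behind and which extra steps close that gap. All names (Exposure, SessionStore, identity_centric, residual_exposure) are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Exposure:
    """Constructed infostealer exposure record for one infected device."""
    device_id: str
    user: str
    credential_apps: frozenset   # apps whose username/password were captured
    cookie_apps: frozenset       # apps whose session cookies were captured


@dataclass
class SessionStore:
    """Active web sessions keyed by (user, app) -> set of session ids."""
    active: dict = field(default_factory=dict)

    def revoke_all(self, user, app):
        """Invalidate every live session for (user, app); return the revoked ids."""
        return sorted(self.active.pop((user, app), set()))


def device_centric(exposure):
    """The conventional playbook: clean or reimage the endpoint, nothing else."""
    return {"reimage": exposure.device_id, "reset_credentials": [], "revoked_sessions": {}}


def identity_centric(exposure, store):
    """Device cleanup plus credential resets and session invalidation for every exposed app."""
    plan = device_centric(exposure)
    plan["reset_credentials"] = sorted(exposure.credential_apps)
    # A stolen cookie stays usable until the server-side session is killed, so revoke
    # all live sessions for the exposed apps rather than only the cookie that was seen.
    for app in sorted(exposure.credential_apps | exposure.cookie_apps):
        revoked = store.revoke_all(exposure.user, app)
        if revoked:
            plan["revoked_sessions"][app] = revoked
    return plan


def residual_exposure(exposure, store):
    """Apps where a captured cookie could still be replayed after remediation."""
    return sorted(app for app in exposure.cookie_apps if store.active.get((exposure.user, app)))


# Constructed sample: one infected laptop, one user, three apps with live sessions.
EXPOSURE = Exposure("LAPTOP-0042", "jdoe", frozenset({"vpn", "email"}), frozenset({"email", "crm"}))


def sample_store():
    return SessionStore({("jdoe", "email"): {"s-101", "s-102"},
                         ("jdoe", "crm"): {"s-201"},
                         ("jdoe", "wiki"): {"s-301"}})
```

Running device_centric alone leaves the email and crm sessions live; identity_centric revokes them and resets the captured credentials while leaving unrelated sessions (wiki) intact.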