SpyCloud Reveals Massive Identity Exposure Due to Infostealers, Highlights Need for Advanced Cybersecurity Measures

Research shows that infection with infostealer malware is often a precursor to ransomware attacks

SpyCloud, a leader in Cybercrime Analytics, today announced new cybersecurity research that highlights a growing and dire threat from cybercriminals – a type of malware designed to extract digital identity data, login credentials, and session cookies from infected devices. SpyCloud’s latest findings reveal the staggering level of identity exposure caused by infostealers, the influence this type of malware has had on the outbreak of ransomware, and the profound implications for businesses around the world.

A staggering level of identity exposure creates new risks

According to SpyCloud, 61% of all data breaches in the past year were malware-related, with infostealers responsible for the exfiltration of 343.78 million stolen credentials. This stolen information is then sold within criminal communities for use in further attacks.

The study also found that one in five people has already been the victim of an infostealer infection. Each infection, on average, exposes credentials for 10 to 25 third-party business applications, creating fertile ground for further access and exploitation, especially by ransomware operators.

“Our latest findings reveal a significant shift in the cybersecurity landscape,” said Damon Fleury, chief product officer at SpyCloud. “Infostealers have become a tool of entry for cybercriminals, with their ability to exfiltrate sensitive data in seconds, creating a path for cyber attacks such as ransomware through massive amounts of stolen access to SSO, VPN, management panels, and other sensitive data.”

Infostealers: A precursor to ransomware attacks

The connection between infostealers and ransomware is becoming increasingly clear. Through an in-depth analysis of recaptured infostealer logs, SpyCloud discovered a worrying trend: companies whose employees or contractors are infected with infostealer malware are more likely to experience ransomware attacks. In fact, nearly one-third of companies hit by ransomware last year had experienced an infostealer infection beforehand. According to the report, this figure is based on publicly known and confirmed ransomware cases; the true exposure is likely higher, as not all ransomware incidents are made public.

“The correlation between infostealer infections and subsequent ransomware attacks is a wake-up call for businesses,” said Trevor Hilligoss, vice president of SpyCloud Labs, SpyCloud. “However, this industry is incredibly complex and fast-paced. This year, we are seeing new families of infostealers using expanded capabilities such as advanced encryption to remain stealthy or the ability to restore expired authentication cookies for continued access.”

The rise of Malware-as-a-Service and account takeover attacks

The infostealer threat is exacerbated by the rise of Malware-as-a-Service (MaaS). This off-the-shelf model allows even low-skilled attackers to purchase and deploy sophisticated malware, including infostealers, with ease. With MaaS, these criminals can obtain fresh and accurate identity data in bulk, fueling the cycle of cybercrime.

SpyCloud’s findings also shed light on the emergence of next-generation account takeover (ATO) attacks powered by infostealers. Unlike traditional ATO, which relies on stolen credentials (a username and password pair), next-generation ATO uses stolen session cookies to bypass the login step entirely, in what is known as session hijacking. By replaying these pre-authenticated sessions, attackers can impersonate legitimate users and move through networks undetected. This method greatly increases the success rate of the attack and poses a significant threat to organizational security.

“The sheer volume of data and session cookies that criminals are taking is staggering,” Hilligoss said. “In the past 90 days alone, SpyCloud has recaptured more than 5.4 billion cookie records – with an average of nearly 2,000 records exposed per infected device. This vast amount of data is increasingly being used by ransomware operators and initial access brokers to facilitate their attacks, highlighting the need for advanced security strategies.”

Antivirus, MFA and traditional protections are no longer enough

At least 54% of devices infected by infostealers in the first quarter of 2024 had antivirus or endpoint detection and response (EDR) software installed at the time of infection, underscoring the limitations of traditional security controls against the techniques used by modern criminals.

In addition, infostealers and session hijacking attacks sidestep multi-factor authentication (MFA) and passwordless methods such as passkeys. A stolen session cookie represents a login that has already passed every authentication challenge, so an attacker who replays it impersonates the legitimate user without the server ever re-running MFA; the strength of the login step is irrelevant once the resulting session is in the attacker's hands.

A next-generation approach to cybersecurity is needed

SpyCloud’s findings make it clear: cleaning up the malware infection alone is no longer enough, and ignoring the residual exposure increases the impact on businesses. Organizations must move beyond removing infections and address the long-term risk posed by the data that was already exfiltrated. This includes resetting compromised application credentials and invalidating the session cookies that infostealers captured, since those remain usable by an attacker until the server revokes them.
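The two points above (a replayed cookie walks past MFA, and only server-side revocation closes that door) are easiest to see in code. The following is an added example written for this page, not SpyCloud's software or any product described here; it models a minimal signed-cookie session store with a constructed signing key, hypothetical client fingerprints, and a `demo()` function that plays the victim's login, the attacker's replay, and the remediation step.

```python
"""Session-cookie theft and server-side remediation, as a minimal model.

Added example, not code from SpyCloud or the report. It models three behaviours
the article describes: a stolen but still-valid cookie replayed by an attacker
passes a naive check even though the victim completed MFA; binding the session
to client context narrows the window; and bulk server-side revocation is what
actually cuts off an infostealer's access. Key, users and fingerprints below
are constructed for the example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

SIGNING_KEY = b"example-only-signing-key"   # constructed; real deployments use a secret store
SESSION_TTL = 8 * 3600                      # seconds a session stays valid


def fingerprint(user_agent: str, ip_prefix: str) -> str:
    """Hash of the client context a session is bound to at login (hypothetical scheme)."""
    return hashlib.sha256(f"{user_agent}|{ip_prefix}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    issued_at: float
    client_fp: str
    generation: int   # per-user revocation counter captured at issue time


class SessionStore:
    def __init__(self, bind_client: bool):
        self.bind_client = bind_client
        self._sessions: dict = {}     # session id -> Session
        self._generation: dict = {}   # user -> current generation (bumped on revoke)

    def _sign(self, session_id: str) -> str:
        return hmac.new(SIGNING_KEY, session_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, client_fp: str, now: float) -> str:
        """Called only after password + MFA succeed; returns the cookie value."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, client_fp, self._generation.get(user, 0))
        return f"{sid}.{self._sign(sid)}"

    def authenticate(self, cookie: str, client_fp: str, now: float) -> Optional[str]:
        """Return the user for a valid cookie, else None. MFA is never re-run here."""
        sid, _, sig = cookie.rpartition(".")
        if not hmac.compare_digest(sig, self._sign(sid)):
            return None                                   # forged or tampered cookie
        s = self._sessions.get(sid)
        if s is None or now - s.issued_at > SESSION_TTL:
            return None                                   # unknown or expired
        if s.generation != self._generation.get(s.user, 0):
            return None                                   # revoked in bulk
        if self.bind_client and s.client_fp != client_fp:
            return None                                   # replayed from a different client
        return s.user

    def revoke_all(self, user: str) -> None:
        """Remediation step: invalidate every outstanding session for the user."""
        self._generation[user] = self._generation.get(user, 0) + 1


def demo() -> dict:
    """Victim logs in with MFA, infostealer exfiltrates the cookie, attacker replays it."""
    t0 = time.time()
    victim_fp = fingerprint("Mozilla/5.0 (Windows NT 10.0)", "203.0.113")     # constructed
    attacker_fp = fingerprint("Mozilla/5.0 (X11; Linux x86_64)", "198.51.100")  # constructed
    results = {}
    for bound in (False, True):
        store = SessionStore(bind_client=bound)
        cookie = store.issue("alice", victim_fp, t0)
        # Replay from the attacker's machine one minute later: accepted by the naive store.
        results[f"replay_ok_bound={bound}"] = store.authenticate(cookie, attacker_fp, t0 + 60) == "alice"
        # A password reset alone would not touch the session; revoking it does.
        store.revoke_all("alice")
        results[f"after_revoke_bound={bound}"] = store.authenticate(cookie, victim_fp, t0 + 120) == "alice"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Client binding is only a heuristic: a stealer that runs on the victim's own machine can proxy through it, and legitimate users change networks. The dependable controls are the ones the article calls for, short session lifetimes and server-side revocation of every session tied to an exposed identity.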

By understanding the risks posed by infostealers and working to minimize the data they expose, organizations can limit the likelihood that this stolen data is turned into destructive attacks such as ransomware. SpyCloud remains committed to helping organizations address these challenges and protect their digital assets.

Readers can download the full 2024 Malware and Ransomware Defense Report.

To learn more about how SpyCloud helps organizations protect against ransomware, readers can visit

About the SpyCloud 2024 Malware and Ransomware Defense Report

In this fourth annual report, SpyCloud surveyed 510 people in active cybersecurity roles in US and UK organizations with at least 500 employees. The report examines the top concerns and real-life impacts of ransomware, including popular entry points, ransom payments, and the cumulative costs of these attacks on businesses. It also highlights key cyber threat prevention strategies and future security priorities identified by these experts.

About SpyCloud

SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated identity threat protection solutions use advanced analytics to quickly prevent ransomware and account hijacking, protect employee and consumer accounts, and accelerate cyber crime investigations. SpyCloud data from breaches, malware-infected devices, and successful phishing attacks also powers popular dark web monitoring and identity theft protection offerings. Clients include more than half of the Fortune 10, as well as hundreds of global corporations, mid-sized companies, and government agencies around the world. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity professionals whose job it is to protect businesses and consumers from the stolen identities that criminals are now using to target them.

To learn more and see details about their company’s exposed data, readers can visit spycloud.com

Contact person

EVP, Public Relations

Katie Hanusik

REQ on behalf of SpyCloud

[email protected]
