Ransomware attacks often leverage data stolen through prior infostealer infections, highlighting the importance of thorough remediation for all malware infections, researchers say.
Data from SpyCloud’s 2024 Malware and Ransomware Defense Report, a survey of more than 500 security professionals, showed nearly a third of ransomware attacks were preceded by an infostealer attack in the previous three months.
Infostealer malware can be leveraged to steal not only credentials, but also session cookies that can be hijacked to bypass multi-factor authentication (MFA) and take over accounts. And SpyCloud’s survey found that session hijacking enabled by stolen cookies was the third most common ransomware entry point, after phishing and third-party access.
Additional data from the IBM X-Force Threat Intelligence Index 2024, showing a 266% increase in infostealer use by ransomware groups between 2022 and 2023, demonstrates how these attacks are connected and how nipping infostealer attacks in the bud can help prevent future ransomware incidents.
“To fully combat ransomware and other critical threats, organizations must adopt a multi-layered strategy that includes post-infection remediation steps like resetting application credentials and invalidating session cookies siphoned by infostealer malware,” Damon Fleury, chief product officer at SpyCloud, said in a statement.
However, while SpyCloud’s survey found that organizations are more likely this year to reset passwords after a malware infection than they were last year – from 63.8% in 2023 to 76.5% in 2024 – they were slightly less likely to invalidate open app sessions (60.7% to 57.5%), suggesting that session hijacking and stolen cookies are overlooked risks when it comes to infostealer remediation.
A similar trend was seen in the rankings of most important ransomware countermeasures cited by survey respondents, with MFA jumping from eighth most important to second most important between the 2023 and 2024 surveys. While organizations seem to be recognizing the role of compromised credentials in ransomware threats, monitoring of compromised sessions is seen as a lower priority, ranking tenth on the list of ransomware countermeasures.
“To disrupt the evolving tactics of ransomware attacks before they escalate, step one is knowing the data criminals have already stolen. Step two is quickly remediating compromised credentials and terminating stolen web sessions – including SSO, VPN, and SaaS application access,” Fleury stated.
Despite less attention focused on monitoring stolen cookies compared with other credentials, security professionals are recognizing the threat of follow-up attacks to infostealer infections, with nearly all respondents (99.8%) saying they were concerned about this issue. Improving remediation after malware attacks was also the second most common future security plan for the next 12-18 months, cited by 45.1% of respondents.
Overall, SpyCloud recaptured more than 20 billion cookie records from infostealer attacks – an average of 2,000 records per infected device – last year and found that infostealers were responsible for the theft of 343.78 million credentials, exposing 10-25 third-party business application credentials per infection on average.
The two most common infostealers to infect victims in the three months prior to a ransomware attack were LummC2 (57.69%) and RedLine (40.60%) followed by StealC (20.51%), MetaStealer (19.66) and RisePro (17.52%). In many cases, more than one infostealer was installed during the same time period.
SpyCloud recommends organizations implement processes to invalidate stolen web sessions in the case of a malware attack, leverage automation to respond more quickly to malware threats, use continuous zero trust solutions to block unauthorized access to applications and adopt an identity-centric, rather than a device-centric, approach to security.
