Preventing ransomware by fully remediating infostealer attacks


Ransomware attacks often build on data stolen during an earlier infostealer infection, which is why every malware infection needs to be fully remediated rather than just cleaned off the endpoint, researchers say. Data from SpyCloud's 2024 Malware and Ransomware Defense Report, a survey of more than 500 security professionals, showed that nearly a third of ransomware attacks were preceded by an infostealer infection in the previous three months. Infostealer malware captures not only credentials but also browser session cookies; a cookie minted after a successful login can be replayed from another machine to bypass multi-factor authentication (MFA) and take over the account without ever triggering an MFA prompt. SpyCloud's survey found that session hijacking enabled by stolen cookies was the third most common ransomware entry point, after phishing and third-party access.

The IBM X-Force Threat Intelligence Index 2024 also highlights the growing threat of ransomware-as-a-service (RaaS) and the rise of ransomware gangs. RaaS is a business model in which ransomware operators rent their tooling and infrastructure to other malicious actors. This model has made ransomware attacks more accessible and cost-effective, leading to a surge in both the number and the sophistication of attacks.

A similar trend appears in the ranking of the most important ransomware countermeasures cited by survey respondents, with MFA jumping from eighth to second between the 2023 and 2024 surveys. While organizations seem to be recognizing the role of compromised credentials in ransomware threats, monitoring for compromised sessions is treated as a lower priority, ranking tenth on the list of countermeasures, even though a stolen session cookie sidesteps the MFA they now rank second. "To disrupt the evolving tactics of ransomware attacks before they escalate, step one is knowing the data criminals have already stolen. Step two is quickly remediating compromised credentials and terminating stolen web sessions – including SSO, VPN, and SaaS application access," Fleury stated.

* **Follow-up attacks:** Security professionals are increasingly recognizing the threat of follow-up attacks after infostealer infections.
* **Concern:** Nearly all respondents (99.8%) are concerned about this issue.
* **Impact:** These attacks can lead to significant financial losses and data breaches.
* **Examples:** Phishing attacks, malware distribution, and ransomware attacks.

The two most common infostealers found on victims in the three months before a ransomware attack were LummaC2 (57.69%) and RedLine (40.60%), followed by StealC (20.51%), MetaStealer (19.66%) and RisePro (17.52%). In many cases more than one infostealer was installed during the same period. SpyCloud recommends that organizations implement a process to invalidate stolen web sessions whenever a malware infection is found (not only reset the password, since the stolen cookie remains valid until the server revokes it), use automation to respond to malware threats more quickly, use continuous zero trust controls to block unauthorized access to applications, and adopt an identity-centric rather than device-centric approach to security.
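The remediation step the report keeps returning to, terminating every web session a victim holds, only works if the application can revoke sessions server-side rather than trusting the cookie until it expires. The following is an added illustration of that pattern, not code from SpyCloud or any product mentioned on this page. It assumes an opaque session-id cookie backed by a server-side registry (held in memory here; a real deployment would use a shared store such as Redis so every node sees a revocation), and the user name "alice", timestamps and the theft scenario in `demo()` are constructed for the walkthrough. It also shows why the stolen cookie bypasses MFA: validation has no way to know who is presenting it.

```python
"""Server-side session registry with per-user bulk revocation (added example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    generation: int        # value of the user's revocation counter when issued
    issued_at: float
    expires_at: float
    mfa_verified: bool


class SessionStore:
    """Hypothetical opaque-cookie session store keyed by a hash of the cookie."""

    def __init__(self, idle_ttl: float = 8 * 3600):
        self.idle_ttl = idle_ttl
        self._sessions: Dict[str, Session] = {}   # sha256(cookie) -> Session
        self._generation: Dict[str, int] = {}     # user -> current generation

    @staticmethod
    def _key(cookie: str) -> str:
        # Store only a hash so a dump of this table (or a log line) does not
        # itself hand out replayable cookies.
        return hashlib.sha256(cookie.encode()).hexdigest()

    def issue(self, user: str, mfa_verified: bool, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        cookie = secrets.token_urlsafe(32)
        self._sessions[self._key(cookie)] = Session(
            user, self._generation.get(user, 0), now, now + self.idle_ttl, mfa_verified)
        return cookie

    def validate(self, cookie: str, now: Optional[float] = None) -> Optional[Session]:
        """Return the session a cookie maps to, or None if it is expired or revoked.
        Nothing here knows whether the cookie came from the victim's browser or
        from an infostealer log: a cookie minted after a successful MFA step
        carries mfa_verified=True wherever it is replayed."""
        now = time.time() if now is None else now
        key = self._key(cookie)
        s = self._sessions.get(key)
        if s is None:
            return None
        if now >= s.expires_at or s.generation != self._generation.get(s.user, 0):
            del self._sessions[key]    # expired or revoked: purge and reject
            return None
        return s

    def revoke_all(self, user: str) -> int:
        """Compromise response: bump the user's generation so every cookie issued
        so far fails validation, and purge them. Returns the number purged."""
        self._generation[user] = self._generation.get(user, 0) + 1
        stale = [k for k, s in self._sessions.items() if s.user == user]
        for k in stale:
            del self._sessions[k]
        return len(stale)


def remediate_stolen_sessions(store: SessionStore, user: str) -> int:
    """The report's 'step two' for one identity: terminate every web session.
    The same hook would also force a password reset and, for SSO, ask the IdP
    to revoke its own sessions and refresh tokens (not modelled here)."""
    return store.revoke_all(user)


def demo() -> dict:
    """Theft, replay and remediation with fixed timestamps (constructed scenario)."""
    store = SessionStore()
    t0 = 1_700_000_000.0
    # 1. Victim logs in and passes MFA; the server mints a session cookie.
    cookie = store.issue("alice", mfa_verified=True, now=t0)
    # 2. An infostealer copies the cookie out of the browser profile.
    stolen = cookie
    # 3. Attacker replays it from another host: accepted, no MFA prompt.
    replay = store.validate(stolen, now=t0 + 60)
    # 4. Infection detected; sessions terminated, not just the password reset.
    purged = remediate_stolen_sessions(store, "alice")
    after = store.validate(stolen, now=t0 + 120)
    # 5. Victim re-authenticates and receives a fresh, valid session.
    fresh = store.validate(store.issue("alice", True, now=t0 + 180), now=t0 + 200)
    return {
        "replay_accepted": replay is not None and replay.mfa_verified,
        "sessions_purged": purged,
        "replay_after_revoke": after,
        "fresh_login_ok": fresh is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The generation counter is what makes the revocation cheap and race-free: rather than hunting down every cookie a victim ever received (including ones on machines the responder cannot reach), a single increment invalidates all of them at the next request, and the fresh session issued after re-authentication is the only one that matches. A JWT-style stateless session cannot do this without an equivalent server-side denylist, which is the practical reason the report treats session monitoring and termination as a distinct control from MFA.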
