Ransomware is the leading cybersecurity threat across every industry and a top priority for every Security Operations Center (SOC) team according to the SpyCloud 2024 Malware and Ransomware Defense Report. When focusing on mitigating ransomware risk, it’s important not to overlook the growing threat of infostealer malware (“infostealers”) – an often quiet precursor to ransomware attacks.
Our research has revealed that one-third of companies who fall victim to ransomware have experienced at least one infostealer infection within 16 weeks before the attack – a crucial warning sign.
What is Infostealer Malware?
Threat actors use infostealer malware to infiltrate devices and steal any and all information that can be of value – login credentials, session cookies, personally identifiable information (PII), authentication data, and much more. Bad actors can then sell or trade the most critical access to specialized brokers, or use it themselves, to gain unauthorized access to systems and networks to facilitate follow-on attacks, including ransomware.
The Infostealer Challenge
Unfortunately, infostealers can be challenging to identify and often leave little evidence, going unnoticed for days or weeks before the initial infection and the theft of information are detected. Even after an infection is detected and remediation has begun, stolen information may be difficult or impossible to fully invalidate, resulting in an elevated risk for months or even years.
Despite the growing concern about infostealers and high-profile incidents (such as the Medibank breach), organizations still have significant gaps in their ability to address malware exposures. Typical machine-centric malware response processes emphasize a three-step approach of 1) detection and analysis, 2) containment, and 3) eradication and recovery. However, a “brute force” reset and wipe doesn’t solve the larger issue of stolen data, and thus access, remaining in the wrong hands.
Addressing the Infostealer Threat
To combat the risks associated with data siphoned from malware-infected devices, a more identity-centric approach is required to prevent cybercriminals from using stolen credentials to carry out attacks and profit from stolen data. Here are three things SOC leaders can do to gain the upper hand:
1. Act on Compromised Data
As every SOC team member knows, remediating a malware infection can feel a bit like playing darts in a heavy fog. Having better visibility of malware-exfiltrated data (such as exposed credentials and session cookies and other tokens) can simplify the process of remediation and significantly improve an organization’s resistance to ransomware attacks.
The approach – known as Post-Infection Remediation (PIR) – works like this. Once an infected device is identified, security teams must respond swiftly. The first step is to clear the infected device. However, as soon as the immediate risk of an ongoing infection event is mitigated, teams must begin the work of identifying what identity data may have been exposed. In many cases, this involves going to where the criminal communities are trading data: the dark web, criminal forums, and messaging platforms.
With access to the data criminals have in hand from the dark web, organizations have better visibility into the overall exposure and cyber risk to their business. Knowing what data is in the hands of criminal actors, the SOC can remediate all compromised credentials and systems impacted by an attack by resetting application credentials and invalidating session cookies exfiltrated by malware. If all exposed data is reset, a follow-on ransomware attack has a low probability of occurring.
2. Mitigate the Risk from Third-Party Exposure
Threat actors leverage a range of strategies to gain the upper hand in the ransomware landscape. Still, nothing presents as ample an opportunity as malware-infected third-party and unmanaged devices used to access corporate applications.
Whether these devices belong to employees or third parties, a single device infected with infostealer malware can open the doors for threat actors to move laterally beyond the initial endpoint, gaining access to potentially hundreds of applications and stealing thousands of third-party credentials. This can quickly escalate to a ransomware attack, especially if persistent access credentials like API keys, long-lived authentication cookies, or administrative credentials are compromised.
Security researchers found that as many as 90% of security compromises originate from unmanaged devices, and third-party access is second only to phishing as a common entry point for ransomware. Many exposures result from enterprise data siphoned out of a managed network by ease-of-access systems that sync credentials and other information between connected devices.
Outside of traditional IT control and without visibility into these exposures, it’s difficult for an organization to fully understand its risk and properly defend itself.
To negate the opportunities for third-party exposure, security teams need to work proactively to illuminate the full attack surface. This includes continuously monitoring for exposed identities on the dark web so they can identify compromised accounts before they are exploited. By improving visibility into malware-exfiltrated data, they can quickly discover exposed applications and execute a rapid response, such as remediating credentials associated with third-party applications like Single Sign-On (SSO), code repositories, payroll systems, VPNs, or remote access portals.
Educating employees about the risks associated with using personal devices for work can also help reduce the likelihood of infections occurring.
3. Use Automation to Speed Up Detection and Mitigation
We know cybercriminals leverage automation, but as they get faster, so can we. By acting automatically on alerts and incident notifications for new breaches and malware infections, SOC teams can operationalize that data faster and feed it into remediation workflows that negate its impact.
Enterprises should consider the following strategies:
- Set up automated alerts for when the organization’s credentials appear in data leaks and integrate findings with a SIEM for proactive monitoring, ticket generation, and resets.
- Create automated workflows to notify users when their credentials are compromised and guide them through remediation actions.
- Schedule automated scans of the dark web to compare user credentials against compromised accounts.
- Develop automated playbooks for incident response, including a more robust post-infection remediation playbook that outlines the steps to take when compromised credentials are found.
- Set up a centralized dashboard to track metrics related to compromised credentials so SOC teams can quickly assess the situation and respond effectively.
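To make the Post-Infection Remediation workflow above and the automated playbook and dashboard items in this list concrete, here is an added Python example (not SpyCloud’s code and not part of the original article) that turns a constructed exposure record for one infected device into prioritized reset and invalidation actions, then reports what remains exposed; the record format, the example app names and the 30-day “long-lived cookie” threshold are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: what a malware-exposure feed might report for one infected device (not real data).
EXPOSURE = {
    "device": "contractor-laptop-01 (unmanaged)",
    "records": [
        {"type": "credential", "app": "sso.example.test", "user": "j.doe", "role": "admin"},
        {"type": "credential", "app": "payroll.example.test", "user": "j.doe", "role": "user"},
        {"type": "cookie", "app": "git.example.test", "name": "session", "expires": "2025-05-02T00:00:00+00:00"},
        {"type": "cookie", "app": "vpn.example.test", "name": "sid", "expires": "2024-05-01T10:00:00+00:00"},
        {"type": "api_key", "app": "ci.example.test", "owner": "build-bot"},
    ],
}
NOW = datetime(2024, 5, 2, 9, 14, tzinfo=timezone.utc)  # time the infection was triaged (constructed)
LONG_LIVED = timedelta(days=30)  # assumption: cookies valid longer than this count as persistent access

@dataclass
class Action:
    priority: int  # 1 = act first (persistent or administrative access), 3 = short-lived session
    app: str
    step: str
    done: bool = False

def plan_remediation(exposure, now=NOW):
    """Map exposed identity data to ordered reset/invalidate actions (the PIR step after the device is wiped)."""
    actions = []
    for r in exposure["records"]:
        if r["type"] == "credential":
            pri = 1 if r["role"] == "admin" else 2
            actions.append(Action(pri, r["app"], f"reset password for {r['user']}"))
        elif r["type"] == "cookie":
            ttl = datetime.fromisoformat(r["expires"]) - now
            if ttl <= timedelta(0):
                continue  # already expired: no live session left to invalidate
            pri = 1 if ttl > LONG_LIVED else 3
            actions.append(Action(pri, r["app"], f"invalidate session cookie '{r['name']}'"))
        elif r["type"] == "api_key":
            actions.append(Action(1, r["app"], f"rotate API key owned by {r['owner']}"))
    return sorted(actions, key=lambda a: (a.priority, a.app))

def residual_exposure(actions):
    """Dashboard metric: unremediated items per priority; an empty dict means all exposed data was reset."""
    return dict(Counter(a.priority for a in actions if not a.done))

if __name__ == "__main__":
    for a in plan_remediation(EXPOSURE):
        print(f"P{a.priority} {a.app}: {a.step}")
```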
The Identity-Centric Approach
As ransomware attacks evolve and cybercriminals increasingly rely on next-generation tactics, organizations must shift to next-generation defense.
Traditional methods of dealing with malware are not enough to stop cybercriminals from using exfiltrated data, leaving organizations vulnerable to prolonged risks. To effectively disrupt ransomware attacks, security teams and fraud prevention counterparts must adopt an identity-centric approach. By doing so, they can better mitigate the impact of ransomware and protect valuable data from falling into the wrong hands.
About the Author
Trevor Hilligoss is the Senior Vice President of SpyCloud Labs, SpyCloud’s in-house security research team. He served nine years in the U.S. Army and has an extensive background in federal law enforcement, tracking threat actors for both the DoD and FBI. He serves in an advisory capacity for multiple cybersecurity-focused non-profits. He has spoken at numerous US and international cyber conferences, holds multiple federal and industry certifications in the field of cybersecurity, and is a recipient of the President’s Volunteer Service Award for volunteer service aimed at countering cyber threats.
Trevor can be reached online at [email protected].