Current ransomware defensive efforts are not working

Despite some positive developments, the impact of ransomware attacks remains high, according to SpyCloud.

Infostealer infections preceded 22% of ransomware events for North American and European ransomware victim companies in 2023 – with common infostealers such as Raccoon, Vidar, and Redline increasing the probability even further. SpyCloud’s analysis shows that 76% of infections that preceded these ransomware events involved Raccoon infostealer malware.

Ransomware is a malware problem at its core

Despite shifting priorities to better address ransomware, organizations are failing to address infostealer malware – a common precursor to ransomware attacks.

“Ransomware is a malware problem at its core, and there’s a clear pattern emerging that shows infostealer malware is directly leading to ransomware attacks,” said Trevor Hilligoss, Senior Director of Security Research at SpyCloud. “Organizations that fail to address malware-stolen authentication data risk more than just ransom costs, as harm to brand reputation, disruption to business operations, and resource drain can be equally or more detrimental than the ransom itself.”

SpyCloud found that over 98% of respondents agree better visibility and automated remediation of malware-exfiltrated data would improve their ability to fight against ransomware.

MFA importance soars in recent years

Organizations have shifted their approach in the past year, moving away from user awareness and training and toward technology-driven countermeasures: automating the remediation of exposed passwords and session cookies, implementing MFA, and leveraging passwordless authentication such as passkeys.

Respondents ranked the importance of MFA much higher than in previous years, although data backup remained organizations’ most important perceived countermeasure to ransomware. Additionally, organizations ranked phishing and social engineering (common malware deployment methods) as the riskiest entry points.

SpyCloud found that 81% of surveyed organizations were affected at least once in the past 12 months. Affected organizations include enterprises that utilized any business resources to combat ransomware, whether through security solutions or ransom payments.

“Despite organizations’ understanding of malware, security teams still lack visibility into the authentication data exposed by infections – and as such fail to consistently remediate stolen credentials and cookies as a means of preventing the account takeover and session hijacking attacks that lead to ransomware,” said Hilligoss. “While MFA, automation, and passwordless technologies are important precautions, none of them are infallible.”

Cyber defense misalignment

Based on SpyCloud’s findings, detecting and addressing exposed authentication data should be the top priority for organizations looking to disrupt malicious actors. Yet only 19% of organizations said they were prioritizing improving visibility and remediation for malware-exfiltrated data.

While 79% of surveyed professionals are confident in their capabilities to prevent a ransomware attack in the next 12 months, SpyCloud found a misalignment between companies’ cyber defense priorities and criminals’ attack methods – which have shifted away from breached credentials to malware-stolen cookies that enable session hijacking:

• Respondents ranked monitoring for compromised web session cookies and tokens as the third least important ransomware countermeasure.
• Organizations rated stolen cookies as the least risky entry point.
• Automating workflows to remediate exposed passwords and cookies ranked as the bottom second and third authentication practices, respectively.