SpyCloud recently released its 2023 Ransomware Defense Report, an annual analysis of how security leaders and practitioners view the threat of ransomware and their organizations’ cyber readiness.
Researchers conducted a detailed analysis using ransomware event data from ecrime.ch and SpyCloud's database of recaptured records from the criminal underground and found organizations infected with information-stealing malware, or infostealers, were more likely to suffer from a ransomware incident.
Infostealer infections preceded 22% of ransomware events at North American and European victim companies in 2023, and infections with common infostealers such as Raccoon, Vidar and RedLine raised the probability even further. The analysis showed that 76% of the infections that preceded these ransomware events involved the Raccoon infostealer.
Additionally, the report surveyed more than 300 individuals in active cybersecurity roles at U.S., U.K. and Canadian organizations with at least 500 employees and found that despite shifting priorities to better address ransomware, organizations are failing to address infostealer malware.
The report found that more than 98% of respondents agree better visibility and automated remediation of malware-exfiltrated data would improve their ability to fight against ransomware. Organizations have shifted their approach in the past year, moving away from user awareness and training and toward technology-driven countermeasures: automating the remediation of exposed passwords and session cookies, implementing multi-factor authentication (MFA) and leveraging passwordless authentication such as passkeys.
Respondents ranked the importance of MFA much higher than in previous years, although data backup remained organizations’ most important perceived countermeasure to ransomware. Additionally, organizations ranked phishing and social engineering (common malware deployment methods) as the riskiest entry points.
The report also revealed that 81% of surveyed organizations were affected by ransomware at least once in the past 12 months. The report counts an organization as affected if it spent any business resources on ransomware, whether on security solutions or on ransom payments.
Based on these findings, detecting and addressing exposed authentication data should be the top priority for organizations looking to disrupt malicious actors. However, only 19% of organizations said they were prioritizing improved visibility and remediation for malware-exfiltrated data.
While 79% of surveyed professionals are confident in their ability to prevent a ransomware attack in the next 12 months, the report found a misalignment between companies' defense priorities and criminals' attack methods, which have shifted away from breached credentials toward malware-stolen cookies that enable session hijacking:
- Respondents ranked monitoring for compromised web session cookies and tokens as the third least important ransomware countermeasure.
- Organizations rated stolen cookies as the least risky entry point.
- Automating workflows to remediate exposed passwords and cookies ranked second- and third-lowest, respectively, among authentication practices.
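The countermeasure the report keeps returning to, automated remediation of malware-exfiltrated passwords and session cookies, is straightforward to sketch in code. The following is an added example, not code from SpyCloud or from the report: it models a server-side session store keyed by a hash of the cookie value, takes a constructed feed of infostealer records (domain, cookie value or username), and revokes any still-active session whose cookie appears in the feed. Because a stolen cookie comes from an infected endpoint that typically also held the user's saved password, the example treats a matched cookie as a whole-account exposure (a design choice here, not something the report prescribes): it revokes the user's other sessions and flags the account for a forced password reset. Records for domains the organization does not own are reported but skipped, since nothing can be revoked server-side for them, and a cookie that no longer matches an active session is reported as stale rather than silently dropped. The domains, usernames and session values are all constructed.

```python
"""Added example (not from the SpyCloud report): automated remediation of
malware-exfiltrated session cookies and credentials against a mock session store.
Domains, users and session values below are constructed for illustration."""
from dataclasses import dataclass
import hashlib
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Session:
    user: str
    domain: str
    revoked: bool = False


class SessionStore:
    """Mock server-side session store. Sessions are keyed by SHA-256 of the
    cookie value so raw session tokens are never stored at rest."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self.force_reset: Set[str] = set()  # users who must set a new password

    @staticmethod
    def _key(cookie_value: str) -> str:
        return hashlib.sha256(cookie_value.encode()).hexdigest()

    def create(self, user: str, domain: str, cookie_value: str) -> None:
        self._sessions[self._key(cookie_value)] = Session(user, domain)

    def active_for(self, user: str) -> int:
        return sum(1 for s in self._sessions.values()
                   if s.user == user and not s.revoked)

    def revoke_by_cookie(self, cookie_value: str) -> Optional[str]:
        """Revoke the session matching a stolen cookie; return its user, or
        None if the cookie is unknown or already revoked (i.e. stale)."""
        s = self._sessions.get(self._key(cookie_value))
        if s is None or s.revoked:
            return None
        s.revoked = True
        return s.user

    def revoke_all_for(self, user: str) -> int:
        """Revoke every remaining active session for a user; return the count."""
        n = 0
        for s in self._sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                n += 1
        return n


def remediate(store: SessionStore, records: List[dict],
              owned_domains: Set[str]) -> List[Tuple]:
    """Walk a feed of exfiltrated records and apply remediation actions.
    Each record is {"domain": ..., "kind": "cookie"|"credential", ...}."""
    actions: List[Tuple] = []
    for rec in records:
        if rec["domain"] not in owned_domains:
            # Third-party exposure: report it, nothing to revoke server-side.
            actions.append(("ignored_third_party", rec["domain"]))
            continue
        if rec["kind"] == "cookie":
            user = store.revoke_by_cookie(rec["value"])
            if user is None:
                actions.append(("stale_cookie", rec["domain"]))
                continue
            # Design choice (assumption): the infected endpoint held everything
            # in that browser, so treat the whole account as exposed.
            extra = store.revoke_all_for(user)
            store.force_reset.add(user)
            actions.append(("revoke_sessions", user, 1 + extra))
        elif rec["kind"] == "credential":
            user = rec["user"]
            store.force_reset.add(user)
            n = store.revoke_all_for(user)
            actions.append(("force_reset", user, n))
    return actions


def run_example() -> Tuple[List[Tuple], SessionStore]:
    """Build a constructed store and feed, run remediation, return both."""
    store = SessionStore()
    store.create("alice", "corp.example.com", "sess-alice-1")
    store.create("alice", "corp.example.com", "sess-alice-2")
    store.create("bob", "corp.example.com", "sess-bob-1")
    store.create("bob", "corp.example.com", "sess-bob-2")
    # Constructed exfiltration feed, in the order an analyst might receive it.
    records = [
        {"domain": "corp.example.com", "kind": "cookie", "value": "sess-alice-1"},
        {"domain": "corp.example.com", "kind": "cookie", "value": "sess-expired"},
        {"domain": "other.example.net", "kind": "cookie", "value": "sess-x"},
        {"domain": "corp.example.com", "kind": "credential", "user": "bob"},
    ]
    actions = remediate(store, records, {"corp.example.com"})
    return actions, store


if __name__ == "__main__":
    for action in run_example()[0]:
        print(action)
```

Revocation happens by hashed lookup of the stolen value, so the feed itself never needs the organization's own token database; in practice the `force_reset` set would drive an identity-provider action (reset plus MFA re-enrollment) rather than sit in memory.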