History doesn’t repeat itself, but it rhymes. Infostealers, a form of malware that’s nearly as old as the internet itself, have recently emerged — or rather re-emerged — as a risk to enterprises. As a recent report from security firm Recorded Future put it, “infostealers dominated the malware landscape” in the first half of 2024, while a writer for Dark Reading notes that almost a third of ransomware events were preceded by infostealer infiltrations.
So what do cyber insurance brokers and their clients need to know about this form of malware? First, let's look at the basics.
An infostealer is a type of malicious software designed with the primary goal of extracting valuable information from compromised systems. It discreetly infiltrates a computer and operates in the background without arousing suspicion. Infostealers can target a range of data, including login credentials, session cookies, financial information, personal identities and intellectual property. The harvested information is collected by attackers and often sold to other threat actors, who use the data to conduct additional attacks.
There’s no one way that an infostealer works — which is one of the reasons they are difficult to uncover and defend against. (A recent story showed how even a top cybersecurity training company can be a victim, with a near-miss involving a threat actor’s efforts to install an infostealer on their systems.) Once an infostealer gains initial access to a device or system, often via an attachment to a phishing email or a malicious link, the malware can go about its business in several ways:
Armed with usernames, passwords, or authentication cookies harvested from an infostealer’s efforts, threat actors can bypass traditional security measures such as multi-factor authentication (MFA) and gain unauthorized access to critical systems.
The risk is particularly concerning when these stolen credentials are used to access cloud environments or corporate VPNs. Once inside, attackers can move laterally across the network, exfiltrating data, launching ransomware attacks, or carrying out espionage. The stolen data may also be sold on dark web marketplaces, further fueling the cybercriminal ecosystem.
It’s important to note that properly implemented MFA systems — especially those with additional layers of security like time-sensitive codes or biometric factors — still provide a strong defense, even against an attacker with a bevy of sensitive data. Weaker MFA implementations, like those that rely on session tokens or SMS, are most likely to be exploited.
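The cookie-replay risk above is also where defenders get their detection signal: a session cookie that completed MFA on one device and is then replayed from an attacker's machine usually arrives with a different client fingerprint. The example below is added here and is not code from the original post or from Corvus; it scans constructed sample session-log records and flags sessions whose later requests come from a changed user agent or from outside an assumed trusted network, recommending the remediation the post describes (revoke the session and reset credentials). The trusted network range, log field layout and sample values are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample session-log records (not real data):
# (timestamp, session_id, user, source_ip, user_agent)
SAMPLE_EVENTS = [
    ("2024-09-01T08:00:00Z", "s1", "alice", "10.20.0.15", "Mozilla/5.0 (Windows NT 10.0) Chrome/128"),
    ("2024-09-01T08:05:00Z", "s1", "alice", "10.20.0.15", "Mozilla/5.0 (Windows NT 10.0) Chrome/128"),
    # Same cookie replayed hours later from a different OS, browser and network.
    ("2024-09-01T21:40:00Z", "s1", "alice", "203.0.113.77", "Mozilla/5.0 (X11; Linux x86_64) Firefox/130"),
    ("2024-09-01T09:00:00Z", "s2", "bob", "10.20.0.31", "Mozilla/5.0 (Macintosh) Safari/17"),
    # Legitimate move between two office addresses on the same trusted network.
    ("2024-09-01T09:30:00Z", "s2", "bob", "10.20.0.44", "Mozilla/5.0 (Macintosh) Safari/17"),
]

# Assumed corporate address space; in practice take this from your own inventory.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass
class Alert:
    session_id: str
    user: str
    reason: str
    action: str


def _trusted(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def session_reuse_alerts(events, trusted_nets=TRUSTED_NETS):
    """Flag sessions whose later requests do not look like the client that
    originally authenticated: a changed user agent, or a move from a trusted
    network to an untrusted one. Each session is reported at most once."""
    origin = {}    # session_id -> (ip, user_agent) at first sighting
    flagged = set()
    alerts = []
    for _ts, sid, user, ip, ua in sorted(events):   # ISO timestamps sort lexically
        if sid not in origin:
            origin[sid] = (ip, ua)
            continue
        o_ip, o_ua = origin[sid]
        reasons = []
        if ua != o_ua:
            reasons.append(f"user agent changed: {o_ua!r} -> {ua!r}")
        if _trusted(o_ip, trusted_nets) and not _trusted(ip, trusted_nets):
            reasons.append(f"left trusted network: {o_ip} -> {ip}")
        if reasons and sid not in flagged:
            flagged.add(sid)
            alerts.append(Alert(sid, user, "; ".join(reasons),
                                "revoke session and reset credentials"))
    return alerts
```

Run on the sample, only alice's session s1 is flagged; bob's move between two trusted addresses with an unchanged browser is not.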
A contributing factor in the recent emergence of infostealers is the now frequent, casual use of personal devices for professional purposes. In today’s hybrid work environments, it is not uncommon for employees to access their work emails or other corporate resources from their home computers or smartphones, opening a door to cybercriminals who target these less-protected devices.
A common scenario involves users unknowingly installing pirated software laced with infostealers on their personal devices, the kind of suspicious software that would have been easily flagged or rejected by corporate network security. Infostealers can also arrive via malicious websites, phishing emails, drive-by downloads, or infected attachments. In some cases, family members, such as children, install risky programs, exposing the entire system to infostealers. This becomes an enterprise-level issue when company assets are accessed from that personal device: what starts as a personal security risk quickly evolves into a corporate cybersecurity threat when the harvested credentials are used to breach company networks.
Because infostealers offer threat actors flexibility in the techniques deployed and the type of attacks that can ensue, businesses need to take a proactive and comprehensive approach to cybersecurity to defend against them effectively. Here are the key steps to strengthen defenses:
Extra vigilance is required in a world where, thanks to infostealers, many threat actors have enough data at their disposal to successfully unlock critical systems, even ones that are protected with what were once gold-standard security measures. But the silver lining, if only a slight one, is that infostealer activity can be detected, as we saw in the case mentioned earlier of the security awareness company that had a near-miss. Any detected infostealer activity should be taken as a signal to immediately remediate by resetting credentials; quick action can potentially prevent an incursion from even getting to the point of a ransom being demanded. Following the steps above to prevent a successful infostealer attack, and rapid response in the event of a detected incursion, should be priorities for any organization concerned with preventing ransomware today.
This post is intended for general guidance and informational purposes only. This post is under no circumstances intended to be used or considered as specific insurance or information security advice. This post is not to be considered an objective or independent explanation of the matters contained herein. The use of any services and the implementation of any product or practices referenced in this post is at the customer’s sole discretion. Corvus disclaims all warranties, express or implied.