SpyCloud, the leader in Cybercrime Analytics, announced new cybersecurity research highlighting the growing and alarming threat of infostealers – a type of malware designed to exfiltrate digital identity data, login credentials, and session cookies from infected devices. SpyCloud’s latest findings reveal the staggering scale of identity exposure caused by infostealers, the influence this type of malware has had on the surge in ransomware incidents, and the profound implications for businesses worldwide.
CyberTech News: Integrity Risk Int’l Launches Global Security Solutions
Massive scale of identity exposure creates new risks
According to SpyCloud, 61% of all data breaches in the past year were malware-related, with infostealers responsible for the theft of 343.78 million credentials. These stolen credentials are then sold in criminal communities for use in further attacks.
The research also found that one in five individuals has been a victim of an infostealer infection. Each infection, on average, exposes 10-25 third-party business application credentials, creating fertile ground for further access and exploitation, particularly by ransomware operators.
“Our latest findings reveal a critical shift in the cybersecurity landscape,” said Damon Fleury, chief product officer at SpyCloud. “Infostealers have become the go-to tool for cybercriminals, with their ability to exfiltrate valuable data in a matter of seconds, creating a runway for cyberattacks like ransomware off the vast amounts of stolen access to SSO, VPN, admin panels, and other critical applications.”
Infostealers: The precursor to ransomware attacks
The link between infostealers and ransomware is becoming increasingly evident. Through deep analysis of recaptured infostealer logs, SpyCloud discovered a worrying trend: companies with employees and contractors who are infected with infostealer malware are significantly more likely to experience a ransomware attack. In fact, nearly one-third of companies that suffered a ransomware attack last year had previously experienced an infostealer infection. According to the report, this is based on publicly known incidents and confirmed ransomware events. The true exposure is potentially even higher as not all ransomware incidents are made publicly available.
“The correlation between infostealer infections and subsequent ransomware attacks is a wake-up call for businesses,” said Trevor Hilligoss, vice president of SpyCloud Labs, SpyCloud. “However, this field is incredibly complex and fast-moving. This year, we’re seeing new infostealers families that make use of expanded capabilities such as advanced encryption to stay stealthy or the ability to restore expired authentication cookies for more persistent access.”
CyberTech News: B-FY’s Biometric Solution: A Gamechanger in Cybercrime Fight
The rise of Malware-as-a-Service and account takeover attacks
The infostealer threat is further exacerbated by the rise of Malware-as-a-Service (MaaS). This off-the-shelf model allows even low-skilled cybercriminals to purchase and deploy sophisticated malware, including infostealers, with ease. Through MaaS, these criminals can acquire fresh and accurate identity data in bulk, fueling the cycle of cybercrime.
SpyCloud’s findings also shed light on the evolution of account takeover (ATO) attacks, powered by infostealers. Unlike traditional ATO, which relies on stolen credentials (username and password combinations), next-generation ATO leverages stolen session cookies to sidestep traditional authentication methods in what is known as session hijacking. By taking over these already-authenticated sessions, cybercriminals can mimic legitimate users and infiltrate networks undetected. This method significantly increases the success rate of attacks and poses a severe threat to organizational security.
“The sheer volume of credentials and session cookies being siphoned by infostealers is staggering,” said Hilligoss. “In the last 90 days alone, SpyCloud has recaptured over 5.4 billion stolen cookie records – with an average of nearly 2,000 exposed records per infected device. This vast trove of data is increasingly used by ransomware operators and initial access brokers to facilitate their attacks, highlighting the need for advanced defense strategies.”
Antivirus, MFA and traditional defenses are no longer enough
At least 54% of devices infected with infostealers in the first half of 2024 had antivirus or endpoint detection and response (EDR) solutions installed, underscoring the limitations of traditional cybersecurity measures in combating the techniques used by modern cybercriminals.
Furthermore, infostealers and session hijacking attacks render multi-factor authentication (MFA) and passwordless authentication methods like passkeys ineffective. By hijacking already-authenticated sessions, cybercriminals can impersonate legitimate users and side-step even the most robust authentication methods.
The call for next-generation cybersecurity
The findings from SpyCloud make it clear: traditional malware mitigation is no longer sufficient and ignoring the problem only exacerbates the impact on businesses. Organizations must move beyond merely removing infections and focus on remediating the long-term risks posed by exposed data. This includes resetting compromised application credentials and invalidating session cookies siphoned by infostealers.
By understanding the risks posed by infostealers and working to mitigate the data that has been exfiltrated, organizations are able to limit the likelihood of devastating cyberattacks such as ransomware that stem from this stolen data. SpyCloud remains committed to helping organizations navigate these challenges and safeguard their digital assets.
To share your insights, please write to us at news@intentamplify.com
