
SpyCloud Report: Infostealer Malware is a Precursor to Ransomware Attacks


79% of organizations are confident in their ransomware defenses, but only 19% are addressing the malware threat

Austin, TX – September 20, 2023 (Business Wire) – SpyCloud, the leader in Cybercrime Analytics, today released its 2023 Ransomware Defense Report, an annual analysis of how security leaders and practitioners view the threat of ransomware and their organizations’ cyber readiness.

SpyCloud researchers conducted a detailed analysis using ransomware event data from and its own database of recaptured records from the criminal underground and found organizations infected with information-stealing malware, or infostealers, were more likely to suffer from a ransomware incident.

Infostealer infections preceded nearly one-third (30%) of ransomware events for North American and European ransomware victim companies in 2023 – with common infostealers such as Raccoon, Vidar, and Redline increasing the probability even further. SpyCloud’s analysis shows that 76% of infections that preceded these ransomware events involved Raccoon infostealer malware.

Additionally, SpyCloud surveyed over 300 individuals in active cybersecurity roles at US, UK, and Canadian organizations with at least 500 employees and found that despite shifting priorities to better address ransomware, organizations are failing to address infostealer malware – a common precursor to ransomware attacks.

“Ransomware is a malware problem at its core, and there’s a clear pattern emerging that shows infostealer malware is directly leading to ransomware attacks. Organizations that fail to address malware-stolen authentication data risk more than just ransom costs, as harm to brand reputation, disruption to business operations, and resource drain can be equally or more detrimental than the ransom itself.”

Trevor Hilligoss, Senior Director of Security Research at SpyCloud

Organizations Know the Threat and Are Adapting

SpyCloud found that over 98% of respondents agree better visibility and automated remediation of malware-exfiltrated data would improve their ability to fight against ransomware. Organizations have shifted their approach in the past year, moving away from user awareness and training and toward technology-driven countermeasures: automating the remediation of exposed passwords and session cookies, implementing multi-factor authentication (MFA), and leveraging passwordless authentication such as passkeys.

Respondents ranked the importance of MFA much higher than in previous years, although data backup remained organizations’ most important perceived countermeasure to ransomware. Additionally, organizations ranked phishing and social engineering (common malware deployment methods) as the riskiest entry points.

Current Defense Efforts Are Not Working

SpyCloud found that 81% of surveyed organizations were affected at least once in the past 12 months. Affected organizations include enterprises that utilized any business resources to combat ransomware, whether through security solutions or ransom payments.

“Despite organizations’ understanding of malware, security teams still lack visibility into the authentication data exposed by infections – and as such fail to consistently remediate stolen credentials and cookies as a means of preventing the account takeover and session hijacking attacks that lead to ransomware,” said Hilligoss. “While MFA, automation, and passwordless technologies are important precautions, none of them are infallible.”

Misaligned Priorities

Based on SpyCloud’s findings, detecting and addressing exposed authentication data should be the top priority for organizations looking to disrupt malicious actors. Yet only 19% of organizations said they were prioritizing improving visibility and remediation for malware-exfiltrated data.

While 79% of surveyed professionals are confident in their capabilities to prevent a ransomware attack in the next 12 months, SpyCloud found a misalignment between companies’ cyber defense priorities and criminals’ attack methods – which have shifted away from breached credentials to malware-stolen cookies that enable session hijacking.

By embracing next-generation malware response practices such as Post-Infection Remediation, SecOps teams can significantly improve their ransomware prevention outcomes and move faster to close the door on attackers while minimizing the cross-team resources that full-blown incidents consume.

The 2023 Ransomware Defense Report is available for download here.

To learn more about how SpyCloud helps organizations defend against ransomware, visit

About SpyCloud
SpyCloud transforms recaptured darknet data to protect businesses from identity-based cyberattacks. Its products deliver actionable insights that allow enterprises to proactively prevent ransomware and account takeover, protect their business from consumer fraud losses, and investigate cybercrime incidents. Its unique data from breaches, malware-infected devices, and other underground sources also powers many popular dark web monitoring and identity theft protection offerings. SpyCloud customers include half of the ten largest global enterprises, mid-size companies, and government agencies, and its solutions protect over four billion accounts globally. Headquartered in Austin, TX, SpyCloud is home to nearly 200 cybersecurity experts whose mission is to make the internet safer with automated solutions that help organizations combat cybercrime. To learn more and see insights on your company’s exposed data, visit