Skip to main content

How to Get Ahead of Cybercriminals

A recent survey of enterprise CISOs found that ransomware is the most concerning issue they face today. And for good reason: 66% of organizations were hit by ransomware in 2021, compared to 37% in 2020. However, typical incident response plans often focus on the later stages of ransomware attacks because that’s when it’s evident that criminals have gotten in. It’s typically only then that you may realize that your current detection measures just weren’t enough. To truly understand ransomware attacks, you must understand how criminals can get in the first place, particularly the ways that fall through the cracks of traditional ransomware prevention strategies.

The Ransomware & Stolen Credentials Connection

Ransomware only works when bad actors gain access to your systems. The easiest way to get unauthorized access is to use stolen login credentials. In a typical scenario, the ransomware operator obtains credentials through an initial access broker, who has purchased or stolen them and provides them to the operator for a fee.

One of the most straightforward approaches to ransomware prevention is to treat it as a follow-on attack from another, more ubiquitous credential problem: account takeover (ATO). The goal of ATO is for criminals to perpetrate all manner of malicious activities, not limited to ransomware, without being detected. ATO often serves as a precursor to ransomware attacks.

Even with layered defenses, accounts and devices that put enterprises at risk are still getting compromised. Each compromised asset represents a critical attack vector:

Problem for Enterprises

Illuminating the Risk of Malware Data as a Precursor to Ransomware Attacks

Enterprises often lack visibility into malware compromises, especially when the infected devices are unmanaged. And even when malware is removed from a device, the damage has typically already been done – information siphoned from the machine including passwords, device and web session cookies, browser fingerprint, and many forms of personally identifiable information (PII) could already be on its way to the criminal underground. Stolen passwords, cookies and fingerprints in particular open the door for ransomware attacks.

Even if your Security Operations Center (SOC) team identifies the malware, wipes the infected device, and considers the issue resolved, the damage could actually just be starting if corporate credentials get into the hands of bad actors. 

A machine-centric SOC process misses the full scope of what a malware-infected device compromises. Without the knowledge of all affected users on all devices – including personal/unmonitored devices – and workforce applications and third-party services like SSO, it’s impossible to confidently close the ticket.

The enterprise remains at risk until the full scope of compromised applications are identified and remediated.

Stages of a Ransomware Attack

Sometimes, attacks are purely opportunistic. An attacker may choose to infect a vulnerable organization because they encounter convenient credentials or have other potential access into their network. In other circumstances, the bad actors may go through various stages that follow a more complex attack pattern. 

Stages of a Ransomware Attack

How to Prevent Ransomware Attacks

In today’s threat landscape, backups alone are not effective to recover from a ransomware attack. Neither is endpoint protection in a remote work world where employees are accessing corporate applications from personal devices outside of your control. A layered defense focused on credential management is required – one in which proactive monitoring and remediation of compromised credentials and malware-infected devices is considered essential. 

Continuously monitor and remediate compromised credentials and stolen cookies
Implement multi-factor
authentication (MFA)
Educate workforce on
cybersecurity best practices
Detect active and recent
malware infections

The Missing Link: Post-Infection Remediation

Once stolen data gets siphoned by malware, it doesn’t just go away. Data from malware infections gets traded on the criminal underground. And it remains valuable to criminals as long as the credentials and cookies remain active and in-use.

Without access to the actual data that was siphoned by the malware, you are likely missing 70-80% of your compromised assets. A lot of guesswork would be needed to map the employee’s activity during the infection window to identify any compromised applications and remediate the exposed data. The applications themselves might be shadow IT, outside of corporate control, but still might have corporate information saved in them. But since they are unmanaged, you can’t fix what you can’t see.

Post-infection remediation is critical for incident response. For this, you need:

  • Greater visibility of compromised third-party applications
  • Ability to intervene on both corporate and unmanaged devices
  • Significantly shorter enterprise exposure window


Enterprises need a solution that facilitates the post-infection remediation of malware infections on both managed and unmanaged devices, mapping the connections between applications, machines, and users to help SOC teams visualize the scope of a threat at-a-glance and respond quickly.

Truly stopping ransomware requires identifying stolen data tied to an enterprise exposed in the dark web so organizations can protect themselves from compromised credentials and hard-to-detect malware infections that serve as common precursors to ransomware attacks. The only way to do that is to have access to a comprehensive, constantly updated, real-time database of recaptured data.

With SpyCloud, you get enterprise-level, automated account takeover prevention powered by actionable darknet insights.

SpyCloud offers the largest collection of recaptured darknet data in the world, combined with the earliest possible recovery. Our proprietary engine quickly ingests data from breaches, malware-infected devices, and other underground sources, then cleanses and enriches the data – adding context to the records so you understand the severity of the exposures (the source, breach description, and the actual password in plaintext). Our customers get notifications of compromised accounts and passwords far sooner than any other provider.

Learn more about companies are using SpyCloud to prevent ransomware attacks

Learn how SpyCloud's malware insights help EUROCONTROL prevent ransomware attacks.

Featured Products

Employee ATO Prevention

Protect your organization from breaches and BEC due to password reuse.

VIP Guardian
VIP Guardian

Empower your highest-risk employees to secure their online identities.

Active Directory Guardian

Automatically detect and reset exposed Windows accounts.


Ransomware Defense Report Preview

Our annual report shows a surprising increase in organizations that experienced multiple ransomware attacks, the costly impacts of ineffective countermeasures, and future plans to improve defenses.


On-Demand Webinar: We break down the ransomware ecosystem, adversary groups’ latest tactics, and strategies to mitigate your risk and avoid paying millions to ransomware gangs.

Malware Infected User Guide

Handy guide to decipher what it means when employee or consumer information appears on a botnet log, and how to contact infected users with an action plan.