Post-Infection Remediation

Inside the new paradigm for preventing ransomware

The Game Has Changed For Security Operation Centers

Enterprises have the basics covered: data backups, EDR, user training, phishing detection, and threat intel. But cybercriminals’ tactics have changed, and companies that haven’t adapted are already paying a steep price.

When’s the last time your security tools and intelligence alerted you to an unexpected ransomware entry point – like a set of stolen credentials for your code repository or a stolen cookie for your SSO? This data is being siphoned from employee, vendor and contractor machines infected with infostealers.

This lack of visibility is the biggest blind spot in ransomware prevention strategies.

What Is Post-Infection Remediation?

Post-Infection Remediation is SpyCloud’s critical addition to malware infection response – making it possible to understand, visualize, and act on the full scope of the infection’s threat to your business.

Post-Infection Remediation provides a framework of additional steps to existing incident response protocols, designed to negate opportunities for ransomware and other critical threats by resetting the application credentials and invalidating session cookies siphoned by infostealer malware. This optimized remediation enables the SOC to seamlessly and comprehensively neutralize the risk of ransomware from these exposures.

It’s an approach uniquely enabled by SpyCloud’s Cybercrime Analytics. We alert security teams each time a malware infection arises on a device accessing your workforce applications. The alerts deliver definitive evidence of entry points to your organization: detailed information about the device, along with the siphoned authentication details for the applications that matter to your business – password managers, security tools, marketing and customer databases, learning and collaboration applications, and HR and payroll systems, to name a few.

As a result of Post-Infection Remediation, security teams can now disrupt cybercriminals attempting to harm businesses.

Organizations may not be aware that undetected malware infections on personal devices represent a risky gap in ransomware prevention strategies. Once the siphoned data is circulated on the dark web, criminals can use it for more destructive activities – including their next ransomware attack.
Ted Ross, SpyCloud CEO & Co-Founder

Post-Infection Remediation Demands New Capabilities

Visibility Into Malware-Exposed Workforce Applications

You can’t fix what you can’t see. What’s required for true risk reduction is real-time alerts with detailed evidence of exposed applications – including siphoned third-party logins and stolen cookies that create exponential risk as long as they remain in the hands of criminals.

Identity at the

Today’s machine-centric malware infection response ends when a compromised device is reimaged. With Post-Infection Remediation, you can shift your infection response paradigm to one that’s identity-centric – mitigating organizational risk from exposures tied to the malware victim’s identity.

Action to Stop Further Attacks

If you don’t act on stolen authentication data to prevent its use in future ransomware attacks, you’re left with a false sense of security that leaves the door open for attackers. With Post-Infection Remediation, the required action becomes clear: reset the credentials and invalidate the sessions for every exposed application and user.

An Example of Post-Infection Remediation

Scenario: Single Sign-On Exposure

An organization leverages SSO to enable users to access many corporate applications via one set of credentials. An HR manager is infected with infostealer malware, allowing the cybercriminal to acquire a session cookie for the SSO instance, which then gives them direct access to dozens of other applications, including the payroll system, benefits service (housing sensitive employee PII), the applicant tracking application, and much more. As a result, the criminal gains access to data that can be sold to ransomware operators to use for employee impersonation, or more directly, in attempts to divert payroll to a criminal’s account. 

SpyCloud-Enabled Post-Infection Remediation Steps:

The security team should swiftly notify the employee of the malware infection and isolate their device. After removing the malware:

1. Invalidate SSO Sessions

Clear the user’s sessions on all devices. This invalidates the cookie siphoned by the malware and locks the bad actor out of the SSO portal that grants access to multiple corporate applications.

2. Reset SSO Password

Require the user to reset their password.

3. Review Access Logs

Review the user’s activity and access within the scope of the application. Confirm that all access was driven by the user and coming from their expected IP addresses and devices.

4. Repeat Steps 1-3 for Each Application Accessible Via SSO

Because the malware siphoned an active SSO session cookie that enables access to every application in the SSO portal, the organization must assume that all applications the HR manager had access to are compromised. Clear the sessions and require password resets for each, and periodically review the login histories for suspicious activity.
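The access-log review and per-application worklist described in the steps above can be scripted once SSO access events are exported. The following is an added example, not SpyCloud's code or part of the original page; the event field names, the infection-time cutoff, the expected network and device values, and the sample events are all constructed assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample events; field names are assumptions, not a real IdP log schema.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:02:00", "user": "hr.manager", "app": "payroll",
     "ip": "203.0.113.10", "device": "LAPTOP-HR-07", "session": "s-100"},
    {"ts": "2024-03-04T08:55:00", "user": "hr.manager", "app": "benefits",
     "ip": "203.0.113.10", "device": "LAPTOP-HR-07", "session": "s-101"},
    # Same session id replayed from an unexpected IP and device.
    {"ts": "2024-03-04T23:41:00", "user": "hr.manager", "app": "payroll",
     "ip": "198.51.100.77", "device": "unknown", "session": "s-101"},
    {"ts": "2024-03-05T02:13:00", "user": "hr.manager", "app": "applicant-tracking",
     "ip": "198.51.100.77", "device": "unknown", "session": "s-101"},
    {"ts": "2024-03-05T09:00:00", "user": "it.admin", "app": "payroll",
     "ip": "192.0.2.5", "device": "LAPTOP-IT-01", "session": "s-200"},
]


def review_access(events, user, infected_at, expected_networks, expected_devices):
    """Build the remediation worklist for one infected user."""
    networks = [ip_network(n) for n in expected_networks]
    cutoff = datetime.fromisoformat(infected_at)
    apps, sessions, suspicious = set(), set(), []
    for ev in events:
        if ev["user"] != user:
            continue
        # Every app and session the user touched is assumed exposed (steps 1, 2, 4).
        apps.add(ev["app"])
        sessions.add(ev["session"])
        if datetime.fromisoformat(ev["ts"]) < cutoff:
            continue
        # Step 3: access must come from an expected IP range and an expected device.
        ip_ok = any(ip_address(ev["ip"]) in net for net in networks)
        if not (ip_ok and ev["device"] in expected_devices):
            suspicious.append(ev)
    return {"apps_to_reset": sorted(apps),
            "sessions_to_revoke": sorted(sessions),
            "suspicious_events": suspicious}


if __name__ == "__main__":
    report = review_access(SAMPLE_EVENTS, "hr.manager", "2024-03-03T00:00:00",
                           ["203.0.113.0/24"], {"LAPTOP-HR-07"})
    print("Reset + clear sessions for:", report["apps_to_reset"])
    print("Revoke sessions:", report["sessions_to_revoke"])
    for ev in report["suspicious_events"]:
        print("REVIEW", ev["ts"], ev["app"], ev["ip"], ev["device"])
```

In the sample data, session `s-101` appears first from the expected laptop and later from an unfamiliar address, which is the pattern a replayed session cookie leaves in access logs.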

SpyCloud Enterprise Protection With Post-Infection Remediation

SpyCloud Enterprise Protection, powered by Cybercrime Analytics, stops bad actors from disrupting business productivity with cyberattacks. Our solution includes Employee ATO Prevention, Compass, and Integrations, available in a single pane of glass that delivers instant discovery and agentless implementation. With SpyCloud’s Post-Infection Remediation, enterprises are empowered to remediate infections with confidence and proactively prevent ransomware.
