Ransomware Solutions
Ransomware: How to Get Ahead of Cybercriminals
A recent survey of enterprise CISOs found that ransomware is the most concerning issue they face today. And for good reason: 90% of organizations were affected by ransomware in the last 12 months.
However, typical incident response plans often focus on the later stages of ransomware attacks because that’s when it’s evident that criminals have gotten into your enterprise. It’s typically only then that you may realize that your current detection measures weren’t enough.
To truly understand ransomware attacks, you must understand how criminals get in to begin with, particularly the ways that fall through the cracks of traditional ransomware solutions.
The Ransomware & Stolen Credentials Connection
Ransomware only works when bad actors gain access to your systems. The easiest way to gain unauthorized access is to use stolen login credentials. In a typical scenario, the ransomware operator obtains credentials through an initial access broker, who purchased or stole them and provides them to the operator for a fee. Once the bad actor has the credentials, they can install the ransomware.
As security efforts and budgets are increasing to fight ransomware, there is still a ransomware problem. Where is the disconnect?
The challenge is that many organizations have a false sense of security, thinking that layered defenses and traditional solutions for ransomware are enough to secure the perimeter. However, many of the applications businesses use fall outside the scope of traditional security monitoring tools, increasing the attack surface and opening the door for cybercriminals. It’s also important to consider that ransomware and cybercriminals’ methods continue to evolve and become more sophisticated.

Illuminating the Risk of Malware Data as a Precursor to Ransomware Attacks
Enterprises often lack visibility into malware compromises, especially when the infected devices are unmanaged. And even when malware is removed from a device, the damage has typically already been done – information siphoned from the machine including passwords, device and web session cookies, browser fingerprint, and many forms of personally identifiable information (PII) could already be on its way to the criminal underground. Stolen passwords, cookies and fingerprints in particular open the door for ransomware attacks.
Even if your Security Operations Center (SOC) team identifies the malware, wipes the infected device, and considers the issue resolved, the damage could actually just be starting if corporate credentials get into the hands of bad actors.
A machine-centric SOC process misses the full scope of what a malware-infected device compromises. Without the knowledge of all affected users on all devices – including personal/unmonitored devices – and workforce applications and third-party services like SSO, it’s impossible to confidently close the ticket.
Even with multiple ransomware prevention services and solutions as part of the security framework, the enterprise remains at risk until the full scope of compromised applications is identified and remediated.
Stages of a Ransomware Attack
Sometimes, attacks are purely opportunistic. An attacker may choose to infect a vulnerable organization because they encounter convenient credentials or have other potential access into their network. In other circumstances, the bad actors may go through various stages that follow a more complex attack pattern.


- Research + Reconnaissance
- Identify Entry Point
- Gain Access
- Escalate Privileges
- Network Propagation
- Destruction + Encryption
- Negotiation
- Aftermath
How to Prevent Ransomware Attacks
In today’s threat landscape, backups alone are not enough to fully recover from a ransomware attack. Neither is endpoint protection in a remote work world where employees are accessing corporate applications from personal devices outside of corporate control. Also, contractors and offshore vendors may be using under-managed or personal devices that can pose major security threats.
Since there is no one-size-fits-all when it comes to ransomware attack prevention, it is necessary to have a layered defense focused on quick remediation of exposed credentials and stolen cookies (we call it Post-Infection Remediation).
Steps to prevent ransomware attacks:
- Continuously monitor and remediate compromised credentials and stolen cookies
- Implement multi-factor authentication (MFA)
- Educate workforce on cybersecurity best practices
- Detect malware infections and stop the bleed with Post-Infection Remediation
Despite these multiple levels of prevention, ransomware continues to wreak havoc on organizations.
The Missing Link: Post-Infection Remediation
Once stolen data gets siphoned by malware, it doesn’t just go away. Data from malware infections gets traded on the criminal underground. And it remains valuable to criminals as long as the credentials and cookies remain active and in use.
Without access to the actual data that was siphoned by the malware, you are likely missing 70-80% of your compromised assets. A lot of guesswork would be needed to map the employee’s activity during the infection window to identify any compromised applications and remediate the exposed data. The applications themselves might be shadow IT, outside of corporate control, but still might have corporate information saved in them. But since they are unmanaged, you can’t fix what you can’t see.
Post-infection remediation is critical for incident response. For this, you need:
- Greater visibility of compromised third-party applications
- Ability to intervene on both corporate and unmanaged devices
- Significantly shorter enterprise exposure window
Enterprises need a solution to ransomware that facilitates the post-infection remediation of malware infections on both managed and unmanaged devices, mapping the connections between applications, machines, and users to help SOC teams visualize the scope of a threat at a glance and respond quickly.
Truly stopping ransomware requires identifying stolen data tied to an enterprise that is exposed on the dark web, so organizations can protect themselves from compromised credentials and hard-to-detect malware infections that serve as common precursors to ransomware attacks.
The only way to do that is to get alerts when data tied to your enterprise is recaptured from the darknet, so you can act on the data criminals are using to target your business.

With SpyCloud, you get enterprise-level, automated account takeover and ransomware prevention powered by Cybercrime Analytics based on actionable darknet insights.
SpyCloud offers the largest collection of recaptured darknet data in the world, combined with the earliest possible recovery. Our proprietary engine quickly ingests data from breaches, malware-infected devices, and other underground sources, then cleanses and enriches the data – adding context to the records so you understand the severity of the exposures (the source, breach description, and the actual password in plaintext). Our customers get notifications of compromised accounts and passwords far sooner with SpyCloud than any other provider.
Learn how SpyCloud's malware insights help EUROCONTROL prevent ransomware attacks.
Cybercrime Analytics-Powered Solutions
Compass
The enterprise north star in navigating ransomware prevention through Post-Infection Remediation.
Employee ATO Prevention
Protect your organization from breaches and BEC due to password reuse.
Resources

Our annual report shows a surprising increase in organizations that experienced multiple ransomware attacks, the costly impacts of ineffective countermeasures, and future plans to improve defenses.

Botnets are one of the tools that enable bad actors to carry out extensive infostealer attacks. We discuss the risks of botnets, infostealers, and malware infections, and how to close ransomware visibility gaps.

Handy guide to decipher what it means when employee or consumer information appears on a botnet log, and how to contact infected users with an action plan.