Ransomware Solutions

Ransomware: How to Get Ahead of Cybercriminals

A recent survey of enterprise CISOs found that ransomware is the most concerning issue they face today. And for good reason: 90% of organizations were affected by ransomware in the last 12 months.

However, typical incident response plans often focus on the later stages of ransomware attacks because that’s when it’s evident that criminals have gotten into your enterprise. It’s typically only then that you may realize that your current detection measures weren’t enough.

To truly understand ransomware attacks, you must understand how criminals can get in the first place, particularly the ways that fall through the cracks of traditional ransomware solutions.

2022 Ransomware
Defense Report
See highlights from our annual survey of 300+ security leaders from North America & the UK.

The Ransomware & Stolen Credentials Connection

Ransomware only works when bad actors gain access to your systems. The easiest way to gain unauthorized access is to use stolen login credentials. In a typical scenario, the ransomware operator obtains credentials through an initial access broker, who purchased or stole them, and provides the credentials to the operator for a fee. Once the bad actor has the credentials they can install the ransomware.

As security efforts and budgets are increasing to fight ransomware, there is still a ransomware problem. Where is the disconnect?

The challenge is that many organizations have a false sense of security thinking layered defenses and traditional solutions for ransomware are enough to secure the perimeter. However, many of the applications businesses use fall outside the scope of traditional security monitoring tools, increasing the attack surface and opening the door for cybercriminals. It’s also important to consider that ransomware and cybercriminals’ methods continue to evolve and become more sophisticated.

Illuminating the Risk of Malware Data as a Precursor to Ransomware Attacks

Enterprises often lack visibility into malware compromises, especially when the infected devices are unmanaged. And even when malware is removed from a device, the damage has typically already been done – information siphoned from the machine including passwords, device and web session cookies, browser fingerprint, and many forms of personally identifiable information (PII) could already be on its way to the criminal underground. Stolen passwords, cookies and fingerprints in particular open the door for ransomware attacks.

Even if your Security Operations Center (SOC) team identifies the malware, wipes the infected device, and considers the issue resolved, the damage could actually just be starting if corporate credentials get into the hands of bad actors. 

A machine-centric SOC process misses the full scope of what a malware-infected device compromises. Without the knowledge of all affected users on all devices – including personal/unmonitored devices – and workforce applications and third-party services like SSO, it’s impossible to confidently close the ticket.

Even with multiple ransomware prevention services and solutions as part of the security framework, the enterprise remains at risk until the full scope of compromised applications are identified and remediated.

Stages of a Ransomware Attack

Sometimes, attacks are purely opportunistic. An attacker may choose to infect a vulnerable organization because they encounter convenient credentials or have other potential access into their network. In other circumstances, the bad actors may go through various stages that follow a more complex attack pattern. 

Stages of a Ransomware Attack

Stages of a Ransomware Attack

Sometimes, attacks are purely opportunistic. An attacker may choose to infect a vulnerable organization because they encounter convenient credentials or have other potential access into their network. In other circumstances, the bad actors may go through various stages that follow a more complex attack pattern. 

Stages of a Ransomware Attack
Research + Reconnaissance
Ransomware Operator: In this stage, the attacker researches the company, including pulling job postings, social media posts, blog comments, press releases, company reports and may even make a list of employees mentioned on the company website and crawl the internet searching for their email addresses. The more they know about a victim, the better they can execute social engineering tactics, such as crafting believable phishing emails to lure them into clicking on a malicious link or opening a dangerous attachment. Criminals use this information to build a dossier on the organization, which may also include third-party contractors, suppliers and other vendors associated with the target company.
Identify Entry Point
Initial Access Brokers: Determining how to best gain access to a particular target without being detected is where IABs play a critical role. Often, these actors work directly on behalf of the ransomware gangs to find vulnerable systems or perform spear phishing campaigns or simply collect harvested credentials and databases from forums and resell them to ransomware gangs.
Gain Access
Ransomware Operator: Once access has been obtained, the next goal is to penetrate the network and establish a foothold. A common entry point is through a public-facing Remote Desktop Protocol (RDP) portal, a Citrix server, or a VNC portal. During this phase (sometimes outsourced, other times performed by ransomware operators themselves), the attacker executes malicious code on one or more systems. This often occurs through credential-based social engineering, most often spear phishing via email or internal messaging services, or by exploiting a software vulnerability. The attacker needs to ensure continued control over a newly compromised system. Typically, they establish a foothold by installing a backdoor or delivering malware to the victim.
Escalate Privileges
Ransomware Operator: Attackers often escalate their privileges through software vulnerabilities or credential exploits, such as password cracking. In many cases, passwords stored on a network have essentially been converted into sets of cryptographic hashes, which, when obtained by criminals, are long strings of scrambled characters that look nothing like the original password. Using various methods, the threat actors can either crack the passwords or use pass-the-hash attacks to obtain cleartext passwords. In an ideal scenario, threat actors will then be armed with a systems administrator’s credentials, giving them freedom to move laterally around the network without arousing suspicion.
Network Propagation
Ransomware Operator: Some malware includes self-propagating features, automatically infecting multiple systems in a network without any extra effort from the criminal actor. In other cases, the attacker may use their initial access to move from system to system within the compromised environment, scanning files to find exposed secrets, additional credentials or configurations. One of the key acts is to develop and deploy a backdoor to slip in and out of during the attack and, in some cases, return to the scene post-attack to inflict more damage. This could happen over a period of months.
Destruction + Encryption
Ransomware Operator: Once the attackers have completed their theft, the ransomware will be deployed and encryption begins. This is often the point when organizations realize they’re under attack. What are the signs your system may have been infected by ransomware? Filenames will change to show that they have been encrypted. You’ll see a mysterious ransom note file on your desktop called openme.txt or something similar, with instructions for how to communicate with the ransomware gang.
Negotiation: Criminals have turned to extortion tactics in recent years, such as threatening to leak victim names or expose potentially damaging information to the public or to competitors. The question for organizations remains the same: how much risk can you tolerate? If you’re a company losing millions of dollars per day or if lives are at stake, you are going to pay. You may be more likely to pay if you’ve got a cyber insurance policy that reimburses you, at least partly, for the payment. But even after paying the ransom, there is no guarantee your files will be returned.
Victim: The ransomware recovery process is costly and time-consuming. While costs vary, organizations can expect to pay for legal fees, lost business, customer outreach, and overall interruption of traditional business operations. Regardless of financial losses, it’s rare that organizations fully recover from a successful attack.

How to Prevent Ransomware Attacks

In today’s threat landscape, backups alone are not effective to fully recover from a ransomware attack. Neither is endpoint protection in a remote work world where employees are accessing corporate applications from personal devices outside of corporate control. Also, contractors and offshore vendors may be using under-managed or personal devices that can pose major security threats.

Since there is no one-size-fits-all when it comes to ransomware attack prevention, it is necessary to have a layered defense focused on quick remediation of exposed credentials and stolen cookies (we call it Post-Infection Remediation).

Steps to prevent ransomware attacks:
Continuously monitor and remediate compromised credentials and stolen cookies
Implement multi-factor
authentication (MFA)
Educate workforce on
cybersecurity best practices
Detect malware infections and stop the bleed with Post-Infection Remediation

Despite these multiple levels of prevention, ransomware continues to wreak havoc on organizations.

The Missing Link: Post-Infection Remediation

Once stolen data gets siphoned by malware, it doesn’t just go away. Data from malware infections gets traded on the criminal underground. And it remains valuable to criminals as long as the credentials and cookies remain active and in-use.

Without access to the actual data that was siphoned by the malware, you are likely missing 70-80% of your compromised assets. A lot of guesswork would be needed to map the employee’s activity during the infection window to identify any compromised applications and remediate the exposed data. The applications themselves might be shadow IT, outside of corporate control, but still might have corporate information saved in them. But since they are unmanaged, you can’t fix what you can’t see.

Post-infection remediation is critical for incident response. For this, you need:

  • Greater visibility of compromised third-party applications
  • Ability to intervene on both corporate and unmanaged devices
  • Significantly shorter enterprise exposure window

Enterprises need a solution to ransomware that facilitates the post-infection remediation of malware infections on both managed and unmanaged devices, mapping the connections between applications, machines, and users to help SOC teams visualize the scope of a threat at-a-glance and respond quickly.

Truly stopping ransomware requires identifying stolen data tied to an enterprise exposed in the dark web so organizations can protect themselves from compromised credentials and hard-to-detect malware infections that serve as common precursors to ransomware attacks.

The only way to do that is to get alerts when data tied to your enterprise is recaptured from the darknet, so you can act on the data criminals are using to target your business.

With SpyCloud, you get enterprise-level, automated account takeover and ransomware prevention powered by Cybercrime Analytics based on actionable darknet insights.

SpyCloud offers the largest collection of recaptured darknet data in the world, combined with the earliest possible recovery. Our proprietary engine quickly ingests data from breaches, malware-infected devices, and other underground sources, then cleanses and enriches the data – adding context to the records so you understand the severity of the exposures (the source, breach description, and the actual password in plaintext). Our customers get notifications of compromised accounts and passwords far sooner with SpyCloud than any other provider.

0 +
0 +


0 +


0 +
Data Types

Learn how SpyCloud's malware insights help EUROCONTROL prevent ransomware attacks.

Cybercrime Analytics-Powered Solutions


The enterprise north star in navigating ransomware prevention through Post-Infection Remediation.

Employee ATO Prevention

Protect your organization from breaches and BEC due to password reuse.

VIP Guardian

Empower your highest-risk employees to secure their online identities.

Active Directory Guardian

Automatically detect and reset exposed Windows accounts.


Ransomware Defense Report Preview

Our annual report shows a surprising increase in organizations that experienced multiple ransomware attacks, the costly impacts of ineffective countermeasures, and future plans to improve defenses.


Botnets are one of the tools that enable bad actors to carry out extensive infostealer attacks. We discuss the risks of botnets, infostealers, and malware infections, and how to close ransomware visibility gaps.

Malware Infected User Guide

Handy guide to decipher what it means when employee or consumer information appears on a botnet log, and how to contact infected users with an action plan.