USE CASE: RANSOMWARE PREVENTION

Disrupt the Ransomware Attack Chain with Identity Threat Protection

Ransomware doesn’t begin with file encryption – it begins with compromised identities. SpyCloud stops ransomware before it starts by detecting and remediating exposed credentials, session cookies, and personal data that adversaries use to gain a foothold.

Whether the exposure results from malware, phishing, or a third-party breach, reclaiming control over exposed data means you can cut off initial access, stop lateral movement, and prevent escalation – keeping your organization one step ahead.

Take down ransomware risk at the root

Ransomware attacks often stem from infostealer infections; in fact, recent research found that one-third of ransomware events were preceded by a stealer infection in the previous 16 weeks.

By remediating malware-compromised users and applications early, you can prevent these infections from escalating into a full-blown ransomware attack. 

Early malware infection detection

Uncover user identities affected by infostealer malware that can stealthily exfiltrate credentials and cookies

Proactive remediation

Stop attackers from using stolen authentication data to move laterally or escalate privileges

Accelerated incident response

Integrate actionable identity insights into your workflows to shrink dwell time and minimize ransomware risk

EXPLORE PRODUCTS

SpyCloud’s identity intelligence is your ransomware early warning signal. Cut off initial access by remediating exposed identity data and malware-compromised apps.

Compass Malware Remediation

Neutralize malware threats before they escalate into costly ransomware incidents

Employee ATO Prevention

Stop cybercriminals from using stolen credentials to take over accounts and escalate ransomware campaigns

Employee Session Identity Protection

Protect session cookies that attackers use to bypass MFA and gain initial access

Whenever we get an alert from [SpyCloud] we always follow it up as it is always fresh intel. Using SpyCloud helps us break into the cycle of identity access brokers and remediate compromised accounts before they are used against us.

TRUSTED BY HUNDREDS OF GLOBAL INDUSTRY LEADERS

EXPLORE WHO USES SPYCLOUD

Defenders we help

SpyCloud is the trusted partner for security leaders, practitioners, and service providers across every industry in the global fight to defeat ransomware and cybercrime.

SOC & Incident response

Accelerate time-to-detection and containment of infostealer infections

Cyber threat intel

Get actionable intelligence to proactively block ransomware attempts

Managed security providers

Offer clients proactive protection with infection insights and ransomware prevention capabilities

Integrations

We integrate into your existing security tools and workflows so you can accelerate incident response and shut down hidden entry points. Easily add SpyCloud via plug-and-play integrations with leading security platforms.

Next steps

Ransomware starts with identity exposure – end it there

Ransomware Prevention FAQs

Sometimes attacks are purely opportunistic: an attacker may target an organization simply because they have come across working credentials or another convenient way into its network. In other cases the attackers follow a more deliberate, multi-stage pattern:

1. Research + Reconnaissance
In this stage the attacker researches the company: job postings, social media posts, blog comments, press releases and company reports. They may compile a list of employees named on the company website and crawl the internet for those employees' email addresses. The more they know about a victim, the more convincing their social engineering, such as a believable phishing email that lures a target into clicking a malicious link or opening a dangerous attachment. Criminals use this information to build a dossier on the organization, which may also cover third-party contractors, suppliers and other vendors associated with the target company.

2. Identify Entry Point
Determining how best to gain access to a particular target without being detected is where initial access brokers (IABs) play a critical role. These actors may work directly on behalf of ransomware gangs, finding vulnerable systems or running spear phishing campaigns, or they may simply collect harvested credentials and database dumps from underground forums and resell that access to ransomware gangs.

3. Gain Access
Once an entry point has been identified, the next goal is to get into the network and establish a foothold. Common entry points are public-facing Remote Desktop Protocol (RDP) portals, Citrix servers and VNC endpoints, typically reached with stolen credentials. During this phase (sometimes outsourced, other times performed by the ransomware operators themselves) the attacker executes malicious code on one or more systems, most often via credential-based social engineering such as spear phishing over email or internal messaging, or by exploiting a software vulnerability. To keep control of a newly compromised system, the attacker then installs a backdoor or delivers additional malware.

4. Escalate Privileges
Attackers often escalate their privileges through software vulnerabilities or by abusing credentials. Systems store passwords as cryptographic hashes rather than in cleartext, and a dumped hash is a long string of characters that looks nothing like the original password. Threat actors can crack those hashes offline with wordlists and GPUs to recover cleartext passwords, or, on Windows networks, skip cracking altogether with pass-the-hash, which uses the NT hash itself to authenticate over NTLM without ever recovering the password. Either way, once the threat actor holds a systems administrator's credential or hash, they are free to move laterally around the network without arousing suspicion.

5. Network Propagation
Some malware includes self-propagating features, automatically infecting multiple systems in a network without any extra effort from the criminal actor. In other cases the attacker uses their initial access to move from system to system within the compromised environment, scanning files for exposed secrets, additional credentials or configurations. A key step is deploying a backdoor so the attacker can come and go during the intrusion and, in some cases, return after the attack to inflict more damage. This phase can stretch over months.

6. Destruction + Encryption
Once the attackers have finished stealing data, they deploy the ransomware and encryption begins. This is often the point at which organizations realize they are under attack. What are the signs your systems have been hit by ransomware? Filenames change to show that the files have been encrypted, typically by gaining a new extension, and a ransom note file appears on the desktop or in affected folders, called openme.txt or something similar, with instructions for contacting the ransomware gang.
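The two signs named above, renamed files and a dropped note, are what a file-telemetry detection should key on before an entire share is encrypted. The Python below is an added example, not SpyCloud code: it runs over constructed EDR/Sysmon-style file-rename and file-create records and raises an alert when one process renames many files to a single new, unfamiliar extension within a short window, or writes a file whose name matches common ransom-note stems. The process names, paths, thresholds and note-name patterns are assumptions to tune per environment; ransom-note names vary by family.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ransom-note name stems (assumption: tune per environment; "readme" alone will hit dev repos).
NOTE_PATTERN = re.compile(
    r"(openme|read_?me|how_?to_?(recover|decrypt|restore)|decrypt_?(instructions|files)|restore_?files)", re.I)
# Extensions a rename may land on without counting toward the mass-rename score (assumption).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt", ".zip", ".bak", ".tmp"}
RENAME_THRESHOLD = 20            # renames to one new extension by one process ...
WINDOW = timedelta(seconds=60)   # ... within this window triggers an alert


def _name(path):
    """Basename that works for Windows and UNC paths regardless of host OS."""
    return re.split(r"[\\/]", path)[-1]


def _ext(path):
    name = _name(path)
    return name[name.rfind("."):].lower() if "." in name else ""


def detect(events):
    """events: dicts with ts (ISO-8601), pid, proc, action ('rename' | 'create'), path,
    and new_path for renames. Returns a list of alert strings."""
    alerts = []
    renames = defaultdict(list)  # (pid, proc, new_ext) -> rename timestamps
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["action"] == "create" and NOTE_PATTERN.search(_name(e["path"])):
            alerts.append(f"ransom-note candidate {_name(e['path'])} written by {e['proc']} (pid {e['pid']})")
        elif e["action"] == "rename":
            old_ext, new_ext = _ext(e["path"]), _ext(e["new_path"])
            # An extension appended or swapped to something outside the allowlist is the encryption artefact.
            if new_ext and new_ext != old_ext and new_ext not in KNOWN_EXTENSIONS:
                renames[(e["pid"], e["proc"], new_ext)].append(ts)
    for (pid, proc, ext), times in renames.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                alerts.append(f"mass rename to '{ext}': {end - start + 1} files within "
                              f"{int(WINDOW.total_seconds())}s by {proc} (pid {pid})")
                break
    return alerts


def sample_events():
    """Constructed telemetry: Word saving two files via temp-file rename, then a rogue process
    renaming 25 spreadsheets to .locked in 25 seconds and dropping a note."""
    base = datetime(2024, 5, 1, 2, 13, 0)
    ev = []
    for i in range(2):
        ev.append({"ts": (base + timedelta(seconds=i)).isoformat(), "pid": 4120, "proc": "WINWORD.EXE",
                   "action": "rename", "path": f"C:\\Users\\jsmith\\Documents\\~WRD{i}.tmp",
                   "new_path": f"C:\\Users\\jsmith\\Documents\\report{i}.docx"})
    for i in range(25):
        ev.append({"ts": (base + timedelta(seconds=5 + i)).isoformat(), "pid": 9912, "proc": "svchosts.exe",
                   "action": "rename", "path": f"\\\\FS01\\share\\finance\\q{i}.xlsx",
                   "new_path": f"\\\\FS01\\share\\finance\\q{i}.xlsx.locked"})
    ev.append({"ts": (base + timedelta(seconds=31)).isoformat(), "pid": 9912, "proc": "svchosts.exe",
               "action": "create", "path": "\\\\FS01\\share\\finance\\OPENME.txt"})
    return ev


if __name__ == "__main__":
    for line in detect(sample_events()):
        print(line)
```

The benign Word saves are ignored because the rename lands on an allowlisted extension; the rogue process trips the threshold on its twentieth rename, well before the share is fully encrypted, and the note drop is flagged independently so either indicator alone can page the SOC.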

7. Negotiation
Criminals have turned to extortion tactics in recent years, such as threatening to publish victim names or leak potentially damaging information to the public or to competitors. The question for organizations remains the same: how much risk can you tolerate? If you are losing millions of dollars a day, or if lives are at stake, you are going to pay. You may be more likely to pay if you hold a cyber insurance policy that reimburses at least part of the payment. But even after paying the ransom there is no guarantee you will receive a working decryptor, and no guarantee that the stolen data will be deleted rather than leaked or sold anyway.

8. Aftermath
The ransomware recovery process is costly and time-consuming. While costs vary, organizations can expect to pay for legal fees, lost business, customer outreach, and overall interruption of traditional business operations. Regardless of financial losses, it’s rare that organizations fully recover from a successful attack.

There is no one-size-fits-all when it comes to ransomware attack prevention, but it’s necessary to have a layered defense focused on quick remediation of exposed credentials and stolen cookies (we call it Post-Infection Remediation).

Steps to prevent ransomware should include:

  • Continuously monitor and remediate compromised credentials and stolen cookies
  • Implement multi-factor authentication (MFA)
  • Educate workforce on cybersecurity best practices
  • Detect malware infections and stop the bleed with Post-Infection Remediation

Once stolen data gets siphoned by malware, it doesn’t just go away. Data from malware infections gets traded on the criminal underground by Initial Access Brokers. And it remains valuable to criminals as long as the credentials and cookies remain active and in-use.
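The last two points above, that remediation must cover stolen cookies and that stolen data stays useful for as long as the cookies remain active, are easy to get wrong in practice because a password reset does not touch sessions issued before it. The Python below is an added example, not SpyCloud code: a minimal HMAC-signed session cookie with a per-user "not valid before" cut-off, walked through a timeline in which an infostealer exfiltrates a logged-in user's cookie. The signing key, user, passwords and timestamps are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # constructed; a real service keeps this in a secrets manager
MAX_AGE = 12 * 3600                                  # assumption: cookies live at most 12 hours


def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class SessionStore:
    """Stateless HMAC-signed session cookies plus a per-user revocation cut-off."""

    def __init__(self):
        self.password = {}    # user -> password (stand-in for a proper password hash)
        self.not_before = {}  # user -> epoch seconds; cookies issued before this are dead

    def login(self, user, password, mfa_ok, now):
        """Password and MFA are checked once, here. The cookie is the only proof of both afterwards."""
        if self.password.get(user) != password or not mfa_ok:
            return None
        payload = json.dumps({"sub": user, "iat": now}, separators=(",", ":")).encode()
        sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        return b64(payload) + "." + b64(sig)

    def verify(self, cookie, now):
        """Returns the user for a valid cookie, else None. Note that MFA is not re-prompted."""
        try:
            p64, s64 = cookie.split(".")
            payload, sig = unb64(p64), unb64(s64)
            claims = json.loads(payload)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None
        if now - claims.get("iat", 0) > MAX_AGE:
            return None
        # Anything issued before the user's cut-off is refused, however valid its signature.
        if claims.get("iat", 0) < self.not_before.get(claims.get("sub"), 0):
            return None
        return claims["sub"]

    def reset_password(self, user, new_password):
        self.password[user] = new_password  # changes future logins only; outstanding cookies still work

    def revoke_sessions(self, user, now):
        self.not_before[user] = now         # the post-infection step that actually kills the stolen cookie


def scenario():
    """Timeline: legitimate MFA login, cookie stolen, replayed, password reset, sessions revoked."""
    t0 = 1_700_000_000
    store = SessionStore()
    store.password["jsmith"] = "Summer2024!"
    cookie = store.login("jsmith", "Summer2024!", mfa_ok=True, now=t0)
    stolen = cookie  # exfiltrated from the browser profile by an infostealer
    r = {}
    r["replay_ok"] = store.verify(stolen, t0 + 3600) == "jsmith"              # attacker is in, no MFA prompt
    store.reset_password("jsmith", "Autumn2024!")
    r["replay_after_reset"] = store.verify(stolen, t0 + 3700) == "jsmith"     # reset alone changes nothing
    store.revoke_sessions("jsmith", t0 + 3800)
    r["replay_after_revoke"] = store.verify(stolen, t0 + 3900) == "jsmith"    # cookie is now dead
    fresh = store.login("jsmith", "Autumn2024!", mfa_ok=True, now=t0 + 4000)
    r["fresh_login_ok"] = store.verify(fresh, t0 + 4001) == "jsmith"          # the real user can still log in
    tampered = stolen[:-3] + ("BBB" if stolen.endswith("AAA") else "AAA")
    r["tampered_rejected"] = store.verify(tampered, t0 + 4002) is None        # forged signature fails
    return r


if __name__ == "__main__":
    print(scenario())
```

The replay succeeding after the password reset is the whole point: when an infection exposes a user, the remediation workflow has to bump the session cut-off (or delete server-side sessions) for that user and for every application whose cookies were in the stolen browser profile, and that same cut-off should also be applied when rotating the cookie-signing key.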