Stopping Criminals from Profiting Off Malware Requires a New Approach

By CW Walker, Director, Security Product Strategy at SpyCloud

The first three quarters of 2022 saw the total detection of over 62.29 million new types of malware – approximately 228,000 new threats every day.

While security teams and company leaders focus their attention on the mitigation of ransomware, stealer malware – the quiet precursor – slips through the cracks. Infections are often notoriously difficult to identify and seem to have no immediate consequences. In fact, large corporations, regardless of industry, may suffer from malware for years before an exposure is detected.

Many organizations overlook that ransomware is often a direct result of stealer malware infections. Cybercriminals use the information siphoned from exposed devices to carry out attacks, making proper malware remediation essential for a robust security strategy.

What’s worse, as enterprises deploy innovative solutions and tactics to prevent infection, companies with work-from-home policies and employees using BYOD or personal devices to access corporate applications often create new malware opportunities.

To combat this silent threat, enterprises need a new, more comprehensive remediation process that accounts for darkweb activity and provides more visibility into often unknown and ephemeral malware infections.

The Malware Landscape Is Evolving

One reason malware is difficult to detect is that there are very few indicators when a device is compromised.

For example, if an employee accidentally clicks on a link holding infostealer malware, the malware can install, siphon data, and uninstall itself in five to 10 seconds, leaving little to no evidence of the infection. In a matter of seconds, the employee’s credentials and session cookies are in cybercriminals’ hands.

Likewise, popular infostealers like RedLine Stealer malware are often deployed through phishing emails, links in social media comments, malvertising, or malicious YouTube “tutorials.” If an unaware employee downloads the malware, bad actors have free reign to use the stolen credentials and data to impersonate the user, decreasing the odds that they will be identified as suspicious.

While existing antivirus software offers protection against well-known types of malware, newer variations, such as Redline Stealer, Raccoon or Vidar are much more difficult to detect. Coupled with evolving botnet delivery methods that can evade detection and the fact that many malware infections occur outside of traditional, secure parameters, it’s no surprise companies are struggling to address the threat.

Another crucial aspect to consider is the ongoing threat of exposed data. Traditionally, wiping known malware from the infected device is the most common remediation approach, but it fails to address the already-siphoned information now in the hands of Initial Access Brokers (IABs).

IABs are individuals or groups who package malware-stolen data and sell it on the darkweb. Cybercriminals buy this freshly stolen data and are granted all the information needed for initial network access, making it easy to bypass industry-standard prevention methods like multi-factor authentication (MFA) and deploy ransomware.

As if that wasn’t enough, data sold by IABs is valuable as long as it has not been reset. For example, although the 2019 Facebook breach exposing millions of data points happened several years ago, it’s possible credentials stolen in that attack are still active, making it an ongoing threat to that platform, its employees and its users.

A recent rise of IABs illustrates the underlying factor driving the increasing frequency of malware attacks – a thriving underground economy that weaponizes and monetizes network access.

Current cybersecurity measures are unable to close the gaps that lead to initial malware infections and fail to account for the fallout after a device has been compromised. While endpoint detection and application security monitoring are being used as temporary solutions, it’s not enough.

The Bigger Picture Involves More Comprehensive Remediation

While employee education is the essential first step for a robust security defense, everyone makes mistakes. With the increasing frequency of malware attacks, it’s getting harder and harder to entirely avoid infection. Instead, leaders should proactively mitigate the threat with a Post-Infection Remediation (PIR) approach.

PIR is a series of steps woven within standard malware infection responses that aims to address the lasting threat of exposed data.

The approach works like this: once the Security Operations Center (SOC) has identified an infected device, the IT team takes the standard first step of clearing the infected device. Enterprises in parallel use darkweb monitoring tools and human intelligence (HUMINT) teams to scan the underground for stolen information. The solutions and teams find the user data and trace it back to the initially compromised asset.

Once armed with this knowledge, SOCs begin remediating all compromised credentials and applications impacted by the attack. This can include third-party workforce applications such as Single Sign-On (SSO), code repositories, payroll systems, VPNs, or remote access portals. If all exposed data is reset, it’s unlikely a full-blown ransomware attack will occur.

By going straight to the source of the threat – the darkweb – SOCs gain insight into all exposed devices and applications. SOCs may not monitor personal devices, but if the stolen data is linked to said device, teams can act to remediate these previously unseen entry points, better protecting the organization and the user.

PIR is more comprehensive than legacy, machine-centric malware response processes. Where these methods emphasize device remediation and neglect to consider user identity, PIR takes a more identity-centric approach, considering the personally identifiable information (PII) at risk.

Using this approach, leaders and executives can equip themselves for future success against evolving malware practices. Regardless of whether infected devices are being monitored, IT teams will have full visibility into the scope of the threat, significantly shortening the exposure window for ransomware and other critical threats while closing previously unseen security gaps.

About the Author

CW Walker, Director, Security Product Strategy at SpyCloud, is a cybersecurity and threat intelligence expert. He started his career in government as a threat intelligence analyst and has always been passionate about understanding and creating stories that can be told through the collection and analysis of interesting data. He has led teams of solutions engineers at multiple threat intelligence companies and currently supports SpyCloud’s cybersecurity product strategy. He holds a BS in Political Science and Economics and a Master’s Degree in Strategic Intelligence Studies.

CW can be reached online at https://www.linkedin.com/in/cwrwalker/ and for more information about SpyCloud, visit https://spycloud.com/.