Infostealers: An Early Warning for Ransomware Attacks

Nearly a third of companies that fell victim to ransomware last year had at least one infostealer infection in the months prior to their attack.

Cyberattacks, but particularly ransomware attacks, only work when they're a surprise. It's why ransom notes through history have almost always opened by simply stating the facts: "Your network has been penetrated," or "Oops, your files have been encrypted." Companies with any notion that an attack is about to come can easily rebuff it simply by backing up and encrypting their files. That's why it's so interesting that, as SpyCloud notes in its 2024 "Malware and Ransomware Defense Report," nearly a third of all ransomware events last year were foreshadowed by an infostealer infection in the 16 weeks prior.

Infostealers before ransomware is a useful combination for attackers. What's less clear is whether it could be useful for defenders, to help reduce attackers' surprise advantage.

Ransomware's Canary?

In a recent attack observed by Sophos, the Qilin ransomware gang breached its target via a VPN portal. It waited 18 days, then deployed a custom infostealer to grab credentials from Google Chrome. Only later did it drop any actual ransomware.

High-level groups like Qilin might have the capacity for turnkey jobs, but perhaps more common are cases where initial access brokers (IABs) partner with ransomware actors to split things up.

Stephen Robinson, senior threat intelligence analyst at WithSecure, was investigating such a case last year. The perpetrator was a Vietnamese malware-as-a-service (MaaS) operation, delivering payloads like the DarkGate remote access Trojan (RAT) against companies in digital marketing. "The thing with [tools like] DarkGate is that it's one of those pieces of malware that will do infostealing or credential stealing, but also a bunch of other functions like cryptocurrency theft, and delivering ransomware," Robinson explains. The Vietnamese threat actors didn't have to perform ransomware attacks themselves. Instead, IABs like them can plant DarkGate — or RedLine, Qakbot, or Raccoon — far and wide, then sell the access they afford to the next baddies down the line, allowing both sides of the exchange to specialize in what they do best.

In its 2024 "Crypto Crime Report," blockchain analysis firm Chainalysis discovered "a correlation between inflows to IAB wallets and an upsurge in ransomware payments." For example, the ransomware group depicted in the chart below spent thousands of dollars with multiple IABs in the course of its multimillion-dollar campaigns.

Source: Chainalysis

"It definitely seems, to me at least, that this is trending upward," says Trevor Hilligoss, vice president of SpyCloud Labs. "It makes sense if you think about it. Malware-as-a-service is easy, it's cheap. A couple hundred bucks a month gets you access to a pre-built package for attacks, and a lot of these stealers have been adding more functionality."

Can Infostealers Be Used to Predict Ransomware?

The literally million-dollar question is this: If 30% of ransomware attacks are preceded by infostealers, can the presence of an infostealer in one's network be used to predict oncoming ransomware, giving defenders a window of time to prepare?

"It really depends on who you are," Hilligoss says. When an infostealer pops up on your network, "If you are an admin of a large, multinational insurance group, I would be very concerned, and I would think that ransomware is probably not too far away. If you're [an individual] person or you're a small business, your alarm would go down proportionally." Chainalysis suggested the same, writing that "monitoring IABs could provide early warning signs and allow for potential intervention and mitigation of attacks."

Robinson takes the less optimistic view, arguing that the first steps in an attack chain tend to look quite similar, no matter the threat actor.

"The issue is that someone gets access, steals some credentials, or installs a remote monitoring management tool (RMM). From that first step, you can't now predict what's going to come next," he says. "We had one case where a network was compromised by five or six different groups. There was North Korea, some cryptocurrency miners, there was a ransomware group, there was an IAB. And you couldn't tell what the next step was going to be for each one of them until they took it, because those first steps were all the same. And that's the thing with infostealers."

Either way, Hilligoss advises, "If you see this happens, then rapidly remediate. Find the exposure, figure out all of the data that was stolen from your network, go through it, and reset those credentials — reset those authentication tokens, reissue those API keys — as quickly as possible. That's going to make it really hard for a ransomware actor that has access to that information to actually use it."