The Malware That Watches Before It Strikes: Infostealer Infections and Canadian SMB Ransomware Risk

By Anton Kuznetsov

Most ransomware attacks on Canadian businesses do not begin with a dramatic intrusion. They begin quietly — weeks or months before the ransom demand appears — with a piece of malware called an infostealer that no one noticed. Understanding that timeline changes how you think about ransomware prevention.

What an Infostealer Does

An infostealer is a category of malware engineered to harvest credentials, session cookies, and sensitive data from an infected device without triggering visible symptoms. Unlike ransomware, which announces itself, or destructive malware, which causes visible damage, infostealers are designed to be invisible. Their job is to collect and transmit data silently over weeks or months.

The most widely deployed infostealer families in 2025 — Lumma, RedLine, Raccoon, and Vidar — typically arrive via phishing emails, malicious ads (malvertising), cracked software downloads, or fake browser and extension update prompts. Once installed, they extract:

  • Saved passwords from Chrome, Edge, Firefox, and Safari browser vaults
  • Session cookies — the authentication tokens that keep users logged into web applications
  • VPN credentials and configuration files
  • Cloud service API keys and access tokens
  • Cryptocurrency wallet keys
  • Autofill data, including financial details and addresses

The stolen data is packaged into a compressed archive called a "log", organized by application and usually accompanied by a profile of the victim machine, and transmitted to a criminal server. Logs are then sold on dark web marketplaces or used directly by the operators.
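What a responder does with a log is triage it: which business accounts does it expose, which sessions are live, and is the exposed password also used on personal sites? The script below is an added example, not code from the original post. The folder layout, the URL/USER/PASS credential format and the Netscape cookie format are assumptions modelled on common stealer output, the organisation's domains are hypothetical, and the archive is constructed in memory so the script runs offline with no real victim data.

```python
"""Triage a stealer 'log' archive: which business accounts and live sessions does it expose?

Added example. Archive layout, file formats and domains are assumptions; the sample
archive is constructed below rather than taken from any real infection.
"""
import io
import re
import zipfile
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical organisation: its own domain plus the identity provider it signs in through.
BUSINESS_DOMAINS = {"example-corp.com", "login.microsoftonline.com"}

# Constructed sample content: one saved-password file, one Netscape-format cookie file.
SAMPLE_PASSWORDS = """\
URL: https://login.microsoftonline.com/
USER: jdoe@example-corp.com
PASS: Winter2025!

URL: https://www.some-shop.example/account
USER: jdoe@gmail.com
PASS: Winter2025!

URL: https://vpn.example-corp.com/remote/login
USER: jdoe
PASS: Winter2025!
"""
SAMPLE_COOKIES = """\
# Netscape HTTP Cookie File
.login.microsoftonline.com\tTRUE\t/\tTRUE\t1767225600\tESTSAUTH\tconstructed-token-value
.some-shop.example\tTRUE\t/\tFALSE\t1767225600\tsession\tabc123
"""

ENTRY_RE = re.compile(
    r"URL:[ \t]*(?P<url>\S+)[ \t]*\n"
    r"USER:[ \t]*(?P<user>[^\n]*?)[ \t]*\n"
    r"PASS:[ \t]*(?P<pw>[^\n]*?)[ \t]*(?:\n|$)"
)


def build_sample_log() -> bytes:
    """Pack the constructed files the way stealer logs are typically organised: per application."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Browsers/Chrome/Passwords.txt", SAMPLE_PASSWORDS)
        z.writestr("Browsers/Chrome/Cookies/Default.txt", SAMPLE_COOKIES)
    return buf.getvalue()


def parse_passwords(text: str):
    """Yield (host, username, password) for each URL/USER/PASS block."""
    for m in ENTRY_RE.finditer(text):
        host = (urlparse(m.group("url")).hostname or "").lower()
        yield host, m.group("user"), m.group("pw")


def parse_cookies(text: str):
    """Yield (domain, cookie name) from Netscape cookie lines; the value itself is never needed."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        yield fields[0].lstrip(".").lower(), fields[5]


def is_business(host: str, domains=BUSINESS_DOMAINS) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(archive: bytes, domains=BUSINESS_DOMAINS) -> dict:
    """Return what the responder needs: accounts to reset, sessions to revoke, reuse evidence."""
    accounts, sessions = set(), set()
    hosts_by_password = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        for name in z.namelist():
            text = z.read(name).decode("utf-8", errors="replace")
            if name.endswith("Passwords.txt"):
                for host, user, pw in parse_passwords(text):
                    hosts_by_password[pw].add(host)
                    if is_business(host, domains):
                        accounts.add((host, user))
            elif "/Cookies/" in name:
                for host, cookie_name in parse_cookies(text):
                    if is_business(host, domains):
                        sessions.add((host, cookie_name))
    # A password seen on a business host and on a personal site is a reuse finding.
    reuse = any(
        any(is_business(h, domains) for h in hosts) and any(not is_business(h, domains) for h in hosts)
        for hosts in hosts_by_password.values()
    )
    return {
        "accounts_to_reset": sorted(accounts),
        "sessions_to_revoke": sorted(sessions),
        "business_password_reused_on_personal_site": reuse,
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_log()).items():
        print(f"{key}: {value}")
```

Run against the constructed archive, the triage names the Microsoft 365 account and the VPN login for reset, flags the live ESTSAUTH sign-in cookie for revocation, and reports that the same password was also saved for a personal shop. Real logs vary in layout between families, so the parsers are the part you adapt; the triage logic stays the same.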

The Direct Link Between Infostealers and Ransomware

The 2026 Verizon Data Breach Investigations Report, which analyzed more than 31,000 security incidents and 22,000 confirmed data breaches across 145 countries, identified a critical pattern: 73% of ransomware victims had an associated infostealer infection or credential leak event in the 12 months prior to the ransomware attack. Of those, 50% experienced the credential event within 95 days of the attack.

The attack sequence looks like this:

1. An employee device is infected with infostealer malware, often going undetected

2. Credentials and session cookies are extracted and sold on criminal marketplaces

3. A ransomware affiliate purchases the access

4. The actor authenticates to your VPN, RDP, or cloud environment using stolen credentials

5. They move laterally, escalate privileges, exfiltrate data, then deploy ransomware

The ransomware event is not the beginning of the attack. It is the final act of a compromise that began weeks or months earlier — with a malware infection no one detected.

The Verizon DBIR adds a further detail worth noting: small organizations in its dataset had a median of 7 credential leak events per year. For most Canadian SMBs, this is not a question of whether credentials have been compromised — it is a question of whether the organization would know.

The Scale of the Credential Marketplace

The criminal ecosystem feeding this pipeline has reached industrial scale. The IBM X-Force Threat Intelligence Index 2026 found that infostealer malware led to the advertisement of more than 300,000 stolen ChatGPT credential sets on dark web marketplaces in 2025 alone. Raccoon and Vidar were identified as primary malware families behind this wave, specifically targeting browser-stored credentials for SaaS platforms alongside traditional enterprise tools. The practical conclusion is that AI services now carry the same credential risk profile as core enterprise applications.

The implication is direct: any organization with employees using browser-saved passwords for work applications has likely already contributed logs to these marketplaces without knowing it.

Why Canadian SMBs Are Disproportionately Exposed

Three factors create elevated infostealer exposure for Canadian SMBs specifically:

BYOD policies without security baseline enforcement. Many Canadian SMBs allow employees to use personal devices for work applications, or have no formal device management policy. Personal devices frequently run outdated software, lack endpoint detection coverage, and have browser vaults mixing personal and work credentials. When a personal device running a synchronized work browser profile is infected, the resulting log contains credentials for business VPNs, Microsoft 365, cloud platforms, and internal applications.

Password reuse between personal and work accounts. The CCCS Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089), v1.2 lists strong unique passphrases as a baseline requirement precisely because credential reuse between personal and business accounts remains widespread. A personal account compromised in an unrelated consumer data breach becomes a business system credential if the same password is used.

No visibility into credential compromise. Enterprise security programs run automated dark web monitoring that alerts security teams when employee credentials appear on criminal marketplaces. Most Canadian SMBs have no equivalent — meaning compromised credentials may circulate for months before the business is aware. Statistics Canada's 2023 Canadian Survey of Cyber Security and Cybercrime found that only 26% of Canadian businesses had written cybersecurity policies in place. Undetected credential exposure is a direct operational consequence of that gap.

The Session Cookie Problem That Bypasses MFA

One reason infostealers are particularly dangerous even for organizations that have deployed MFA: they do not need to defeat MFA at all. Alongside saved passwords, they steal the session cookie the browser holds after a successful login, a cookie that is only issued once MFA has already been passed.

Session cookies are the tokens that tell Microsoft 365, Google Workspace, your VPN portal, and every other web application that you have already authenticated, MFA included. When an infostealer extracts a live session cookie from your browser, an attacker can import that cookie into their own browser and use your session directly, with no password and no MFA challenge, for as long as the cookie stays valid.

This is distinct from adversary-in-the-middle phishing, which intercepts tokens at login. Infostealers capture them from browser storage and memory after login, so even a user with phishing-resistant hardware keys remains exposed if an infostealer is running on their device: the key protected the sign-in, not the session that resulted from it. The Microsoft Digital Defense Report 2025 documents the rise of token theft as a primary attack technique, noting that captured session tokens can maintain attacker access for hours or days before detection. A replayed cookie is not invisible, though. The session suddenly arrives from a new IP address, browser and device without any fresh MFA event, and that is the signal detection has to key on.
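The detection logic that follows from this is an added example, not code from the original post or from Microsoft. The events are constructed, and the field names (session_id, ip, ua, mfa) are assumptions standing in for whatever your identity provider's sign-in or activity log calls them. It flags a session that reappears from a different client without an MFA step, which is exactly what a cookie imported into the attacker's browser looks like.

```python
"""Flag sessions that reappear from a new client with no fresh MFA: the trace a replayed cookie leaves.

Added example. Events and field names are constructed assumptions, not a real log schema.
"""
from datetime import datetime

UA_OFFICE = "Mozilla/5.0 (Windows NT 10.0) Chrome/130"
UA_OTHER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128"

# Constructed sample: jdoe's session s-7f3a is used from the office laptop, then two hours later
# from an unrelated IP and browser with no MFA event. asmith's session never changes client.
EVENTS = [
    {"ts": "2025-11-03T09:02:11Z", "user": "jdoe@example-corp.com", "session_id": "s-7f3a",
     "ip": "142.112.10.5", "ua": UA_OFFICE, "mfa": True},
    {"ts": "2025-11-03T09:40:30Z", "user": "jdoe@example-corp.com", "session_id": "s-7f3a",
     "ip": "142.112.10.5", "ua": UA_OFFICE, "mfa": False},
    {"ts": "2025-11-03T11:15:02Z", "user": "jdoe@example-corp.com", "session_id": "s-7f3a",
     "ip": "185.220.101.7", "ua": UA_OTHER, "mfa": False},
    {"ts": "2025-11-03T12:00:00Z", "user": "asmith@example-corp.com", "session_id": "s-91c0",
     "ip": "142.112.10.9", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "mfa": True},
]


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_replayed_sessions(events: list) -> list:
    """Group events by session id and flag later events that come from a different IP *and* a
    different browser than the one the session was established with, with no MFA on that event.

    A replayed cookie authenticates without MFA because the cookie is itself the proof of a past
    MFA, so 'new client, no MFA' is the signal. An IP change alone is ignored: the same laptop
    moving from office to home is normal and keeps its user agent.
    """
    by_session = {}
    for ev in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        by_session.setdefault(ev["session_id"], []).append(ev)

    findings = []
    for sid, evs in by_session.items():
        first = evs[0]
        for ev in evs[1:]:
            ip_changed = ev["ip"] != first["ip"]
            ua_changed = ev["ua"] != first["ua"]
            if ip_changed and ua_changed and not ev["mfa"]:
                elapsed = _parse_ts(ev["ts"]) - _parse_ts(first["ts"])
                findings.append({
                    "session_id": sid,
                    "user": ev["user"],
                    "established_from": (first["ip"], first["ua"]),
                    "reused_from": (ev["ip"], ev["ua"]),
                    "minutes_after_establishment": int(elapsed.total_seconds() // 60),
                })
    return findings


if __name__ == "__main__":
    for finding in find_replayed_sessions(EVENTS):
        print(finding)
```

On the constructed events this produces one finding: session s-7f3a reused 132 minutes after it was established, from a new IP and a new browser, with no MFA. The response is to revoke that session (and the user's refresh tokens), not just to reset the password. Operators who buy logs commonly import the victim's user agent into an anti-detect browser to blunt exactly this check, so a production rule should also compare ASN or geolocation and the device identifier your identity provider records.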

The Canadian Cost Picture

The financial exposure is not theoretical. IBM's 2025 Canada Cost of a Data Breach findings placed the average cost of a Canadian cyber breach at CA$6.98 million — a 10.4% year-over-year increase. Phishing-initiated breaches, which frequently involve credential theft as a precursor, averaged CA$7.91 million for Canadian organizations.

The CIRA 2025 Cybersecurity Survey found that 43% of Canadian organizations experienced a cyber attack in the past 12 months, 24% reported being ransomware victims, and of those, 74% paid the ransom.

The CCCS National Cyber Threat Assessment 2025-2026 documents average year-over-year growth of 26% in ransomware incidents since 2021, noting that ransomware actors have adapted to law enforcement pressure and rebuilt their operational infrastructure. Canadian organizations' recovery spending from cyber incidents reached $1.2 billion in 2023 — double the $600 million spent in 2021, according to Statistics Canada.

Five Controls That Address the Infostealer Threat

1. Deploy endpoint detection and response (EDR) on every device accessing business systems.

Traditional antivirus detects known malware signatures. EDR detects anomalous behaviour — the process injection, credential dumping, and network callbacks that infostealer malware performs — even for variants it has not seen before. EDR coverage must include every device with access to business applications, including BYOD devices. A coverage gap on personal devices is the exposure.

2. Eliminate browser-saved passwords and deploy a managed business password manager.

Browser credential vaults are the primary target of infostealer malware. A managed business password manager (1Password Business, Bitwarden Business, or Keeper Security) stores credentials in a separately encrypted vault that locks independently of the browser and lets the IT administrator enforce rotation and revoke access when an employee departs. The manager does not by itself stop employees from also saving passwords in the browser; that is done with browser management policy (the Chrome and Edge PasswordManagerEnabled policy set to disabled, and the equivalent Firefox policy, pushed through Intune or Group Policy) so that the browser vault the stealer targets stays empty. Together these remove the highest-value target category in most infostealer logs.

3. Shorten session lifetimes and enforce device compliance checks.

In Microsoft Entra ID, Conditional Access session controls can require re-authentication after a defined sign-in frequency, disable persistent browser sessions, and make each grant conditional on device compliance. A stolen session cookie that expires within hours and cannot be used from a non-compliant device is far less useful to an attacker than one valid for 30 days, although a short window limits the damage rather than preventing replay inside it. Session lifetime management is addressed in CCCS guidance ITSM.30.031 as part of the broader identity protection posture.
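The shape of those settings, as an added example rather than anything from the original post or from Microsoft's documentation: a weak policy beside a hardened one, in the structure of the Graph API conditionalAccessPolicy object (sessionControls.signInFrequency, sessionControls.persistentBrowser, grantControls.builtInControls), with a check that flags the weak settings. The policy names, the 8-hour value, the 24-hour threshold and the finding rules are this example's choices, not Microsoft's or CCCS's recommendations; newer optional fields of signInFrequency are omitted.

```python
"""Conditional Access session controls: weak vs hardened, plus an audit check for the weak settings.

Added example. Follows the Graph conditionalAccessPolicy shape; names and thresholds are assumptions.
"""
COMMON_CONDITIONS = {
    "users": {"includeUsers": ["All"]},
    # Persistent-browser control only takes effect when the policy targets all cloud apps.
    "applications": {"includeApplications": ["All"]},
}

WEAK_POLICY = {
    "displayName": "CA-Sessions-Weak (example)",
    "state": "enabled",
    "conditions": COMMON_CONDITIONS,
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    "sessionControls": {
        # Re-authentication only every 90 days: a stolen cookie is useful for the whole window.
        "signInFrequency": {"isEnabled": True, "type": "days", "value": 90},
        # 'Stay signed in' honoured, so the cookie survives browser restarts.
        "persistentBrowser": {"isEnabled": True, "mode": "always"},
    },
}

HARDENED_POLICY = {
    "displayName": "CA-Sessions-Hardened (example)",
    "state": "enabled",
    "conditions": COMMON_CONDITIONS,
    # AND: MFA *and* a compliant (managed, healthy) device are both required at each sign-in.
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    "sessionControls": {
        "signInFrequency": {"isEnabled": True, "type": "hours", "value": 8},
        "persistentBrowser": {"isEnabled": True, "mode": "never"},
    },
}

MAX_REAUTH_HOURS = 24  # example threshold; pick what your risk tolerance supports


def session_findings(policy: dict) -> list:
    """Return human-readable findings for settings that let a stolen cookie live too long."""
    findings = []
    session = policy.get("sessionControls") or {}

    sif = session.get("signInFrequency") or {}
    if not sif.get("isEnabled"):
        findings.append("no sign-in frequency: sessions live until the tenant default expires them")
    else:
        hours = sif["value"] * (24 if sif["type"] == "days" else 1)
        if hours > MAX_REAUTH_HOURS:
            findings.append(f"sign-in frequency of {hours} hours exceeds {MAX_REAUTH_HOURS}")

    pb = session.get("persistentBrowser") or {}
    if not pb.get("isEnabled") or pb.get("mode") != "never":
        findings.append("persistent browser sessions allowed: cookie survives browser restart")

    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "compliantDevice" not in controls:
        findings.append("no device compliance requirement in grant controls")
    elif grant.get("operator") != "AND" and len(controls) > 1:
        findings.append("grant operator OR: compliant device is optional, not required")

    if policy.get("state") != "enabled":
        findings.append(f"policy state is {policy.get('state')!r}: not enforced")
    return findings


if __name__ == "__main__":
    for p in (WEAK_POLICY, HARDENED_POLICY):
        print(p["displayName"], session_findings(p) or ["no findings"])
```

The weak policy yields three findings (a 2160-hour re-authentication window, persistent sessions, no device requirement); the hardened one yields none. The same function can be run over your tenant's real policies exported as JSON, for instance from Get-MgIdentityConditionalAccessPolicy in the Microsoft Graph PowerShell module, and a policy left in report-only mode is flagged as not enforced.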

4. Implement dark web credential monitoring.

Multiple security platforms — including tools integrated into Microsoft Defender for Business and standalone services — monitor criminal marketplaces for newly posted credential logs matching your email domain. When a match is found, the affected account can be force-reset before the purchased credentials are used for initial access. This capability is now a standard question on Canadian cyber insurance underwriting questionnaires. Knowing within days of a credential appearing on dark web markets, rather than months later, changes the risk exposure substantially.

5. Establish a device security baseline for any device accessing work applications.

Whether you operate a full mobile device management (MDM) solution or rely on Conditional Access policies requiring device compliance before granting access to Microsoft 365 and other business applications, the goal is ensuring that devices touching your environment run current operating systems, have endpoint protection active, and can be remotely wiped if compromised. The CCCS Baseline Cyber Security Controls v1.2 identifies device management as one of its 13 organizational controls precisely because the device is where infostealer infections originate.

**The operational summary:** The Verizon DBIR finding that 73% of ransomware victims had a prior credential compromise event is not primarily a ransomware statistic — it is an infostealer statistic. The credential theft happened first. Closing the infostealer exposure — EDR, managed password management, credential monitoring, short session lifetimes — is a more direct path to ransomware prevention than most Canadian SMBs recognize.

Cloud Forces helps Canadian SMBs deploy endpoint detection and response, dark web credential monitoring, and Conditional Access policies that reduce the attack surface infostealer malware exploits. Explore our cybersecurity services or book a free endpoint security assessment.

Anton Kuznetsov
Founder & Principal Engineer

Anton Kuznetsov is the founder and principal engineer of Cloud Forces, the Toronto firm he started in 2018 to make custom software and AI practical and affordable for Canadian SMEs. He works hands-on across application development, cloud architecture, and the production systems Cloud Forces runs for its clients.
