The role of stolen credentials in cyberattacks is growing more significant, impacting everything from ransomware assaults to nation-state cyber warfare. These illicitly obtained credentials grant unauthorized users legitimate access, enabling them to infiltrate networks with ease and operate discreetly. This has led to a noticeable surge in ransomware incidents, underscoring the severity of the threat.
The Industrial Scale of Credential Theft
The market for stolen credentials is vast and sophisticated. Infostealers, advanced tools designed to extract sensitive information, facilitate the mass theft and subsequent sale of credentials. According to Ontinue, listings linked to LummaC2 alone surged by 72%, with high-value cloud console credentials priced between $1,000 and $15,000. This industrialization of credential theft is a crucial enabler for cybercriminal activities.
Ransomware attacks have notably benefited from the availability of stolen credentials. With over 7,000 incidents and 129 active groups tracked through 2025, these attacks continue to evolve. Despite a slight decrease in ransom payments from $892 million in 2024 to $820 million in 2025, the strategy behind these attacks is shifting.
Ransomware Evolution and Multi-layer Extortion
Large organizations have increased their defenses, driven by both potential financial losses and governmental pressure to avoid ransom payments. Consequently, ransomware groups are now targeting smaller businesses with demands for lower payments, while simultaneously employing more aggressive tactics. These include data theft, operational disruption, and multi-layer extortion strategies.
Modern ransomware not only encrypts data but also threatens to leak or sell it, even if the ransom is paid. Nathaniel Jones of Darktrace highlights this trend, pointing out the rise of double and triple extortion tactics. Attackers have also started leveraging AI to enhance phishing and malware development, further complicating the cyber defense landscape.
Adapting to Advanced Cyber Threats
Stolen credentials are also being used to fuel supply chain and SaaS attacks. Notable campaigns in 2025, such as the Salesloft Drift OAuth campaign and the Shai-Hulud npm worm, highlight the trust breaches enabled by these credentials. With geopolitical tensions escalating, cyberattacks are increasingly targeting civilian infrastructure, driven by both financial and political motivations.
To counter these sophisticated threats, cybersecurity strategies must evolve. Mark McClain, CEO of SailPoint, emphasizes the need for adaptive identity solutions that differentiate between normal and suspicious user behavior. By integrating identity, security, and data contexts, organizations can make real-time access decisions to mitigate risks without disrupting operations.
The future of cybersecurity lies in treating identity as the core control plane. This involves closely monitoring authentication activities and securing all identities, both human and non-human, with equal diligence. As Ontinue outlines, success in this new landscape will depend on how security is applied across identity, rather than the strength of traditional security perimeters.
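As an added illustration (not code from Ontinue, SailPoint or this article), the following Python sketch shows how an adaptive identity check can score each login against an identity's learned baseline, treat non-human identities with their own stricter rules, and combine the result with data sensitivity to reach an allow / step-up / deny decision in real time. The baselines, weights, thresholds, account names and login events are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Baseline:                                # what 'normal' looks like for one identity
    kind: str                                  # "human" or "service" (non-human)
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    source_ips: set = field(default_factory=set)
    hours: tuple = (0, 24)                     # usual active window (local hours)

def score_event(base: Baseline, ev: dict) -> int:
    """Risk score for one authentication event; higher = further from baseline."""
    risk = 0
    if ev["country"] not in base.countries:
        risk += 40                             # never seen this geography
    if ev["device"] not in base.devices:
        risk += 30                             # never seen this client fingerprint
    if base.kind == "service":
        # Non-human identities are rigid: a new source IP or an interactive login is suspicious
        if ev["src_ip"] not in base.source_ips:
            risk += 40
        if ev.get("interactive", False):
            risk += 50
    else:
        start, end = base.hours
        if not start <= ev["hour"] < end:
            risk += 20                         # outside the user's normal hours
        if not ev.get("mfa", False):
            risk += 10                         # password-only session
    return risk

def decide(base: Baseline, ev: dict) -> str:
    """Real-time access decision: behaviour risk plus data-sensitivity context."""
    risk = score_event(base, ev) + (20 if ev.get("sensitive", False) else 0)
    if risk >= 70:
        return "deny"
    if risk >= 30:
        return "step-up"                       # MFA re-challenge, or alert for a service account
    return "allow"

# Constructed sample data: one employee, one CI service account, four login events.
ALICE = Baseline("human", {"DE"}, {"laptop-a1"}, set(), (7, 20))
CI_BOT = Baseline("service", {"US"}, {"ci-runner"}, {"203.0.113.10"})
EVENTS = {
    "alice_normal": ({"country": "DE", "device": "laptop-a1", "hour": 9, "mfa": True}, ALICE),
    "alice_new_device": ({"country": "DE", "device": "tablet-9", "hour": 10, "mfa": True}, ALICE),
    "alice_stolen": ({"country": "RU", "device": "win-x", "hour": 3, "mfa": False}, ALICE),
    "bot_replayed": ({"country": "US", "device": "ci-runner", "src_ip": "198.51.100.7", "interactive": True}, CI_BOT),
}
def run_all() -> dict:
    return {name: decide(base, ev) for name, (ev, base) in EVENTS.items()}
```

The "alice_stolen" event carries a valid password but lands far from the user's baseline, which is exactly the case a perimeter-only control would wave through.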
