KELA, a leading provider of cyber threat and exposure intelligence solutions, has released a new report, Inside the Infostealer Epidemic: Exposing the Risks to Corporate Security. It highlights the critical role of infostealer malware in fueling credential theft and enabling ransomware attacks. The report aims to shed light on the evolving cybercriminal ecosystem – revealing how stolen corporate credentials have become a cornerstone of cybercrime operations.
Infostealer activity has surged by 266 percent in recent years, and the threat continues to grow in 2025. Infostealers, which steal credentials, personal data, and other sensitive information, have become a leading driver of identity theft, fraud, and costly data breaches. High-profile incidents like the Black Basta leak have exposed how many ransomware attacks originate from infostealer logs—underscoring the critical role these tools play in enabling ransomware attacks.
The link between infostealer malware and ransomware attacks cannot be ignored. “Our research highlights how cybercriminals are efficiently monetizing stolen credentials, creating a thriving underground market,” said Lin Levi, Threat Intelligence Analyst at KELA. “Organizations must prioritize proactive measures such as credential security to disrupt these attack chains before they escalate into breaches and ransomware incidents.”
Included amongst the report’s key findings are:
- Infostealer Malware as a Cybercrime Catalyst. Infostealers, which automate credential theft, have surged in popularity, often being sold through Malware-as-a-Service (MaaS) models. These stolen credentials serve as entry points for various cyberattacks, including ransomware.
- The Evolving Market for Stolen Credentials. Cybercriminals are shifting from traditional forums to automated markets and subscription-based models, making credential trading faster and more efficient. Attackers can easily query stolen data, purchase credentials, and exploit them.
- Victim Profiling Reveals Targeted Sectors & Roles. KELA linked 300 infostealer victims from July to August 2024 to the individuals affected and the companies employing them, finding that employees in Project Management (28 percent), Consulting (12 percent), and Software Development (10.7 percent) roles were most frequently affected. Personal computers storing corporate credentials were more commonly infected than work devices, and most compromised credentials belonged to current employees.
- Ransomware Groups Exploiting Stolen Credentials. KELA’s research explored the link between infostealer-compromised accounts and ransomware groups Play, Akira, and Rhysida. In several cases, credentials for victims of these ransomware groups were found on cybercrime marketplaces between five and 95 days prior to the reported attack, suggesting a potential connection between stolen credentials and ransomware infections; the average time was 2.5 weeks.