Ransomware attacks are greatly aided by infostealer malware. A new report from security firm KELA shows that the use of infostealers has increased by 266 percent, and the firm expects adoption to keep growing in 2025.
Infostealers have become an important tool for cybercriminals. This malware collects login credentials, personal data, and other sensitive information, which can then be used for identity theft, fraud, and data breaches. In its latest report, “Inside the Infostealer Epidemic,” KELA points to cases such as the Black Basta attack, which made it clear that many ransomware incidents start with data collected by infostealers.
Malware-as-a-Service
A worrying development is that infostealers are increasingly being offered through Malware-as-a-Service (MaaS) programs. These services automate the theft of login credentials, and the stolen data later serves as initial access for attacks, including ransomware. This makes it easier for criminals without technical knowledge to participate in cyberattacks: all they have to do is pull out their wallets and gather the necessary resources.
The trade in stolen login credentials is also shifting. Whereas this used to take place on traditional forums, automated marketplaces and subscription services are now increasingly being used. This significantly speeds up the search, purchase, and misuse of compromised accounts. As a result, the time between stealing data and carrying out an attack is becoming shorter and shorter.
The consequences are already noticeable around the world, as information has been gathered on millions of devices and from a near-equal number of employees worldwide. IT employees in particular often fall victim, which is especially worrying given their access to company networks.
Who are the victims?
KELA investigated 300 infostealer infections in the period July-August 2024, finding that project management (28%), consulting (12%), and software development (10.7%) were the most affected functions. The technology sector was the main target, with Brazil as the most affected region.
It is striking that personal computers on which company login details were still stored were compromised more often than work computers. Most of the exposed login details belonged to current employees, so in principle organizations should be able to educate them about proper use.
Infostealers can infiltrate systems in various ways, such as through phishing emails, malicious attachments, or compromised websites. They collect information by taking screenshots, recording keystrokes, taking over browsers, and stealing locally stored passwords.
Link to ransomware attacks
A worrying finding in the report is the clear link between infostealers and ransomware groups. For several victims of the Play, Akira, and Rhysida ransomware groups, relevant login credentials appeared on cybercrime marketplaces 5-95 days (on average about 2.5 weeks) before the reported attack.
This points to a possible supply chain between infostealer operators and ransomware groups. Criminals who distribute infostealers sell the stolen data to ransomware groups, which then use it to infiltrate networks.
Recommended measures
KELA advises organizations to take proactive security measures. These include continuous threat monitoring, strict access control, robust endpoint security, and regular security awareness training for employees.
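The "continuous threat monitoring" KELA recommends, combined with the 5-95 day lead time noted above, translates in practice into a routine job: ingest records of exposed credentials, keep only those tied to the organization's domains, rank them, and act before the window closes. The script below is an added illustration written for this article, not code from KELA or from the report. The feed records, the corporate domain `example.com`, the staff list, and the high-value service prefixes are all constructed assumptions; a real deployment would replace them with the organization's own exposure feed, HR export, and service inventory.

```python
"""
Triage infostealer-exposed credentials against a corporate domain list,
prioritise them, and measure lead time to a reported incident.
Every input below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Exposure:
    email: str           # credential owner as recorded in the leaked log
    source: str          # constructed label for where the record surfaced
    observed: date       # date the record appeared on the marketplace
    machine_type: str    # "personal" or "corporate" (host the stealer ran on)
    target_url: str      # service the saved credential belonged to


CORP_DOMAINS = {"example.com"}                       # assumed corporate domain
CURRENT_STAFF = {"alice@example.com",                # assumed HR export
                 "bob@example.com", "carol@example.com"}
# Hostname prefixes of services whose credentials grant network access.
HIGH_VALUE_PREFIXES = ("vpn.", "sso.", "mail.", "git.")

EXPOSURES = [  # constructed sample feed
    Exposure("alice@example.com", "market-a", date(2024, 7, 1),  "personal",  "https://vpn.example.com"),
    Exposure("bob@example.com",   "market-b", date(2024, 7, 20), "corporate", "https://wiki.example.com"),
    Exposure("dave@example.com",  "market-a", date(2024, 6, 15), "personal",  "https://sso.example.com"),
    Exposure("eve@other.org",     "market-a", date(2024, 7, 5),  "personal",  "https://sso.other.org"),
]


def is_corporate(email: str) -> bool:
    """True when the address belongs to one of our domains."""
    return email.rsplit("@", 1)[-1].lower() in CORP_DOMAINS


def priority(exp: Exposure) -> int:
    """Higher score = handle first. Current staff and access-granting
    services weigh most; personal devices get a bump because they sit
    outside corporate endpoint controls (the report's own observation)."""
    score = 0
    if exp.email in CURRENT_STAFF:
        score += 2
    if any(p in exp.target_url for p in HIGH_VALUE_PREFIXES):
        score += 2
    if exp.machine_type == "personal":
        score += 1
    return score


def triage(exposures: list[Exposure]) -> list[Exposure]:
    """Keep corporate exposures only, highest priority first."""
    corp = [e for e in exposures if is_corporate(e.email)]
    return sorted(corp, key=priority, reverse=True)


def lead_time_days(exposures: list[Exposure], incident_iso: str):
    """Days from the earliest corporate exposure to a reported incident,
    or None when nothing in the feed concerns us."""
    corp = [e for e in exposures if is_corporate(e.email)]
    if not corp:
        return None
    incident = date.fromisoformat(incident_iso)
    return (incident - min(e.observed for e in corp)).days


def actions(exp: Exposure) -> list[str]:
    """Response checklist for one exposure."""
    acts = ["reset password", "revoke active sessions"]
    if exp.email not in CURRENT_STAFF:
        acts.append("confirm account is disabled")
    if exp.machine_type == "personal":
        acts.append("block saved corporate logins on unmanaged devices")
    return acts


if __name__ == "__main__":
    for e in triage(EXPOSURES):
        print(f"{priority(e)}  {e.email:22} {e.target_url:28} {', '.join(actions(e))}")
    print("lead time to incident:", lead_time_days(EXPOSURES, "2024-08-01"), "days")
```

Run as-is, the script ranks the VPN credential of a current employee on a personal machine first, an SSO credential of a departed employee second, and the internal wiki credential last, and reports that the earliest corporate exposure preceded a constructed 1 August incident by 47 days, well inside the 5-95 day window the report describes.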
Given the rapid rise of infostealers and their role in ransomware attacks, it is essential for companies to be aware of this threat and take appropriate measures. With the right precautions, organizations can significantly reduce the risk of credential compromise and subsequent attacks.