Credential theft isn’t simply an inconvenience. It’s typically the primary transfer in a series response that ends in full-scale compromise.
Past the dreaded password reset course of, data stealers, as proven in a number of current cyberattacks, can have way more consequential follow-on results.
For a lot of small and mid-sized organizations, a single stolen identification can result in days of downtime and dear restoration.
These results are multiplied when positioned in a enterprise context, the place stolen credentials and impersonated digital identities can result in enterprise e mail compromise, ransomware, and extra, costing corporations important downtime and restoration.
An data stealer, or “infostealer,” is a kind of malware that silently collects delicate information from a sufferer’s system and transmits it to risk actors. This malware can steal private data comparable to usernames and passwords, monetary particulars, browser historical past, and different information on a focused system.
One of these malware is usually compact and has restricted performance in comparison with different headline-stealing threats like ransomware. Creators of infostealers sometimes design them to execute shortly, steal information, and self-delete earlier than detection.
Infostealers are simply out there to any motivated risk actor, placing industrial-grade functionality into the palms of entry-level attackers. Entry to a stealer command and management (C2) server operated by the developer can value as little as $50 a month, in response to earlier analysis from the Sophos X-Ops Counter Risk Unit.
What occurs to these credentials as soon as they’re stolen, although? As soon as credentials depart your community, they hardly ever keep unused.
Risk actors can use them in quite a lot of methods, together with extortion, future ransomware deployment, enterprise e mail compromise (BEC), and different pricey cyber assaults.
Extortion
Identical to when risk actors steal recordsdata in a ransomware assault, they’ll extort infostealer victims into paying a ransom in change for not leaking these stolen credentials or private data on deep and darkish net boards.
Within the case of the notorious Snowflake provide chain assault, financially motivated risk actors stole login credentials from a whole lot of companies and individually extorted them. A number of the credentials had been stolen 4 years prior, with organizations utterly unaware of this risk.
If the extorted corporations didn’t pay up, the risk actors behind the assault threatened to leak the credentials or promote them to different risk actors. The resultant extortion of affected corporations led to direct monetary losses and illicit achieve upwards of $2 million, in response to the Cloud Safety Alliance.
For a lot of victims, these shakedowns land with out warning, typically years after an preliminary an infection.
Ransomware assaults
Usually, infostealers are solely the primary stage in an extended assault that ends with ransomware.
Stolen credentials from infostealers are packaged into “logs” and bought on darkish net marketplaces or shared by way of messaging platforms like Telegram. Then, preliminary entry brokers buy these logs, validate the credentials, and resell that entry to ransomware operators.
With the legitimate credentials in hand, unhealthy actors can bypass conventional defenses like phishing filters or vulnerability scans. If multi-factor authentication (MFA) isn’t enforced, the stolen cookies may even grant full entry. As soon as inside, ransomware associates transfer laterally, exfiltrate delicate information, and deploy encryption payloads — locking down techniques and demanding cost.
This legal ecosystem — from infostealers to entry brokers to ransomware operators — capabilities like a provide chain, with every participant specializing in a special stage of the assault. This makes it simpler, sooner, and extra worthwhile to compromise organizations. The truth is, compromised credentials had been the second commonest root explanation for ransomware assaults, in response to the 2025 Sophos State of Ransomware report.
Enterprise e mail compromise
Past ransomware, malicious actors typically exploit stolen credentials in follow-on scams like enterprise e mail compromise (BEC), no matter whether or not they had been the unique thieves.
BEC happens at any time when an adversary is efficiently capable of impersonate a goal enterprise or an worker for that group, to trick targets into believing the emails they obtain are respectable.
In 2023, Sophos X-Ops’ Counter Risk Unit (CTU) noticed risk actors concentrating on lodges with phishing campaigns designed to ship infostealers and compromise their techniques. As soon as contaminated, the risk actors behind the assault harvested credentials for the lodges’ Reserving.com property accounts.
With direct entry to those accounts, the risk actors used respectable Reserving.com messaging channels to contact visitors with upcoming reservations. They despatched convincing phishing messages associated to actual bookings, typically requesting fraudulent funds. As a result of the messages got here from trusted sources and referenced precise reservations, victims had been extra prone to adjust to them.
There was a booming secondary marketplace for these credentials, too. CTU researchers noticed a excessive demand on underground boards for Reserving.com property credentials, and different risk actors requested infostealer logs that embrace credentials for the admin[.]Reserving[.]com property administration portal, which, when logged into, allowed the actors to view any upcoming reservation for a visitor, leveraging that data in malicious emails.
shield your credentials with Sophos
Id has turn out to be the management aircraft for contemporary cyberattacks. Cybercriminals are more and more deploying subtle assaults that leverage compromised identities to achieve unauthorized entry to delicate information and techniques. Ninety % of organizations skilled not less than one identity-related breach throughout the final yr, in response to a 2024 Id Outlined Safety Alliance (IDSA) research.
Sophos Id Risk Detection and Response (ITDR) is purpose-built to cease identity-based assaults in actual time. It constantly screens your setting for identification dangers and misconfigurations, whereas leveraging darkish net intelligence to uncover compromised credentials — even earlier than they’re weaponized.
Organizations can strengthen defenses by taking a proactive stance. Preventative measures, comparable to sustaining good safety hygiene and strengthening identification safety posture earlier than an assault happens, are equally necessary as detection and response efforts, which contain monitoring for assaults and stopping them as soon as they’re underway.
However to make sure your credentials and delicate information are protected, Sophos ITDR can warn you to any potential stolen or leaked credentials earlier than a risk actor is ready to flow into them on-line to others or use them in any follow-on assaults.
With infostealers fueling a rising underground financial system of stolen entry, organizations have to act earlier than credentials are weaponized. Sophos ITDR empowers you to take management, detect threats early, and reply with confidence. Don’t look ahead to the subsequent suspicious login or inbox shock. Take a proactive step towards stronger identification safety — begin your free Sophos ITDR trial immediately.
