Stolen Logins Are Fueling Everything From Ransomware to Nation-State Cyberattacks


Like an inverted pyramid, the whole range of attack modes now rests on a single point: identity abuse.

Stolen credentials are a major threat. Legitimate credentials illegitimately acquired provide legitimate access to illegitimate actors. Once inside the network, these bad actors have greater ability to move and act in stealth. The continuing rise in ransomware attacks bears testament.

The theft and resale of credentials operates on an industrial scale. Fueled by the rise of increasingly sophisticated infostealers, stolen credentials are packaged into ‘logs’ and sold to criminals on the black market. Ontinue reports, “Listings tied to LummaC2 alone surged by 72%, with high-privilege cloud console credentials selling for $1,000–$15,000+.”

Ransomware has been one of the primary beneficiaries of stolen credentials. More than 7,000 incidents and 129 active groups were tracked through 2025. At the same time, ransom payments decreased slightly from $892M in 2024 to $820M in 2025. This apparent contradiction is actually logical.

“Larger targets, with larger payout potential, will have seen the most aggressive corporate investment (process and technology) mitigating exposure to this attack pattern,” explains Trey Ford, chief strategy and trust officer at Bugcrowd. These larger targets are also more susceptible to government pressure not to pay ransoms, and ransomware income has consequently declined. The ransomware groups have responded with more attacks, demanding smaller payments from a larger number of smaller companies.

These bad actors have simultaneously increased the pain threshold. Theft of data for blackmail has been growing for several years but is now often supplemented with operational disruption. “Beyond encrypting endpoints, attackers disrupt the ability to operate by wiping systems, deleting backups, sabotaging virtualization, attacking OT/ICS-adjacent services, or breaking identity/administration planes.”


Think of modern ransomware as a multi-layer extortion machine, the report continues. “Even when victims avoid paying, they are still dealing with downtime, regulatory exposure, third-party disruption, and long recovery cycles.” Nathaniel Jones, VP of security & AI strategy, and field CISO at Darktrace, adds, “Rather than relying solely on encrypting a target’s data for ransom, threat actors will increasingly employ double or even triple extortion strategies, encrypting sensitive data but also threatening to leak or sell stolen data.”

At the same time, adversarial use of AI to assist in attacks is growing. Sophisticated and compelling phishing attacks are already evident, but Ontinue has also seen “the first meaningful signs of LLM-assisted malware development in 2H 2025.” This isn’t yet autonomous malware, but there are signs that attackers are using AI to assist malware development for speed and features.

“LLMs didn’t write the malware, but they wrote large pieces of it,” says Ontinue. “This lowers the bar dramatically. Adversaries with minimal engineering ability now ship tools that look more professional but still contain fundamental security flaws.”

Stolen credentials are also fueling supply chain and SaaS attacks. The two big examples from 2025 are the Salesloft Drift OAuth campaign (with more than 700 victim organizations) and the Shai-Hulud npm worm. Both campaigns abused the trust necessary in modern business infrastructure, with that trust breached by legitimate but stolen credentials.

The increase in global geopolitical tension has further increased and complicated the cybersecurity battlefield – and has probably decreased any remaining ‘honor among thieves’. The Shai-Hulud actor (financially motivated rather than nation state motivated), for example, may attempt to delete the target’s home directory if it finds little to harvest. “This nihilistic ‘scorched earth’ fallback is new and signals the author’s willingness to cause irreversible damage,” notes Ontinue.

Such behavior has traditionally been associated with nation state political motivations. This is widening. It is no longer government against government: targets now include civilian entities while attackers include politically motivated citizens as well as elite nation state actors. Ontinue quotes three examples: North Korea’s Lazarus Group $1.5B cryptocurrency theft; wiper attacks targeting Polish civilian infrastructure by Ghost Blizzard; and record-setting DDoS activity peaking at 31.4 Tbps via botnets with more than 500,000 IPs.

There is little sign that geopolitically motivated attacks are likely to decrease in the immediate future – they are more likely to increase. Prompted by the US/Israel war against Iran, Iranian actors used wipers in the attack against Stryker earlier this year.

The base of this inverted pyramid of malicious activity is occupied by infostealers fueling the activity. Infostealers are a successful tool for malicious actors. They use social engineering to get installed. Industry is yet to find a successful method to prevent social engineering, so it is unlikely that we will be able to stop infostealers. The implication is organizations should assume that attackers have or will obtain legitimate identities to use in their attacks.

This means that more energy must be applied to recognizing and blocking the misuse of credentials while in use rather than simply trying to prevent their theft. “To combat today’s new era of threats, driven by the force multiplier of AI, we need to embrace a new approach of adaptive identity,” says Mark McClain, CEO at SailPoint. 

“Modern identity tools need to be able to discern between regular user activity and abnormal activity, and grant – or deny – access accordingly. Every access decision is driven by who or what the identity is, the context of the data they touch, and the security signals surrounding them. By unifying identity, security, and data contexts, businesses can make real-time decisions to mitigate risk without disrupting operations.”

Ontinue summarizes this. “The organizations that will succeed in this new landscape will not necessarily be those with the strongest perimeters, but those that rethink how security is applied across identity. This means treating identity as the core control plane, monitoring authentication activity as closely as endpoint behavior, and securing both human and non-human identities with equal rigor.”
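The adaptive-identity approach described above (deciding access from who the identity is, what it is touching, and the surrounding signals, rather than from the credential alone) can be illustrated with a small risk scorer. This is an added example, not code from the article, Ontinue or SailPoint; the login history, the signal weights and the allow/step-up/deny thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample history of successful logins (not real data):
# (user, ISO timestamp, country, device_id, target).
HISTORY = [
    ("alice", "2025-11-03T09:02:00", "DE", "dev-a1", "mail"),
    ("alice", "2025-11-04T08:55:00", "DE", "dev-a1", "wiki"),
    ("alice", "2025-11-05T09:10:00", "DE", "dev-a1", "mail"),
]
# Hypothetical set of high-privilege targets (the "data context" of the decision).
PRIVILEGED_TARGETS = {"cloud-console", "iam-admin"}

@dataclass
class Decision:
    action: str        # "allow", "step_up" or "deny"
    score: int
    reasons: list

def baseline(history, user):
    """Known countries and devices for a user, plus the most recent login."""
    rows = [h for h in history if h[0] == user]
    return {"countries": {r[2] for r in rows},
            "devices": {r[3] for r in rows},
            "last": max(rows, key=lambda r: r[1]) if rows else None}

def score_login(history, event):
    """Score a login from identity, data context and surrounding signals.
    Assumed policy: score >= 5 deny, >= 3 step-up (extra factor), else allow."""
    user, ts, country, device, target = event
    base = baseline(history, user)
    score, reasons = 0, []
    if country not in base["countries"]:
        score += 2; reasons.append("new country")
    if device not in base["devices"]:
        score += 1; reasons.append("new device")
    if target in PRIVILEGED_TARGETS:
        score += 2; reasons.append("privileged target")
    last = base["last"]
    if last and last[2] != country:
        # Country changed since the last login: flag if the gap is under two hours.
        gap = datetime.fromisoformat(ts) - datetime.fromisoformat(last[1])
        if 0 <= gap.total_seconds() < 2 * 3600:
            score += 3; reasons.append("impossible travel")
    action = "deny" if score >= 5 else "step_up" if score >= 3 else "allow"
    return Decision(action, score, reasons)
```

A valid password presented from a new device and country against the cloud console scores 5 and is denied, while the same user on a known device hitting mail from the usual country is allowed; the credential itself is identical in both cases.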
