The Convergence of Infostealers and Ransomware: From Credential Harvesting to Rapid Extortion Chains – CYFIRMA

Ransomware operations are increasingly enabled by infostealers that harvest credentials and session tokens and sell them to Initial Access Brokers, who in turn provide validated enterprise access that leads to ransomware deployment, often within 48 hours. This convergence compresses attacker dwell time, elevates credential-driven extortion risk, and demands stronger credential hygiene, endpoint visibility, and identity-focused defenses. #RedLine #Lumma

Key points

  • Infostealers (e.g., RedLine, Vidar, Lumma, Raccoon, MetaStealer, StealC) are the primary source of harvested credentials used to enable ransomware access.
  • Approximately 149 million stolen credentials were exposed in January 2026 alone, reflecting a dramatic increase in credential availability for attackers.
  • Stolen credentials and session cookies are regularly sold on underground marketplaces and via Initial Access Brokers (IABs), who categorize and price access for ransomware affiliates.
  • Ransomware deployment frequently follows credential exposure within 48 hours, compressing detection and response windows for defenders.
  • Credential reuse, session cookie theft, and MFA bypass via stolen tokens are key enablers of rapid lateral movement and privilege escalation.
  • Defensive priorities should shift toward identity protection, early stealer detection, endpoint visibility, and integration of stealer/IAB intelligence into SOC workflows.

MITRE Techniques

  • [T1566] Phishing – Used as a dominant delivery vector for infostealers: [‘Phishing emails with malicious attachments or links.’]
  • [T1189] Drive-by Compromise – Browser-based redirections and malvertising led to stealer delivery: [‘Malvertising campaigns redirecting users to trojanized software.’]
  • [T1059] Command and Scripting Interpreter – Infostealers execute scripts and commands to enumerate and exfiltrate credentials: [‘Once executed, infostealers quickly enumerate the host system to collect credentials…’]
  • [T1555] Credentials from Password Stores – Stealers extract credentials from browser stores and password managers: [‘Common targets include browser-stored credentials…’]
  • [T1539] Steal Web Session Cookie – Stolen session cookies were highlighted as enabling MFA bypass and token abuse: [‘The use of stolen session cookies allows attackers to bypass multi-factor authentication (MFA)…’]
  • [T1003] OS Credential Dumping – Techniques to extract system credential artifacts support lateral movement and privilege escalation: [‘…extract sensitive data from infected systems…’]
  • [T1082] System Information Discovery – Infostealers enumerate system metadata to identify valuable targets: [‘infostealers quickly enumerate the host system to collect credentials and other valuable artifacts.’]
  • [T1016] Network Service Discovery – Attack chains include discovery of network services to map enterprise access points: [‘…collect credentials and other valuable artifacts’] (implies network discovery to enable follow-on access).
  • [T1027] Obfuscated Files or Information – Stealers and delivery artifacts use obfuscation to evade detection: [‘Stealer families and their delivery methods prioritize high infection volume over persistence…’]
  • [T1562] Impair Defenses – Listings and tools for AV/EDR bypass and sideloading were observed in underground ads: [‘Example of underground forum advertisement for AV/EDR bypass and sideloading tools’]
  • [T1021] Remote Services – Valid remote services and VPN access harvested by stealers are used for lateral movement: [‘Corporate VPN credentials’]
  • [T1078] Valid Accounts – Stolen valid accounts and cookies are used for persistence and privilege escalation: [‘Valid account abuse consistently identified as a leading initial access vector.’]
  • [T1071] Application Layer Protocol – Stealers and C2 employ application-layer protocols to communicate and exfiltrate data: [‘Stealer-related command-and-control infrastructure’]
  • [T1102] Web Service – Exfiltration and marketplace activity leverage web services and Telegram channels for data movement and sales: [‘sold through underground forums, Telegram channels, and dedicated log marketplaces.’]
  • [T1041] Exfiltration Over C2 Channel – Infostealers exfiltrate harvested credentials via C2 channels: [‘Once executed, infostealers quickly enumerate the host system to collect credentials and other valuable artifacts.’]
  • [T1567] Exfiltration Over Web Service – Stolen logs and credentials are uploaded and sold via web-based log marketplaces and channels: [‘stolen data…sold through underground forums, Telegram channels, and dedicated log marketplaces.’]
  • [T1486] Data Encrypted for Impact – Ransomware affiliates perform encryption as the primary monetization and extortion step: [‘Data Encrypted for Impact’]
  • [T1657] Data Manipulation – Multi-stage extortion includes manipulation of victim data as part of pressure tactics: [‘Data Manipulation’]
  • [T1499] Endpoint Denial of Service – Denial-of-service tactics are noted as potential impact actions alongside encryption and exfiltration: [‘Endpoint Denial of Service’]
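The T1539 entry above is the point where identity-side detection has the most leverage: a stolen cookie replayed by an attacker typically arrives from a different IP address and client than the MFA login that minted it, or with no observed login at all. The following Python sample is an added illustration of that check and is not code from the CYFIRMA article; the SSO log format, the field names (session_id, src_ip, ua, event) and the sample lines are all constructed for this example.

```python
import json
from datetime import datetime

# Constructed sample log (not from the article): newline-delimited JSON events
# from a hypothetical SSO gateway. "session_id" stands in for the browser
# session cookie that infostealers harvest and IABs resell.
SAMPLE_LOG = """\
{"ts": "2026-01-15T08:02:11Z", "user": "alice", "session_id": "S-1001", "event": "mfa_login", "src_ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/122"}
{"ts": "2026-01-15T08:05:40Z", "user": "alice", "session_id": "S-1001", "event": "session_use", "src_ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/122"}
{"ts": "2026-01-15T09:30:02Z", "user": "alice", "session_id": "S-1001", "event": "session_use", "src_ip": "198.51.100.77", "ua": "python-requests/2.31"}
{"ts": "2026-01-15T10:00:00Z", "user": "bob", "session_id": "S-2002", "event": "mfa_login", "src_ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
{"ts": "2026-01-15T11:00:00Z", "user": "carol", "session_id": "S-3003", "event": "session_use", "src_ip": "198.51.100.77", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/122"}
{"ts": "2026-01-15T12:14:19Z", "user": "bob", "session_id": "S-2002", "event": "session_use", "src_ip": "192.0.2.5", "ua": "Mozilla/5.0 (Macintosh) Safari/17"}
"""


def parse_events(log_text):
    """Parse NDJSON events into dicts with a datetime 'ts', skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
        except (ValueError, KeyError):
            continue  # malformed line: drop it rather than abort the whole run
    return sorted(events, key=lambda e: e["ts"])


def detect_session_reuse(events):
    """Flag session tokens used from a context that differs from the MFA login
    that created them (IP or user agent changed), and tokens used with no
    observed MFA login at all (cookie imported straight into another client).
    Returns a list of alert dicts in time order."""
    bindings = {}  # session_id -> (user, src_ip, ua, login time) captured at MFA login
    alerts = []
    for ev in events:
        sid = ev["session_id"]
        if ev["event"] == "mfa_login":
            bindings[sid] = (ev["user"], ev["src_ip"], ev["ua"], ev["ts"])
            continue
        if ev["event"] != "session_use":
            continue
        bound = bindings.get(sid)
        if bound is None:
            alerts.append({
                "session_id": sid, "user": ev["user"], "src_ip": ev["src_ip"],
                "reason": "session used without observed MFA login",
            })
            continue
        user, ip, ua, t0 = bound
        reasons = []
        if ev["src_ip"] != ip:
            reasons.append(f"src_ip changed {ip} -> {ev['src_ip']}")
        if ev["ua"] != ua:
            reasons.append("user-agent changed")
        if reasons:
            alerts.append({
                "session_id": sid, "user": user, "src_ip": ev["src_ip"],
                "reason": "; ".join(reasons),
                "minutes_since_login": (ev["ts"] - t0).total_seconds() / 60,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the constructed sample this yields two alerts: alice's S-1001 reused from a new address with a scripted client about 88 minutes after her login, and carol's S-3003 used with no login on record. In production the binding would come from the IdP's sign-in log and a raw IP comparison should be softened to ASN or geolocation to avoid paging on mobile roaming; the orphan-session check is the stronger signal and is worth keeping strict.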

Indicators of Compromise

  • [Malware Families] Infostealer family names observed in telemetry and marketplaces – RedLine, Vidar, and other families such as Lumma and Raccoon.
  • [Credentials / Accounts] Types of stolen access used for follow-on attacks – corporate VPN credentials, Microsoft 365 or domain account credentials.
  • [Session Artifacts] Session and token artifacts used to bypass MFA and enable lateral movement – SSO/browser session cookies, cloud service session tokens.
  • [Marketplace Indicators] Evidence of exposure and sale of access in underground markets – “infostealer logs”, “IAB advertisements” referencing corporate domains and industry-specific access.
  • [Command-and-Control] Stealer-related infrastructure referenced as CTI indicators – stealer-related C2 infrastructure (no specific IPs or domains disclosed in the article).

Read more: https://www.cyfirma.com/research/the-convergence-of-infostealers-and-ransomware-from-credential-harvesting-to-rapid-extortion-chains/