Inside the Threat Intelligence Market | KELA Cyber

Inside the Threat Intelligence Market

Over 4.3 million machines infected. Nearly 5 billion compromised credentials. Infostealer malware is flooding dark web markets with logins to cloud platforms, email, remote tools, and even corporate networks. It’s a cybercriminal’s dream, and your nightmare if you’re not prepared.

By Ben Kapon

Updated June 23, 2025.


These breaches aren’t isolated events; they’re a symptom of an industrialized cybercrime ecosystem. Threat actors don’t just act on opportunity; they buy access, tools, and intelligence. That’s why the Threat Intelligence market isn’t a luxury or a niche; it’s foundational. Whether you're defending against ransomware, preventing account takeovers, or investigating third-party risks, access to timely, contextual threat intelligence is what separates reactive teams from resilient ones.

Threat intelligence empowers security teams to detect, analyze, and respond to threats before damage is done. This blog breaks down what it is, why it matters, and how KELA delivers intelligence that makes a difference.

Defining Threat Intelligence

According to Gartner®: "The security threat intelligence products and services market refers to the combination of products and services that deliver knowledge (context, mechanisms, indicators, implications and action-oriented advice), information and data about cybersecurity threats, threat actors and other cybersecurity-related issues. The output of these products and services aims to provide or assist in the curation of information about the identities, motivations, characteristics and methods of threats, commonly referred to as tactics, techniques and procedures (TTPs). The intent is to enable better decision making and improve security technology capabilities to reduce the likelihood and impact of a potential compromise."

Why Threat Intelligence Platforms Are Critical

Infostealer Epidemic

Infostealer malware has emerged as a significant threat, silently harvesting sensitive information from infected systems. In 2024 alone, KELA saw a 266% increase in infostealer activity. Attackers leverage these credentials to fuel sophisticated ransomware campaigns and large-scale data breaches. Notably, just three malware families—Lumma, StealC, and Redline—accounted for 75% of infections.

These stolen credentials are often sold on cybercrime forums, providing threat actors with easy access to corporate networks. For instance, KELA observed several instances where compromised credentials to Change Healthcare-owned resources, gained through information-stealing malware, were offered for sale or leaked on cybercrime platforms, potentially facilitating subsequent ransomware attacks.

Initial Access Brokers (IABs)

Initial Access Brokers play a pivotal role in the cybercrime ecosystem by selling unauthorized access to compromised networks. These brokers exploit vulnerabilities, use stolen credentials, or deploy phishing campaigns to infiltrate corporate networks, subsequently selling access to ransomware gangs.

In a recent example from 2024, researchers uncovered that the newly emerged Ymir ransomware was deployed following initial access gained via RustyStealer, an infostealer malware. RustyStealer harvested credentials and enabled lateral movement across victim networks using tools like PowerShell and WinRM. Once the attackers had established control, they deployed Ymir ransomware, which is designed to run entirely in memory to avoid detection.

This attack chain illustrates the growing reliance on infostealer-fueled initial access, where threat actors acquire footholds through credential theft before handing off access to others or transitioning into full-scale ransomware operations themselves.

Ransomware Attacks

Ransomware attacks have evolved into sophisticated operations that not only encrypt data but also threaten to release sensitive information. Between May 2023 and May 2024, KELA tracked over 5,000 victims of ransomware and extortion actors, with the majority from the US, UK, Canada, Germany, and France.

A notable example is the attack on Nissan Australia by the Akira ransomware group. In December 2023, Akira claimed to have compromised Nissan Australia, stealing 100GB of data. By March 2024, Nissan confirmed that approximately 100,000 individuals were impacted, with various forms of government identification compromised. KELA's research suggests that Akira often purchases initial access via compromised VPN credentials, indicating that the Nissan breach may have originated from such a purchase.

Another significant incident involved Black Basta's attack on ZircoDATA, an Australian technology company, in February 2024. Prior to the attack, Remote Desktop Protocol access to the company was offered for sale by a threat actor, potentially facilitating the breach. The attack resulted in the theft of 395GB of data, including sensitive documents from Monash Medical Center and Melbourne Polytechnic.

How KELA’s Platform Stacks Up

KELA offers cybercrime threat intelligence solutions that provide actionable insights to organizations to combat the infostealer epidemic that’s fueling ransomware attacks. By continuously monitoring cybercrime sources, threat actor communications, and other intelligence resources, KELA's platform enables organizations to detect and mitigate threats proactively.

The platform's capabilities include:

  • Full Visibility - Gain complete visibility into all your organization’s exposed assets and their vulnerabilities.
  • Early Detection - Detect compromised computers, valid accounts and services early on and block attacks at their source.
  • Brand Protection - Take down phishing domains and impersonating social network accounts easily.
  • Third-Party Risk Reduction - Uncover vulnerabilities, leaks, and threats related to vendors and partners before attackers exploit them.
  • Dark Web Monitoring - Gain critical insights from hard-to-reach dark web sources and closed forums to accelerate investigations and build stronger cases against cybercriminals.
  • Automate and Integrate - Automatically quarantine compromised assets, suspend accounts, and enrich your current SOC tools with free integration.
  • Agentic, Always-On Cyber Defense - 24/7 Digital Cyber Analysts are trained on KELA’s vast threat intelligence data lake and expert methodologies.

KELA’s Cybercrime Intelligence Platform has a 5/5 rating on Gartner Peer Insights as of June 16, 2025, based on 18 ratings (in just the last 12 months). We believe this feedback from KELA customers highlights the value of the data, the depth of access to the cybercrime underground, and the quality of customer support. A few recent highlights:

"The freshness of the data. It has the latest leaks and compromised credentials. It's really useful for investigations." - Manager, IT Security and Risk Management - Retail

"We use the tool daily, and it is very useful and very practical, it is a very powerful tool that gives us a very useful service." - Audit Associate - IT Services

"KELA has been able to detect cybercrime and darknet threats that no other solution has picked up, that gap was significant for us, it gave us real peace of mind." - Cyber Security Engineer - Services (non-Government)

By providing actionable insights into cyber threats, facilitating proactive threat detection, and enhancing incident response capabilities, platforms like KELA's play a critical role in modern cybersecurity strategies. Learn more about KELA’s platform and how you can prevent the source of up to 96% of cyber attacks.

Gartner and Peer Insights are trademarks of Gartner, Inc. and/or its affiliates. All rights reserved. Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences, and should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content, nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.