Security Week: “Like an inverted pyramid, the range of different attack modes are now built on top of the single point of identity abuse. Stolen credentials are a major threat. Legitimate credentials illegitimately acquired provide legitimate access to illegitimate actors. Once inside the network, these bad actors have greater ability to move and act in stealth. The continuing rise in ransomware attacks bears testament. The theft and resale of credentials operates on an industrial scale. Fueled by the rise of increasingly more sophisticated infostealers, stolen credentials are packaged into ‘logs’ and sold to criminals on the black market. Ontinue reports, “Listings tied to LummaC2 alone surged by 72%, with high-privilege cloud console credentials selling for $1,000–$15,000+.” Ransomware has been one of the primary beneficiaries of stolen credentials. More than 7,000 incidents and 129 active groups were tracked through 2025. At the same time, ransom payments decreased slightly from $892M in 2024 to $820M in 2025. This apparent contradiction is actually logical. “Larger targets, with larger payout potential, will have seen the most aggressive corporate investment (process and technology) mitigating exposure to this attack pattern,” explains Trey Ford, chief strategy and trust officer at Bugcrowd. These larger targets are also more susceptible to government pressure to not pay ransoms, and ransomware income has consequently declined. The ransomware groups have responded with more attacks demanding smaller payments from more but smaller companies.  These bad actors have simultaneously increased the pain threshold. Theft of data for blackmail has been growing for several years but is now often supplemented with operational disruption. “Beyond encrypting endpoints, attackers disrupt the ability to operate by wiping systems, deleting backups, sabotaging virtualization, attacking OT/ICS-adjacent services, or breaking identity/administration planes.”…