How Ransomware Gangs Use Stolen Credentials to Take Over Companies

Posted on March 25, 2025

Spanish telecommunications giant Telefonica recently fell victim to a significant cybersecurity breach, showing that even large organizations can be vulnerable. The event highlights how important it is to maintain strong defenses, especially against infostealers, which are designed specifically to steal information.

The Breach: What Happened?

This month (January 2025), Telefonica confirmed unauthorized access to its internal Jira ticketing system. The breach, orchestrated by a group of attackers allegedly linked to the Hellcat ransomware group, resulted in the theft of approximately 2.3 GB of sensitive data. The stolen information included:

  • 24,000 employee emails and names
  • 500,000 Jira issues and summaries
  • 5,000 internal documents
  • 236,493 lines of customer data

The Attack Vector: Infostealer Malware

The breach was facilitated by infostealer malware, a type of malicious software designed to harvest sensitive information such as login credentials from infected devices. Numerous employees were reported to be compromised, providing attackers with critical credentials for initial access.

  • 469 employee credentials on Telefonica’s domain were compromised.

Credential Theft, Cybersecurity

We hear about ransomware all over the news. Companies lose millions to this threat each year, and the frequency of attacks only continues to rise. But what’s behind this surge in ransomware attacks, and how are cybercriminals getting in?

According to Mandiant, 40% of initial ransomware infections begin with cybercriminals exploiting stolen or compromised credentials. A prime example is the infamous Colonial Pipeline attack, where stolen VPN credentials allowed nation-state actors to severely disrupt one of the most important fuel supply networks in the United States.

Let’s explore exactly how attackers use stolen credentials to launch ransomware, and what you can do to protect your organization from such threats.

How Ransomware Gangs Acquire Stolen Credentials

We’ll start by understanding how ransomware gangs acquire company credentials in the first place. After all, aren’t login credentials considered “sensitive” data that companies rigorously protect? Unfortunately, even well-protected credentials can be vulnerable to theft and exploitation.

Most of the time, ransomware gangs acquire credentials leaked from previous breaches, available for sale or exchange on dark web marketplaces. This allows even less sophisticated threat actors to launch ransomware at scale, hence the increased frequency of attacks.

Attackers use automated tools to test large volumes of stolen usernames and passwords against various services and applications, increasing the probability of success.

Image: Uber corporate credentials for sale on a popular dark web marketplace, which has since been taken down by authorities.

To find out whether your company’s credentials are exposed to cybercriminals, try Twilight Cyber today.

However, if the ransomware group is targeting a specific organization, they have to get a little more creative. They might send phishing emails to their target to trick employees into handing over their login credentials, or infect their system with infostealer malware.

Based on our research, LummaC2 is the most popular infostealer at the moment, responsible for over 140,000 infections in February 2025 alone.

How Attackers Leverage Stolen Credentials

After the stolen credentials are obtained, it’s time to launch the attack.

By using legitimate credentials, ransomware gangs bypass many traditional security measures, which makes it easier to deploy ransomware. Before the ransomware itself is deployed, the attack typically follows these stages:

  1. Initial access: Criminals use stolen credentials to enter corporate networks through legitimate channels, evading suspicion from security systems designed to detect external threats.
  2. Privilege escalation: With initial access secured, attackers escalate privileges within the network, aiming to gain administrative control.
  3. Lateral movement: Attackers move across different systems within the network, leveraging legitimate credentials to blend in with normal traffic and evade detection.
  4. Ransomware deployment: After establishing extensive access and control, ransomware is deployed, encrypting critical company data and systems, effectively paralyzing operations and forcing the company into a desperate position.
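As an added illustration (not code from the original post), here is how a defender can spot both the automated credential testing described earlier and the credential-backed lateral movement of stage 3 in authentication logs. The records and thresholds are constructed assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth records: (timestamp, user, source_ip, dest_host, result)
SAMPLE_LOGS = [
    ("2025-03-25T09:00:01", "a.smith", "203.0.113.9", "vpn-gw", "fail"),
    ("2025-03-25T09:00:02", "b.jones", "203.0.113.9", "vpn-gw", "fail"),
    ("2025-03-25T09:00:03", "c.lee", "203.0.113.9", "vpn-gw", "fail"),
    ("2025-03-25T09:00:04", "d.kim", "203.0.113.9", "vpn-gw", "fail"),
    ("2025-03-25T09:00:05", "e.wong", "203.0.113.9", "vpn-gw", "success"),
    ("2025-03-25T09:05:00", "e.wong", "10.0.0.5", "fileserver1", "success"),
    ("2025-03-25T09:06:00", "e.wong", "10.0.0.5", "fileserver2", "success"),
    ("2025-03-25T09:07:00", "e.wong", "10.0.0.5", "hr-db", "success"),
    ("2025-03-25T09:08:00", "e.wong", "10.0.0.5", "dc01", "success"),
    ("2025-03-25T09:30:00", "f.ali", "10.0.0.7", "fileserver1", "success"),
]

def _first_window_hit(events, window, threshold):
    """Distinct values in the first sliding window of sorted (time, value) events that reaches `threshold`, else None."""
    for i, (t0, _) in enumerate(events):
        values = {v for t, v in events[i:] if t - t0 <= window}
        if len(values) >= threshold:
            return values
    return None

def detect_credential_stuffing(logs, min_users=4, window=timedelta(minutes=5)):
    """Source IPs trying >= min_users distinct usernames within `window`: automated testing of a leaked list."""
    by_src = defaultdict(list)
    for ts, user, src, _host, _result in logs:
        by_src[src].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for src, events in by_src.items():
        hit = _first_window_hit(sorted(events), window, min_users)
        if hit:
            flagged[src] = len(hit)  # how many accounts were tried from this source
    return flagged

def detect_lateral_movement(logs, min_hosts=3, window=timedelta(minutes=10)):
    """Accounts with successful logons to >= min_hosts hosts within `window`: valid creds, abnormal pattern."""
    by_user = defaultdict(list)
    for ts, user, _src, host, result in logs:
        if result == "success":
            by_user[user].append((datetime.fromisoformat(ts), host))
    flagged = {}
    for user, events in by_user.items():
        hit = _first_window_hit(sorted(events), window, min_hosts)
        if hit:
            flagged[user] = sorted(hit)  # hosts reached with the stolen account
    return flagged
```

Both detections rely on counting distinct entities per sliding window rather than raw failure counts, so a low-and-slow spray below the window threshold will need a longer window or a baseline per account to catch.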

The Impact of Credential-Based Ransomware Attacks

Organizations don’t have a lot of options when faced with a ransomware threat, especially if it encrypts their critical data. Many agencies recommend not paying the ransom, reasoning along the lines of “Never negotiate with terrorists”.

However, the reality is a bit different, and companies face intense pressure to pay the ransom, driven by operational disruptions, potential data loss, and the high costs of prolonged downtime.

Image: The average ransomware payment in 2024 (source: Sophos).

The financial losses go way beyond the ransom payment. The business downtime itself may cost more, along with remediation efforts. If the attack is severe, or the compromised data is customer-related, the reputational damage and lost business are immeasurable, and may even lead to bankruptcy.

Failure to protect customer data can additionally result in severe regulatory penalties and lawsuits.

Protecting Your Company from Credential-Based Ransomware Attacks

Considering the devastating consequences ransomware attacks have on businesses, it’s crucial to be proactive in your approach to defending against them.

Here are some best practices you must prioritize:

  • Multi-Factor Authentication (MFA): Implement MFA across all services and accounts to significantly reduce the effectiveness of stolen credentials.
  • Regular employee training: Educate employees on recognizing phishing attempts and proper credential handling.
  • Strong credential hygiene: Encourage regular updates to passwords and promote the use of unique, complex passwords across different platforms and services.
  • Continuous dark web monitoring: Actively monitor the accounts associated with your organization to identify potential leaks before they result in a security incident. 

Monitor Your Credentials With Twilight Cyber

Twilight Cyber is a leading cybersecurity solution specializing in proactive dark web and stolen credentials monitoring. Our platform helps organizations detect infected machines and compromised credentials early, significantly reducing the risk of credential-based ransomware attacks.

We have unparalleled access into dark web marketplaces, forums, and illicit credential exchanges, enabling us to identify leaked or stolen company data swiftly and accurately. With this intelligence, your organization can respond rapidly, preventing unauthorized access and potential breaches before they escalate.

Our revolutionary approach eliminates the need for complex software installations and intrusive internal network monitoring, making it an efficient and user-friendly solution.

Try it now, or contact us for more details.
