
In this interview, Itsik Kesler, the Chief Technology Officer at KELA, highlighted the importance of forward-thinking design in building a collection infrastructure that can integrate new data sources quickly.
Kesler spoke about a platform’s capability to handle massive datasets without friction, and the difference between parsing data from a ransom blog and parsing an infostealer ZIP file.
He detailed the process of filtering dark web data to avoid disinformation and the herculean task performed daily, including monitoring of 71,925 hacking discussions, 111,018 Telegram messages, 14,622,707 compromised accounts from credentials files, and more.
Read on to learn the most used initial access method, which ransomware group surpassed LockBit, the importance of time in threat detection, and what Kesler learned from his background in the Israel Defense Forces.
Vishwa: Please tell us about your journey to KELA and how your service to the Israel Defense Forces changed you. Did the service encourage you to work towards fostering security?
Itsik: I joined KELA seven years ago to lead engineering—overseeing everything from large-scale data collection to building the applications that transform that data into actionable intelligence. Across both ends of this spectrum, I have helped navigate complex challenges, from scaling our infrastructure to handling vast volumes of threat data efficiently.
On the infrastructure side, we have been focused on building a flexible, scalable system capable of pulling data from hundreds of diverse sources simultaneously. This requires forward-thinking design to ensure we can quickly integrate new sources as our analysts identify them.
On the application side, the challenge lies in balancing usability with powerful capabilities, while ensuring performance at scale. Our platforms must be intuitive yet robust enough to handle massive datasets without compromise.
My background in the Israel Defense Forces shaped my approach to solving tough problems. I learned never to assume something is impossible. Instead, we ask, “How can this be done?” Our motto was: “Knowledge, desire, and dedication make the impossible possible.” I’ve seen that mindset work time and time again—both in the military and here at KELA.
At KELA, that same spirit drives us. Whether it’s working under tight timelines or navigating the challenges of scale, we constantly push boundaries to deliver the best solution on the market.
Knowing we’re helping organizations defend themselves against real-world threats gives our work meaning—and motivates us to keep raising the bar.
Vishwa: What is the speed or time at which KELA detects an incoming threat? We are keen to learn about the features of the security solutions employed by the firm.
Itsik: In cybersecurity, speed is everything. The window between a threat actor exposing sensitive information and that data being exploited is often extremely short. That’s why KELA focuses on near real-time threat detection—collecting, parsing, and analyzing data from diverse sources as quickly and efficiently as possible, so actionable insights are available promptly to our clients.
The collection and analysis process varies depending on the source. For example, parsing data from a ransom blog focuses on extracting key identifiers, while analyzing infostealer ZIP files requires automatically extracting and analyzing the technical content within those files.
This demands a flexible, intelligent system capable of adapting to different data formats and threat types.
The need for rapid detection is only growing as cybercriminal tactics become more sophisticated. Staying ahead requires continuous innovation in how threats are detected and prioritized. At KELA, our goal is to empower organizations with timely, accurate intelligence to anticipate emerging threats and safeguard their digital assets.
Vishwa: How does KELA filter false claims on the dark web while accessing real-time threat intelligence? What is the process of filtering threat intelligence? How does the team verify facts?
Itsik: KELA employs a multifaceted approach to ensure the accuracy and reliability of its real-time threat intelligence, effectively filtering out false claims from the dark web. It does so through the following:
Automated Data Collection and Analysis: KELA's technology continuously gathers data from hard-to-reach cybercrime sources, including closed hacking forums and markets, Telegram groups, and other platforms. This extensive collection is analyzed in real-time, allowing for immediate detection of false claims based on the extensive data lake the information can be compared to.
This is especially critical in an era where fake Ransomware-as-a-Service (RaaS) groups exploit fear and uncertainty in underground spaces. As KELA detailed in "New Phone, Who Dis?", threat actors often fabricate their capabilities or reuse old data to create the illusion of new, active threats. Without proper validation, organizations risk responding to non-existent risks while missing actual dangers.
Advanced Filtering and Contextualization: The platform utilizes sophisticated filtering mechanisms to sift through vast amounts of data, highlighting relevant threats while discarding noise and misinformation. By providing contextualized intelligence into attackers' tactics, techniques, and procedures (TTPs), KELA ensures that the information is actionable and pertinent.
Expert Human Analysis: Beyond automated processes, KELA's Cyber Intelligence Center comprises seasoned analysts who scrutinize collected data to validate the credibility of threats. This human expertise is crucial in distinguishing between genuine threats and exaggerated or false claims often found in cybercriminal chatter.
As highlighted in "Ain’t No Actor Trustworthy Enough", misinformation runs rampant in cybercriminal spaces, where actors manipulate narratives to mislead researchers, competitors, or even fellow criminals. KELA analysts cross-reference intelligence across multiple underground sources, exposing inconsistencies and preventing the spread of disinformation.
Continuous Monitoring and Verification: KELA’s solutions offer continuous monitoring of the cybercrime underground, enabling the detection of emerging threats and the validation of ongoing ones.
This is particularly important in the context of high-profile incidents, such as the "OpenAI breach", where cybercriminals made conflicting claims about compromising major AI infrastructure. By analyzing not just the claims but also the surrounding discussions, attack vectors, and historical behaviors of involved actors, KELA ensures that intelligence remains current and accurate.
By integrating automated technologies with expert human analysis, KELA effectively filters out false claims and delivers reliable, actionable threat intelligence to its clients.
This approach prevents security teams from chasing misinformation and instead enables them to focus on real, verifiable threats.
Vishwa: Could you provide details about the number and kinds of cyber attack claims, chats, and extortion updates detected by KELA’s team daily?
Itsik: KELA's cyber intelligence platform monitors a vast array of cybercrime sources daily, including dark web forums, ransomware blogs, and instant messaging channels like Telegram.
Through this extensive surveillance, in the past year, KELA tracked more than 5,000 ransomware victims, over 4.3 million infostealer-infected machines, and nearly 5 billion compromised credentials.
Looking at daily numbers, over the last year, KELA analyzed a daily average of:
Vishwa: What are the most often used attack vectors, tools, and techniques cybercriminals employ for successful breaches? Is there a difference between how they target the highly secure infrastructure of financial organizations as compared to lesser secured charitable organizations?
Itsik: Cybercriminals employ a variety of attack vectors, tools, and techniques to breach organizations. According to our "State of Cybercrime 2025" report, infostealer malware has emerged as a predominant initial access method. In 2024, KELA tracked over 4.3 million infected machines globally, leading to more than 330 million compromised credentials.
These stolen credentials often serve as gateways for further malicious activities, including ransomware attacks and data breaches.
Additionally, ransomware operations have intensified, with over 5,230 victims reported in the same year. Notably, the RansomHub ransomware group surpassed LockBit as the most prolific actor, indicating a shift in the ransomware landscape.
Also of note, over the past year, we saw a rise in AI-powered attacks. KELA observed the rise of jailbreak techniques, a growing threat to AI-driven organizations, enabling users to bypass safety measures, generate harmful content, and access unauthorized data.
In fact, the mentions of “jailbreaking” in underground forums surged by 50% in 2024, signaling a growing threat to organizations worldwide.
From an attack vector perspective, and looking specifically at the MITRE ATT&CK® framework, some of the most commonly exploited techniques include:
When comparing the targeting strategies between highly secure financial institutions and charitable organizations, we can see both similarities and differences in the threat actors’ tactics and approaches.
Financial organizations typically invest heavily in advanced cybersecurity measures, prompting attackers to employ sophisticated techniques such as exploiting zero-day vulnerabilities or orchestrating complex social engineering schemes to infiltrate these fortified environments.
In contrast, charitable organizations often operate with limited resources, leading to potentially outdated systems and insufficient cybersecurity training. This makes them more susceptible to common attack methods like phishing, where attackers deceive individuals into revealing sensitive information or installing malware.
However, it’s important to note that regardless of the type of organization, its size, or its demographic, we do see threat actors leveraging infostealers, ransomware, and phishing as part of their arsenals.
Vishwa: What are your observations and predictions about the most active and aggressive cybercriminals this year?
Itsik: In 2025 we are already seeing advancements in attacker strategies, while on the other hand cybercrime-as-a-service and collaboration among threat actors are lowering the barrier to entry for malicious activities.
Adversaries, from financially motivated actors to hacktivists and nation-state groups, are exploiting AI and emerging technologies to enhance the scale and impact of their attacks, with a focus on supply-chain vulnerabilities, critical infrastructure, and open-source ecosystems.
Looking ahead, we expect to see:
Vishwa: Several hacktivist groups are collaborating in the name of social causes and launching DDoS attacks. What is your observation about the motives, need for alliances, and source of funding that help them sustain and target the most sophisticated and advanced infrastructure?
Itsik: Hacktivist groups today operate with increasing coordination, leveraging alliances to amplify their impact and sustain long-term operations. Unlike traditional cybercriminals motivated by financial gain, these groups are driven by ideological, political, or social causes, often aligning themselves with geopolitical conflicts or major global events. Their motives range from disrupting government operations and corporations to making political statements against perceived injustices.
The need for alliances stems from the nature of modern cyber operations. Successful Distributed Denial-of-Service (DDoS) attacks, for example, require significant resources, including botnets, infrastructure, and technical expertise. By forming coalitions, hacktivist groups can pool their capabilities, share intelligence, and coordinate attacks to maximize disruption. This collaboration also helps them adapt quickly to countermeasures deployed by their targets.
As for funding, it varies widely. Some groups receive indirect support from nation-states that see hacktivism as a tool for asymmetric warfare. Others rely on cryptocurrency donations, crowdfunding, or even illicit activities such as ransomware to finance their infrastructure. Additionally, underground cybercrime forums provide a marketplace where these groups can acquire and sell attack tools, proxies, and botnets on a pay-as-you-go basis, making their operations more scalable and efficient.
At KELA, we continuously monitor these evolving threats, tracking their tactics, tools, and communications across the deep and dark web. In 2024, we saw that hacktivist activity was specifically amplified by geopolitics, with over 200 new hacktivist groups emerging, conducting more than 3,500 DDoS attacks. By digging deeper and understanding their infrastructure and alliances, we help organizations strengthen their defenses against politically and ideologically driven cyber threats.
As a recent example, KELA identified a new hacktivist alliance, Anonymous Commando Unit, which emerged on Telegram on March 13, 2025. The group was founded by a known figure involved in DDoS attacks, data leaks, selling malicious tools, and collaborating with other hacktivist groups.
Anonymous Commando Unit appears to have been created in response to Telegram’s ongoing crackdown on hacktivist accounts, likely as an effort to regroup and maintain operations. KELA provides customers with specific details on their recruitment and operations. As with Anonymous Commando Unit and other hacktivist groups, KELA continues to monitor developments within the hacktivist ecosystem and flag necessary information as appropriate.
Vishwa: Is there a tip that you would like to give our readers or businesses to help maintain security and avoid falling victim to cyber attacks like ransomware? Is there a best practice checklist that you would like to share with us?
Itsik: Remember, your attack surface is no longer about perimeter security — it’s about knowing what the attackers know about you.
You need a robust identity security platform, like KELA Identity Guard, to get this vantage point. I recommend everyone read The Complete Guide to Combating Ransomware.