Get The Latest Insights

By Jessica Ellis | November 15, 2021

Ransomware continues to grow as a thriving underground economy with limited risk and little barrier to entry. Ransomware attacks are supported by a robust ecosystem of dark web services, where many of the tasks needed to carry out an attack can be outsourced. These tasks are increasingly available and sold by threat actors who specialize in them.

In this post, we take a look at Initial Access Brokers (IABs), commonly sought-after ransomware affiliates that sell access to compromised networks.

Who Are Initial Access Brokers

Conducting business with an IAB saves ransomware operators the time and resources they would otherwise use trying to compromise a vulnerable network. Working with an IAB allows them to focus on executing their attacks as well as managing partnerships that will aid in more sophisticated and often risk-free campaigns.

While IABs did exist before the pandemic-driven shift to remote work, the increased use of remote access collaboration (RAC) tools by enterprises has made it easier for IABs to thrive. IABs sell remote access to compromised systems. After a system has been compromised, IABs will indiscriminately sell varying degrees of access to bad actors, including ransomware operators.

The rise in RaaS, and the underground markets that serve them, also make it increasingly difficult for authorities to apprehend IABs connected to any given attack. This lack of accountability makes the role of an IAB a desirable one, as compromised networks (as well as the tools and services used to execute an attack) become more widely-available to buyers.

How Initial Access Brokers Work

IABs use various methods to build their inventory of access points into corporate networks. Common tactics include:

  • Exploiting vulnerabilities in remote access tools (such as Remote Desktop Protocol and Virtual Private Network applications)
  • Using phishing attacks to steal user or administrator credentials
  • Using phishing attacks to deploy malware on user endpoints
  • Mining credential dumps for corporate user accounts
  • Using “password spraying” to compromise accounts using common or known username/password combinations

Advertising Strategies

Initial Access Broker on Russian XSS Forum

Once an organization’s credentials are validated and they have confirmed access to the network, IABs will advertise details of the target to potential buyers on the Dark Web, often without naming them directly for fear of being detected by security researchers or authorities.

IABs will also include the level of access that is available as well as the market valuation. The market valuation is particularly significant to ransomware operators when evaluating what they could reasonably demand from the victim.

More recently, IABs are shifting to conduct business via private conversations versus public-facing chat rooms on the Dark Web. This is the result of two factors:

  • Stealth: Increased pressure from law enforcement to crack down on ransomware families and their affiliates is causing IABs to conduct business with added caution. Multiple RaaS groups, most recently the Black Matter family, have dismantled their infrastructures to avoid being apprehended. These actors often re-emerge later and resume their activity under new family names.
  • Job Opportunities: The value IABs bring to RaaS models is causing ransomware operators to proactively seek out IABs about their offerings before they promote access to the public. RaaS operators are even going as far as to put reputable IABs on their payroll.

In addition to the minimal price tag, the critical access to systems that an IAB provides makes their services enticing to ransomware operators, especially those with limited resources. The average ransomware payment continues to increase, and with demands nearly reaching $140,000 in Q3, we can expect the demand for IABs will only grow.

What Can Enterprises Do About IABs?

For most enterprises, the risk posed by IABs can be managed by minimizing opportunities these actors have to compromise access points and sourcing threat intelligence that detects when threat actors are marketing access into their networks. Specific initiatives should include:

  • Identifying and remediating remote access vulnerabilities
  • Detecting and mitigating phishing campaigns and credential theft attacks that target enterprise accounts
  • Monitoring dark web marketplaces and chat services where access to corporate networks is marketed
  • Mining credential dumps and resetting leaked enterprise credentials

Contact PhishLabs to learn more.