Ransomware operators love them: Key trends in the Initial Access Broker space

In a threat actor's mind, take out the legwork, reap the proceeds of blackmail.
Written by Charlie Osborne, Contributing Writer

The Initial Access Broker market continues to expand, with fees a drop in the ocean in comparison to the potential rewards of a successful ransomware attack. 

Initial Access Brokers (IABs) are individuals or groups who have managed to quietly obtain access to a corporate network or system through means including, but not limited to, stolen credentials, brute-force attacks, or by exploiting vulnerabilities. 

In recent years, ransomware-as-a-service (RaaS) groups have taken an interest in these brokers, as by employing them directly or paying them a fee in return for access to a target system, they are able to avoid the first step of intrusion: the time-consuming process required to find a vulnerable endpoint. 

On Monday, cybersecurity firm KELA published a report exploring the Initial Access Broker market and found that the average cost of network access was $5,400, while the median price was $1,000. 

When you consider today's ransomware demands are reaching millions of dollars, from a criminal's perspective, this is a small price to pay. 

The team examined over a thousand listings in dark web underground forums from July 1, 2020, to June 30, 2021, and found that initial access ads included a range of network and compromised account-based offerings -- such as remote access to a computer in an organization -- as well as domain-level privilege account access and both RDP and VPN-based remote access. 

In total, 25% of the listings were posted by brokers. 

Unsurprisingly, the most valuable offers -- and, therefore, those earning the top prices -- were initial access services offering domain-level privileges in companies boasting hundreds of millions of dollars in revenue.

The most expensive initial access listings were for access to an Australian company generating an annual revenue of $500 million, offered for 12 Bitcoin (BTC), or roughly $478,000, and for access to an IT company in the United States, through ConnectWise, offered for 5 BTC ($200,000).

Access to small companies may cost as little as $200.

"While some actors are ready to work for a percentage (a share from the amount gained in a successful ransomware attack), the majority of IAB prefer to stick to fixed prices," KELA says.

It should also be noted that as a string of high-profile ransomware attacks -- including Kaseya and Colonial Pipeline -- has put law enforcement and governments on notice, some brokers are moving from public adverts to private conversations with RaaS groups. 

As the bottom line is at the heart of this business model, some Initial Access Brokers were linked to data theft even if their services are not purchased -- potentially in order to sell stolen records in bulk as an alternative revenue stream.

Top impacted countries included the United States, UK, Australia, France, and Canada. 

The report does note that there seems to be some form of honor among thieves -- with few ads found that relate to healthcare systems, such as those operated by hospitals. 

"IABs have become professional participants of the RaaS economy," KELA says. "They constantly find new initial access vectors, expanding the attack surface, and follow their customers' demands."
