Crooks are selling access to hacked networks. Ransomware gangs are their biggest customers

Dark web forum posts offering compromised VPN and RDP credentials, and other ways into networks, have tripled in the past year.
Written by Danny Palmer, Senior Writer

There's been a surge in cyber criminals selling access to compromised corporate networks, as hackers look to cash in on demand from gangs looking to launch ransomware attacks.

Researchers at cybersecurity company Group-IB analysed activity on underground forums and said there's been a sharp increase in the number of offers to sell access to compromised corporate networks, with the number of posts offering access tripling between 2020 and 2021. 

Crooks are offering compromised Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) login credentials, as well as web shells, reverse shells, access via the Cobalt Strike penetration testing tool and more. 


With this initial foothold, cyber criminals can move through a company's network and attempt to harvest further usernames and passwords, or administrator rights, that give them greater control over it.  

On the underground forums being analysed, the number of offers to sell access to corporate networks went up from 362 to 1,099, a threefold rise in just a year, and the report describes the increase as "one of the clearest trends on underground forums". 

The industries to which access is most commonly offered include manufacturing, education, financial services and healthcare.  

The cost of access varies greatly and can sometimes be as low as a few thousand dollars, something a ransomware crew could make back many times over from a successful attack. But there's a direct correlation between the price of access and the victim company's revenue: the higher the revenue, the higher the price.   

One of the key reasons for the increase in sellers is demand driven by the growth in ransomware attacks. Ransomware groups need access to networks, and buying it is easier and less time-consuming than compromising networks themselves. 

"Ransomware operators are the main 'customers' of initial access brokers' (IAB) services," Dmitry Shestakov, head of cybercrime research at Group-IB told ZDNet. 

"This unholy alliance of IABs and ransomware operators as part of ransomware-as-a-service affiliate programs has led to the rise of the ransomware empire," he added. 

Another reason for the growth of initial access markets is that the skills threshold for this sort of cybercrime is relatively low: less sophisticated cyber criminals can use phishing attacks or buy off-the-shelf malware to steal information.

The report also suggests that gaining this initial access has become easier due to the rise in remote working as a result of the pandemic, which has resulted in many organisations unintentionally exposing insecure or misconfigured applications that cyber criminals can easily exploit. 


And as long as there are insecure networks that can be accessed and a demand from other cyber criminals to buy access to those networks, the rise of the access broker market looks set to continue.

"We expect the number of brokers and initial access offers to grow. As the supply increases to meet the demand, we expect the price of initial access to corporate networks to decrease," said Shestakov. "Ransomware will remain the main way to monetize access to corporate networks because it provides the highest possible return on investment for IABs," he added. 

There are measures that organisations can take to help avoid cyber criminals breaching the network and gaining access to credentials.  

They include installing software updates and security patches on a regular and timely basis to protect against known vulnerabilities, encouraging the use of strong passwords that are difficult to crack in brute-force attacks, and applying multi-factor authentication to accounts, so that if credentials are compromised, there are limited opportunities for attackers to exploit them. 
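Brute-forced RDP credentials are exactly the kind of access the brokers above are selling, and a burst of failed logons followed by a success is the footprint that theft leaves in a Windows Security log. The script below is an added example, not part of the article or of Group-IB's report: it runs a simple sliding-window detector over a constructed sample of logon events. The JSON-lines layout and the field names (`time`, `event`, `user`, `src`, `logon_type`) are assumptions for the example; real 4624/4625 events arrive as EVTX/XML and would normally be normalised by a SIEM or log forwarder first. Event IDs 4624 (successful logon), 4625 (failed logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security event: an account failed to log on
SUCCESSFUL_LOGON = 4624  # Windows Security event: an account was successfully logged on
RDP_LOGON_TYPE = 10      # LogonType 10 = RemoteInteractive (Terminal Services / RDP)

# Constructed sample log for this example (not real telemetry). One JSON object per line;
# the schema is an assumption standing in for whatever your SIEM emits for 4624/4625.
# 203.0.113.7 sprays three accounts in a few seconds and then logs in as jsmith.
SAMPLE_LOG = """\
{"time": "2021-11-03T09:00:01", "event": 4625, "user": "jsmith", "src": "203.0.113.7", "logon_type": 10}
{"time": "2021-11-03T09:00:03", "event": 4625, "user": "jsmith", "src": "203.0.113.7", "logon_type": 10}
{"time": "2021-11-03T09:00:04", "event": 4625, "user": "admin", "src": "203.0.113.7", "logon_type": 10}
{"time": "2021-11-03T09:00:06", "event": 4625, "user": "backup", "src": "203.0.113.7", "logon_type": 10}
{"time": "2021-11-03T09:00:08", "event": 4625, "user": "jsmith", "src": "203.0.113.7", "logon_type": 10}
{"time": "2021-11-03T09:00:09", "event": 4625, "user": "jsmith", "src": "203.0.113.7", "logon_type": 10}
{"time": "2021-11-03T09:00:15", "event": 4624, "user": "jsmith", "src": "203.0.113.7", "logon_type": 10}
{"time": "2021-11-03T09:05:00", "event": 4625, "user": "mlee", "src": "198.51.100.20", "logon_type": 10}
{"time": "2021-11-03T09:05:30", "event": 4624, "user": "mlee", "src": "198.51.100.20", "logon_type": 10}
{"time": "2021-11-03T09:10:00", "event": 4624, "user": "svc_build", "src": "10.0.0.5", "logon_type": 3}
"""


def parse_events(text):
    """Parse JSON-lines logon events into dicts with a datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    events.sort(key=lambda r: r["time"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag RDP sources with >= threshold failed logons inside a sliding window,
    and any successful RDP logon from a source that was already flagged.

    Returns a list of alert dicts in the order they fire. Only logon type 10
    (RDP) is considered; network and service logons are ignored.
    """
    recent = defaultdict(deque)  # src -> deque of (time, user) for failures inside the window
    flagged = {}                 # src -> time the failure burst first crossed the threshold
    alerts = []
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        src = ev["src"]
        if ev["event"] == FAILED_LOGON:
            q = recent[src]
            q.append((ev["time"], ev["user"]))
            # Drop failures that have aged out of the window.
            while q and ev["time"] - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = ev["time"]
                alerts.append({
                    "type": "rdp_bruteforce",
                    "src": src,
                    "time": ev["time"],
                    "failures": len(q),
                    "users": sorted({user for _, user in q}),
                })
        elif ev["event"] == SUCCESSFUL_LOGON and src in flagged:
            # A success after a burst of failures is the strongest signal that a
            # password was guessed: this credential is what an access broker would sell.
            alerts.append({
                "type": "success_after_bruteforce",
                "src": src,
                "time": ev["time"],
                "user": ev["user"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

Two design choices are worth keeping when adapting this to real data: the threshold and window should be tuned per environment (a help desk that locks users out legitimately will generate 4625 bursts too), and the `success_after_bruteforce` alert is the one to page on, since a burst of failures alone is background noise on any RDP endpoint exposed to the internet. Enforcing multi-factor authentication on the RDP gateway, as the article recommends, is what turns that second alert from "credential sold" into "credential useless".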
