Euro Security Watch with Mathew J. Schwartz

Ransomware's Helper: Initial Access Brokers Flourish

High-Quality Access - via RDP, VPN, Citrix - Can Retail for $2,000, Kela Reports
A cybercrime forum seller promises multiple types and levels of access to a compromised U.S. organization's network. (Source: Kela)

To take down bigger targets more easily and quickly, ransomware gangs are increasingly tapping initial access brokers, who sell ready access to high-value networks.

On average, such access is sold for $1,500 to $2,000, says Victoria Kivilevich, a threat intelligence analyst at Israeli cyberthreat intelligence monitoring firm Kela.

"For such a sum, threat actors usually offer domain admin-type of access to medium-sized companies with hundreds of employees," she says.

Using initial access brokers enables attackers to avoid the time-consuming, laborious process of finding victims and attempting to hack them. Instead, they can browse a menu of already-compromised organizations and pay for remote access credentials that the broker has already confirmed work.

Kivilevich writes in a new report from Kela that over the last three months of 2020, she counted 242 initial network access offers for sale across three cybercrime forums with a total asking price of $1.2 million.

During that time frame, Kivilevich says, the average price per access was $6,684, the median price was $1,500 and the highest single price listed was 7 bitcoins, which at the time could have been worth about $130,000. The gap between the average and the median shows that a handful of very expensive listings skew the average upward, so the median is the better guide to what a typical access sells for. Another 24% of offers didn't list a price at all.

Two access offers for sale in the $1,500 to $2,000 price range (Source: Kela)

While the number of access offers being sold declined from month to month, Kivilevich says that many are now "being traded in private conversations," which makes it difficult to ascertain the quantity and selling price of everything that's being sold.

Types of Access

The most common types of access being sold - comprising 45% of what's publicly on offer - are credentials for Remote Desktop Protocol, aka RDP, or VPNs; details of a vulnerability in the victim's systems that facilitates remote code execution, aka RCE; and access to Citrix products, Kivilevich says.

Using RDP or VPN to gain access, "an intruder can move laterally and eventually can succeed in stealing sensitive information, executing commands and delivering malware," she says. "The RCE vulnerability type of initial access is usually limited to the ability to run code using a specific vulnerability, which allows actors to pivot further within the targeted environment."

A seller lists RDP access, via ConnectWise, to a network that has 400 systems. (Source: Kela)

But in about half of all listings, initial access brokers don't specify what type of access they're selling - or they may just list the level of access that a buyer could gain, such as "admin or user, local or domain," she says. In other cases, brokers sell remote access to remote control software, such as ConnectWise and TeamViewer, running in a victim's organization, she says, "which provide actors with RDP-like capabilities."

Big Game Hunting

Security experts say demand for initial access brokers' services has been surging. Using these brokers can help gangs more quickly take down larger targets via what's known as big game hunting.

In 2018, the sum of all prices for access information being offered by initial access brokers was about $1.6 million and involved about 37 active sellers, says cybersecurity firm Group-IB. But by the first half of 2020, the sum of all such access being sold had increased to $6.2 million, with 63 active sellers. Of those, 52 had only begun selling access credentials in 2020, thus demonstrating an influx of new sellers.

Kela says that during Q4 2020, just 10 sellers appeared to account for nearly half of all initial access broker listings across three cybercrime forums.

More ransomware gangs, including ransomware-as-a-service operators, have shifted to big game hunting because of the return on investment that it offers. For about the same effort, hitting a larger target enables a ransomware operator to demand a bigger ransom.

Using initial access brokers helps facilitate that strategy. For example, ransomware incident response firm Coveware reported that in Q4 2020, the average ransom payment was $154,108. For many ransomware operations, which are run as profit-making illicit businesses, spending $2,000 for remote access to facilitate such a return is a no-brainer.

Average ransom amounts demanded by ransomware operators (Source: Group-IB, November 2020)

Building New Relationships

Historically, initial access brokers advertised their services on cybercrime forums and marketplaces. Some brokers appear to have long-term relationships with certain ransomware gangs, affiliates or middlemen, and offer them first right of refusal before making access offers available to others, Kela's Kivilevich says.

But late last year, she reported seeing a reversal: The Darkside ransomware operation posted that it was actively seeking new partners who could give it access to U.S. businesses with annual revenue of at least $400 million.

Post by Darkside operators to a Russian-language cybercrime forum (Source and translation: Kela)

Kivilevich said that was the first time she'd seen "ransomware operators offering initial access brokers the opportunity to directly trade with them" instead of leaving such relationships to "affiliates or other middlemen."

How Many Sales Happen in Private?

Beyond seeking to build partnerships, another trend has been discretion. Many initial access brokers only supply a full list of access offers, or prices, directly to potential buyers via private communications, rather than listing all of that information on cybercrime markets, she says.

"While such behavior always existed, there is a more recent trend that emerged these past couple of months - brokers often offer a bunch of accesses in one thread and request potential buyers contact them privately to get the whole list," according to Kivilevich. "Some of them are looking for one buyer and state that they’re ready to work for a percentage, most likely meaning a share from the amount gained in a successful ransomware attack."

Initial access brokers leave feedback for a buyer in a thread started by the buyer. (Source: Kela)

As ransomware gangs continue to innovate - including hiring more specialists and using data-leaking sites to pressure victims - so too do individuals who can provide them with remote access to juicy-looking targets. Thus the cybercrime-as-a-service ecosystem continues to evolve.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
