Ransomware's Helper: Initial Access Brokers FlourishHigh-Quality Access - via RDP, VPN, Citrix - Can Retail for $2,000, Kela Reports
To take down bigger targets more easily and quickly, ransomware gangs are increasingly tapping initial access brokers, who sell ready access to high-value networks.
See Also: Threat Horizons Report
On average, such access is sold for $1,500 to $2,000, says Victoria Kivilevich, a threat intelligence analyst at Israeli cyberthreat intelligence monitoring firm Kela.
"Some of them are looking for one buyer and state that they’re ready to work for a percentage, most likely meaning a share from the amount gained in a successful ransomware attack."
"For such a sum, threat actors usually offer domain admin-type of access to medium-sized companies with hundreds of employees," she says.
Using initial access brokers enables attackers to avoid the time-consuming, laborious process of finding victims and attempting to hack them. Instead, they can see a menu of potential victims and pay for remote access credentials that are guaranteed to work.
Kivilevich writes in a new report from Kela that over the last three months of 2020, she counted 242 initial network access offers for sale across three cybercrime forums with a total asking price of $1.2 million.
During that time frame, Kivilevich says, the average price per access was $6,684, the median price was $1,500 and the highest single price listed was 7 bitcoins, which at the time could have been worth about $130,000. But 24% of offers didn't list a price.
While the number of access offers being sold declined from month to month, Kivilevich says that many are now "being traded in private conversations," which makes it difficult to ascertain the quantity and selling price of everything that's being sold.
Types of Access
The most common types of access being sold - comprising 45% of what's publicly on offer - are credentials for remote desktop protocol or VPNs; details of a vulnerability in the victim's system that facilitates remote code execution, aka RCE; and access to Citrix products, Kivilevich says.
Using RDP or VPN to gain access, "an intruder can move laterally and eventually can succeed in stealing sensitive information, executing commands and delivering malware," she says. "The RCE vulnerability type of initial access is usually limited to the ability to run code using a specific vulnerability, which allows actors to pivot further within the targeted environment."
But in about half of all listings, initial access brokers don't specify what type of access they're selling - or they may just list the level of access that a buyer could gain, such as "admin or user, local or domain," she says. In other cases, brokers sell remote access to remote control software, such as ConnectWise and TeamViewer, running in a victim's organization, she says, "which provide actors with RDP-like capabilities."
Big Game Hunting
Security experts say demand for initial access brokers' services has been surging. Using these brokers can help gangs more quickly take down larger targets via what's known as big game hunting.
In 2018, the sum of all prices for access information being offered by initial access brokers was about $1.6 million and involved about 37 active sellers, says cybersecurity firm Group-IB. But by the first half of 2020, the sum of all such access being sold had increased to $6.2 million, with 63 active sellers. Of those, 52 had only begun selling access credentials in 2020, thus demonstrating an influx of new sellers.
More ransomware gangs, including ransomware-as-a-service operators, have shifted to big game hunting because of the return on investment that it offers. For about the same effort, hitting a larger target enables a ransomware operator to demand a bigger ransom.
Using initial access brokers helps facilitate that strategy. For example, ransomware incident response firm Coveware reported that in Q4 2020, the average ransom payment was $154,108. For many ransomware operations, which are run as profit-making illicit businesses, spending $2,000 for remote access to facilitate such a return is a no-brainer.
Building New Relationships
Historically, initial access brokers advertised their services on cybercrime forums and marketplaces. Some brokers appear to have long-term relationships with certain ransomware gangs, affiliates or middlemen, and offer them first right of refusal before making access offers available to others, Kela's Kivilevich says.
But late last year, she reported seeing a reversal: The Darkside ransomware operation posted that it was actively seeking new partners who could give it access to U.S. businesses with annual revenue of at least $400 million.
Kivilevich said that was the first time she'd seen "ransomware operators offering initial access brokers the opportunity to directly trade with them" instead of leaving such relationships to "affiliates or other middlemen."
How Many Sales Happen in Private?
Beyond seeking to build partnerships, another trend has been discretion. Many initial access brokers only supply a full list of access offers, or prices, directly to potential buyers via private communications, rather than listing all of that information on cybercrime markets, she says.
"While such behavior always existed, there is a more recent trend that emerged these past couple of months - brokers often offer a bunch of accesses in one thread and request potential buyers contact them privately to get the whole list," according to Kivilevich. "Some of them are looking for one buyer and state that they’re ready to work for a percentage, most likely meaning a share from the amount gained in a successful ransomware attack."
As ransomware gangs continue to innovate - including hiring more specialists and using data-leaking sites to pressure victims - so too do individuals who can provide them with remote access to juicy-looking targets. Thus the cybercrime-as-a-service ecosystem continues to evolve.