Ransomware attacks are on the rise and for the victims of these crimes, it is an expensive problem. For actors on the other side, however, the trend offers new ways of making money. One example of this is the role of the initial access broker.

The most profitable ransomware attacks can only be carried out by first accessing a secure network and cybercriminals don't always have the ability to achieve this. Instead, they may purchase the necessary access from a broker.

So what are initial access brokers and how can you protect against them?

What Are Initial Access Brokers?


Initial access brokers are malicious actors that provide access to secure networks for a fee. They are often hackers but may also gain access to networks using social engineering.

Their motivation is not to carry out cyberattacks themselves but rather to sell the access to another party. Due to the profitability of ransomware attacks and other cyberattacks, there are many potential buyers for such a product.

This allows initial access brokers to make significant profits despite only playing a small role in cybercrime as a whole.

How Initial Access Brokers Gain Access

Initial access brokers use a variety of techniques to enter secure networks. If a network utilizes outdated software, hackers may be able to break in quickly. They can also attempt to figure out user credentials using brute force techniques such as password spraying. Or they may try phishing, or spear phishing, attacks against known users.

What Types of Access Do They Sell?


Initial access brokers primarily sell user credentials. Once obtained, they allow the holder to access a network in the same way as a legitimate user.

User credentials are primarily sold for remote desktop protocols and VPNs. Some initial access brokers take this further by installing remote management software on compromised servers; the credentials for that software are then sold on, providing convenient access.

After purchasing credentials, an attacker is able to look for valuable information, possibly disable security features, and potentially install any program that they like. In other words, the credentials can be used to initiate a wide range of cyberattacks.

Who Buys From Initial Access Brokers?

Initial access brokers primarily sell to ransomware operators. They sell to the highest bidder and ransomware tends to be the most profitable way to use their product. But initial access can also hold value to other parties. If a server has confidential information, user credentials may be purchased for the purposes of obtaining it.

Initial access brokers sell their products on dark web marketplaces. Their product pages include information such as the type of server, the level of access, and the revenue of the company that the server belongs to. This allows cybercriminals intent on a specific type of cyberattack to easily find suitable credentials for that purpose.

The price of initial access varies from less than a hundred dollars to many thousands. Credentials are typically priced based on the revenue of the company that owns the network.

How Initial Access Brokers Cause a Rise in Ransomware Attacks


Ransomware isn't a complicated software product. It's also widely available to purchase on the dark web. Many ransomware operators are not expert hackers. They are ordinary people in possession of a powerful tool.

The ability to make money from ransomware is therefore not dictated by technical ability or even access to software. It is limited by the fact that finding networks to carry out attacks on is difficult.

Large organizations spend large amounts of money securing their networks for exactly this purpose. Breaking through therefore requires a lot of effort and many infiltration attempts prove unsuccessful.

Initial access brokers remove this barrier to entry. They set up shop and announce that they've already done all of the hard work. For a small fee (in comparison to the potential profits), anyone can access the network of an otherwise professional organization.


This has significant effects on the ransomware industry as a whole.

It offers an efficient division of labor, allowing all parties to focus on what they do best. Hackers can monetize their ability to access networks quickly, and ransomware groups are able to focus exclusively on the extortion side.

It also allows individuals with limited technical expertise to carry out attacks without actually learning anything. Ransomware is often sold with both user instructions and customer support. Initial access brokers then provide the user credentials necessary to profit from it.

Another issue with initial access brokers is that they add another layer to the ransomware industry. If the perpetrator of a ransomware attack is prosecuted, the initial access broker who provided access is unlikely to be prosecuted and vice versa. This makes the prosecution and prevention of ransomware attacks more difficult as a whole.

How to Protect Against Initial Access Brokers


Initial access brokers don't target private individuals; it's simply not profitable to do so. Instead, they target businesses. If you're in charge of a potentially valuable network, there are many steps that you can take to make access more difficult.

  • All software should be kept updated with patches being installed immediately upon release. This prevents malicious actors from exploiting known vulnerabilities.
  • Anyone with access to a network should be taught about the threat posed by both phishing and spear phishing emails.
  • The use of strong passwords should be enforced among all users. Users should also be prevented from using the same password in multiple accounts.
  • The use of multi-factor authentication should be enforced. If access to a network requires an additional form of authentication, stolen user credentials are rendered ineffective.

Initial Access Brokers Are an Important Threat to Be Aware Of

Initial access brokers are an important threat for businesses to be aware of. Once they gain access to a network, they advertise the opportunity on the dark web and hand the credentials to the highest bidder.

This provides the buyer with the ability to steal information or install ransomware which requires a significant financial outlay to fix.

To prevent this type of intrusion, it's important to keep networks secure by updating software regularly and making sure that all users are acting responsibly.