Digital Shadows released new research into a group of cybercriminals who are essential to the profitability of ransomware, but who are also often overlooked: initial access brokers. Initial access brokers gain remote access to vulnerable organizations, which an end-purchaser of ransomware or RaaS can then leverage to wreak havoc.

According to the Digital Shadows research, once they find their way in, initial access brokers poke around the network, at times attempting to escalate privileges or move laterally to access more information. They manage and organize their access, tailoring it into a presentable product, and determine how much money they could get in the criminal market. At this point, our internal access broker visits their favorite criminal forum and creates a thread advertising the access with prices typically between $500 to $10,000. Listings are customer agnostic; the goal is to make money, so whoever wants to buy their access (e.g. nation-state APT, financially motivated groups, data brokers) can have it.

"Once the access is acquired, the purchaser can conduct additional network reconnaissance and utilize the access for whatever they intend. A likely non-exhaustive list would encompass ransomware, espionage, flip it for more money, move laterally, escalate privileges, or live on the network inconspicuously, taking advantage of Living off the Land (LotL) methods," writes threat intelligence team lead Alec Alvarado. "Once the broker has gained access, and they are ready to list it, they’re faced with a dilemma. They can demonstrate the value of their access to gain more attention and likely increase interest, resulting in a higher auction outcome. However, this option could be problematic; if they give away too much information, security researchers may identify the victim and kill the access, ruining their hard work." 

Some brokers play it safe by using Zoominfo, a site that maintains business-to-business (B2B) information on organizations globally, which collects details such as company revenue and employee count. Brokers can leverage these details and even go as far as referencing Zoominfo in their listings to better advertise their listings without giving away the company's name. 

"Coming full circle, the question is: How can an organization operationalize this information? Ideally, with this information in hand, organizations can stop a ransomware infection at a critical point in the attack chain - where the broker advertises their access," writes Alvarado. 

For the full blog, please visit https://www.digitalshadows.com/blog-and-research/not-another-ransomware-blog-initial-access-brokers-and-their-role/