What Are Initial Access Brokers?
Initial access brokers (IABs) are threat actors that sell cybercriminals access to organizations’ networks.
Once they have access to an organization, they offer their service in underground online forums, such as the kind found on the dark web. Their primary customers are ransomware groups and related associates who purchase access to already breached networks and systems in order to launch ransomware attacks.
How Do Initial Access Brokers Gain Access to Secure Networks?
Initial access brokers gain access to systems through common, malicious means. Chief among those are social engineering tactics such as phishing. But social engineering is not the only tool in their cybercrime toolbox. Initial access brokers can also breach a system through a vulnerability, through the local installation of malware after gaining physical access to an organization through something like tailgating, through credential compromise by brute-force attacks or password spraying, or through stolen network, application, or user credentials purchased from a third party.
Kinds of Access That Initial Access Brokers Sell
As IABs hold the keys to a given network’s kingdom, they can name their own price and set their own terms. The cost of their services varies, in large part, with the type of organization to which they’re offering access, the specifics of who they are selling to (such as a known ransomware group with set rates), and other key considerations. Factors that influence the price tag for using their services often include the organization’s industry, size, number of employees and annual revenue.
Other contributing factors include the vulnerability level of the company (i.e., how much time and resources it took for them to gain that initial access) as well as the type of access being sold.
Typically, an initial access broker will offer one or more of the following types of access:
- VPN access
- Email or SaaS access
- Initial footholds via malware
- Domain or Active Directory (AD) access
- Pre-exploited vulnerabilities
- Compromised third-party accounts
Initial Access Brokers and Ransomware
Ransomware is not going anywhere, and in fact continues to increase in volume and severity. 23% of respondents in The State of Cybersecurity: 2025 Trends Report reported that their organization experienced at least one “significant” ransomware attack in 2024. Ransomware made up 44% of Arctic Wolf Incident Response cases in 2024, according to the 2025 Arctic Wolf Threat Report.
Analysts expect not only the frequency of attacks to continue to increase, but the average ransom demand as well. And, thanks to sinister new innovations like double and triple extortion, threat actors are able to exfiltrate valuable data quickly and still make off with a payday.
While the gangs that grab headlines have managed to make massive profits, and Ransomware-as-a-service (RaaS) — where developers of a ransomware variant recruit affiliates that exclusively use their ransomware in targeted attacks for a split of the profits — has seen a surge, creating a ‘successful’ ransomware attack still takes a great deal of time and resources.
Even if a threat actor has a variant that’s dependable, they still need to gain access to the target system in order to deploy it. That means significant time spent on reconnaissance and resource development, and any time spent on initial access into a target organization is time not spent on developing payloads and reaping ransoms.
To solve this problem, more threat actors are turning to cost-effective alternatives that do the hard work of gaining access to corporate networks for them – initial access brokers.
Now, any aspiring cybercriminal can simply purchase access into an organization from an IAB and then deploy the ransomware. As part of their affiliate relationship with the ransomware authors, the actual attacker may receive general guidance (or even strict rules) about how to conduct the negotiations; they will also be able to leverage the author’s reputation, as needed.
How Do You Protect Your Organization Against Initial Access Brokers?
Protecting against initial access brokers is about closing off the footholds IABs sell. Since these individuals thrive on weak perimeter defenses, stolen credentials, and unpatched systems, defenses should be layered and thorough.
The main protection strategies IT and security teams can deploy are:
- Strengthen identity and access controls, such as enforcing multi-factor authentication (MFA), monitoring identities and user access, and restricting access through methods such as zero trust.
- Utilize risk-based vulnerability management to patch high-risk vulnerabilities consistently.
- Deploy detection and response solutions, including endpoint detection and response (EDR) and managed detection and response (MDR), for enhanced visibility, fast malware (and other threat) detection, and response actions that can limit threats to their initial access point.
- Develop an incident response (IR) plan and have IR readiness capabilities in place in case a threat turns into an incident.
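As an illustration of the identity-monitoring item above, the following added example (not code from the original page or from any vendor product) scans authentication events for the brute-force and password-spraying patterns described earlier, and flags any successful login that follows them from the same source. The event format, thresholds, and sample data are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window
SPRAY_ACCOUNTS = 5              # assumed: distinct accounts failing from one source
BRUTE_FAILURES = 10             # assumed: failures on one account from one source

# Constructed events for illustration, not real logs:
# (ISO time, source IP, account, result)
SAMPLE_EVENTS = [(f"2025-01-10T08:0{i}:00", "203.0.113.7", user, "fail")
                 for i, user in enumerate(["alice", "bob", "carol", "dave", "erin"])]
SAMPLE_EVENTS.append(("2025-01-10T08:06:00", "203.0.113.7", "svc-backup", "success"))
SAMPLE_EVENTS += [(f"2025-01-10T09:{i:02d}:00", "198.51.100.9", "admin", "fail")
                  for i in range(10)]
SAMPLE_EVENTS += [("2025-01-10T10:00:00", "192.0.2.20", "gina", "fail"),
                  ("2025-01-10T10:00:20", "192.0.2.20", "gina", "fail"),
                  ("2025-01-10T10:00:40", "192.0.2.20", "gina", "success")]

def detect_credential_attacks(events):
    """events: iterable of (iso_time, source_ip, account, 'fail' | 'success').
    Returns a sorted list of (finding, source_ip, account_or_None)."""
    by_source = defaultdict(list)
    for ts, src, account, result in events:
        by_source[src].append((datetime.fromisoformat(ts), account, result))

    findings = set()
    for src, rows in by_source.items():
        recent = deque()    # failures from this source still inside WINDOW
        suspicious = False  # set once this source matches either pattern
        for ts, account, result in sorted(rows):
            while recent and ts - recent[0][0] > WINDOW:
                recent.popleft()
            if result == "fail":
                recent.append((ts, account))
                accounts = [a for _, a in recent]
                if len(set(accounts)) >= SPRAY_ACCOUNTS:
                    findings.add(("password_spray", src, None))
                    suspicious = True
                if accounts.count(account) >= BRUTE_FAILURES:
                    findings.add(("brute_force", src, account))
                    suspicious = True
            elif suspicious:
                # A success after a flagged pattern is the account to triage first.
                findings.add(("success_after_attack", src, account))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))
```

Attempts spread out beyond the window stay under these thresholds, which is why this kind of monitoring complements MFA rather than replacing it.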
