What Are Initial Access Brokers?
Initial access brokers are threat actors that sell cybercriminals access to corporate networks. They are highly skilled, with a specialized skill set honed over a long period of black hat hacking, which they use to access secure networks.
Once they have access, they offer their service in underground online forums, the kind found on the dark and grey web. Their primary customers are ransomware groups and their associates who purchase access to already breached networks and systems.
How Do Initial Access Brokers Gain Access to Secure Networks?
Initial access brokers gain access to systems via standard cybercriminal means. Chief among those are social engineering tactics such as phishing. But that’s not the only tool in their cyber toolbox. They’ll also breach a system through an exploit of unpatched software, via the local installation of malware after gaining physical access to an organization through something like tailgating, via brute-force attacks or password spraying, or through stolen network credentials purchased from a third party.
What Kind of Access Do Initial Access Brokers Sell?
As they hold the keys to a network’s kingdom, they can name their own price and set their own terms. The cost for using their services varies, in large part, due to the type of organization to which they’re offering access. Factors that influence the price tag for using their services include the organization’s industry, size, number of employees and annual revenue.
Other contributing factors include the vulnerability level of the company (i.e., how much time and resources it took for them to gain that initial access) as well as the type of access being sold. Typically, an initial access broker will offer one or more of the following types of access:
- Remote Desktop Protocol (RDP)
- Active Directory (AD)
- Server Root Credentials
- Web Shell Access
- Remote Monitoring & Management (RMM)
- Control Panels
Initial Access Brokers and Ransomware
According to the 2022 Verizon Data Breach and Investigation Report, “In 2021, ransomware has continued its upward trend with an almost 13% increase (for a total of 25% of breaches)—a rise as big as the past five years combined.”
Ransomware is not going anywhere. Analysts expect not only the frequency of attacks to continue to increase, but the average ransom demand as well. And, thanks to sinister new innovations like double and triple extortion, more would-be cybercriminals might decide it’s just too target-rich an environment to ignore.
While the gangs that grab headlines have managed to make massive profits, and Ransomware-as-a-Service (RaaS) — where developers of a ransomware variant recruit affiliates that exclusively use their ransomware in targeted attacks for a split of the profits — has seen a surge, creating a ‘successful’ ransomware attack still takes a great deal of time and resources.
Even if a cybercriminal has a variant that’s dependable, they still need to gain access to the target system in order to deploy it. That means significant time spent on reconnaissance and resource development, and any time spent on initial access into a target organization is time not spent on developing payloads and reaping ransoms.
To solve this problem, more cybercriminals are turning to cost-effective alternatives that do the hard work of gaining access to corporate networks for them – initial access brokers.
How Can You Protect Your Organization from Initial Access Brokers?
Turning to managed security operations solutions can make the difference in protecting you from the risks of ransomware, including infiltration by initial access brokers. Arctic Wolf — the leader in security operations — offers multiple solutions that can help you end cyber risk for your organization.