Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Ransomware Made Easy: Initial Access Brokers Offer Access to High-Value Networks

February 9, 2021

Bank Info Security reported on February 2 that ransomware gangs are increasingly tapping initial access brokers, who sell ready access to high-value networks.

Access typically sells for $1,500 to $2,000, according to Victoria Kivilevich, a threat intelligence analyst at Israeli cyberthreat intelligence monitoring firm Kela.

"Some of them are looking for one buyer and state that they're ready to work for a percentage, most likely meaning a share from the amount gained in a successful ransomware attack."

"For such a sum, threat actors usually offer domain admin-type of access to medium-sized companies with hundreds of employees," she says.

Locating victims and breaking into them is slow, uncertain work. It is far easier to browse a list of already-compromised networks and pay for remote access credentials that the broker vouches for.

Kivilevich writes in a new report from Kela that over the last three months of 2020, she counted 242 initial network access offers for sale across three cybercrime forums with a total asking price of $1.2 million.

During that time, the average price per access was $6,684, a mean pulled up by a handful of expensive listings; the highest price listed was 7 bitcoins, worth about $130,000 at the time. 24% of offers did not list a price.

While the number of access offers being sold declined from month to month, Kivilevich says that many are now "being traded in private conversations," which makes it difficult to ascertain the quantity and selling price of everything that's being sold.

The most common types of access being sold – comprising 45% of what's publicly on offer – are credentials for Remote Desktop Protocol (RDP) or VPNs, details of a vulnerability in the victim's system that allows remote code execution (RCE), and access to Citrix products.

Using RDP or VPN to gain access, "an intruder can move laterally and eventually can succeed in stealing sensitive information, executing commands and delivering malware," she says. "The RCE vulnerability type of initial access is usually limited to the ability to run code using a specific vulnerability, which allows actors to pivot further within the targeted environment."

In about half of all listings, initial access brokers don't say what type of access they're selling – or they may just list the level of access a buyer would gain, such as "admin or user, local or domain," she says. In other cases, brokers sell access to remote control software, such as ConnectWise and TeamViewer, already running in a victim's organization, "which provide actors with RDP-like capabilities."
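The RDP credentials Kela describes are sold as working logins, so the first sign of their use is often a single successful remote-interactive logon from an address outside the organization, with no brute-force noise before it. The following detection check is an added example, not from the original post or from Kela: it walks a few constructed, simplified Windows Security event records (field names follow the 4624 schema; the one-line key=value format and the internal address ranges are assumptions) and flags successful LogonType 10 (RemoteInteractive, i.e. RDP) logons whose source lies outside those ranges.

```python
"""Flag RDP logons (event 4624, LogonType 10) from outside the organization.

Added example, not part of the original post. Real 4624 events are EVTX/XML;
the one-line key=value rendering below is a constructed simplification, and
the internal address plan is an assumption for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample events. Two RDP logons come from documentation-range
# addresses that stand in for "public" sources; the 4625 line is a failure
# and must not be counted as access.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=10 TargetUserName=jdoe TargetDomainName=CORP IpAddress=10.20.1.55 WorkstationName=WS-JDOE
EventID=4624 LogonType=3 TargetUserName=svc_backup TargetDomainName=CORP IpAddress=10.20.1.9 WorkstationName=BKP01
EventID=4624 LogonType=10 TargetUserName=administrator TargetDomainName=CORP IpAddress=203.0.113.44 WorkstationName=-
EventID=4624 LogonType=10 TargetUserName=jdoe TargetDomainName=CORP IpAddress=198.51.100.23 WorkstationName=KALI
EventID=4625 LogonType=10 TargetUserName=administrator TargetDomainName=CORP IpAddress=203.0.113.44 WorkstationName=-
EventID=4624 LogonType=10 TargetUserName=helpdesk TargetDomainName=CORP IpAddress=172.16.4.21 WorkstationName=HD-02
"""

# Assumed internal address plan (RFC 1918); adjust to the real environment.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

KV_RE = re.compile(r"(\w+)=(\S+)")
REMOTE_INTERACTIVE = "10"  # LogonType 10 = RDP / RemoteInteractive


def parse_events(text):
    """Turn each non-empty line into a dict of its key=value fields."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


def is_internal(ip_str):
    """True if the source is loopback or inside INTERNAL_NETS; False for public or unparsable values."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:  # "-" or empty IpAddress fields in 4624
        return False
    return ip.is_loopback or any(ip in net for net in INTERNAL_NETS)


def find_external_rdp_logons(events):
    """Return successful RDP logons whose source address is not internal.

    Only EventID 4624 counts: a 4625 failure from the same address is noise,
    and a broker-supplied credential typically produces no failures at all.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != "4624" or ev.get("LogonType") != REMOTE_INTERACTIVE:
            continue
        src = ev.get("IpAddress", "-")
        if is_internal(src):
            continue
        hits.append({
            "user": ev.get("TargetUserName"),
            "domain": ev.get("TargetDomainName"),
            "src": src,
            "workstation": ev.get("WorkstationName"),
        })
    return hits


def external_sources_by_user(hits):
    """Group flagged logons as {user: sorted list of external source addresses}."""
    by_user = defaultdict(set)
    for h in hits:
        by_user[h["user"]].add(h["src"])
    return {user: sorted(srcs) for user, srcs in by_user.items()}


if __name__ == "__main__":
    flagged = find_external_rdp_logons(parse_events(SAMPLE_EVENTS))
    for user, srcs in external_sources_by_user(flagged).items():
        print(f"{user}: RDP logon from outside the network via {', '.join(srcs)}")
```

Because the credentials being sold already work, a rule that waits for a burst of 4625 failures before alerting will miss exactly the access this market supplies; the check above keys on the successful logon itself. In practice, RDP should not be reachable from the internet at all, so any hit here also means an exposure to fix, not just an account to reset.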

Cybersecurity experts say demand for initial access brokers' services has been rising. Buying access lets ransomware gangs compromise larger targets more quickly, the practice known as big game hunting, and it offers a greater return on investment, since bigger targets can pay bigger ransoms.

Kela says that during Q4 2020, just 10 sellers appeared to account for nearly half of all initial access broker listings across three cybercrime forums.

Historically, initial access brokers advertised their services on cybercrime forums and marketplaces. However, some brokers seem to have long-term relationships with certain ransomware gangs, affiliates or middlemen, and offer them a right of first refusal before making access offers available to others, Kela's Kivilevich says.

Late in 2020, she reported seeing a reversal: The Darkside ransomware operation posted that it was actively seeking new partners who could give it access to U.S. businesses with annual revenues of at least $400 million.

The cybercrime-as-a-service ecosystem continues to evolve at a furious speed!

Hat tip to Dave Ries.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology