How Do Initial Access Brokers Enable Ransomware Attacks?

Editor's Note: Unlock the knowledge, resources and expert guidance you need to successfully prevent ransomware attacks from impacting your organization’s operations with this complimentary Ransomware Toolkit...

This October marks the 18th iteration of Cybersecurity Awareness Month, formerly called National Cybersecurity Awareness Month (NCSAM). Together with the National Cyber Security Alliance (NCSA), the U.S. Cybersecurity & Infrastructure Security Agency unveiled Do Your Part. #BeCyberSmart as this year’s theme. They also named “Be Cyber Smart” as the focus for the week of October 4 (Cybersecurity Awareness Month Week 1).

We’d like to carry those “cyber smarts” to the ransomware problem by discussing the key drivers of RansomOps, the term for the more complex ransomware operations which use APT-like, low-and-slow attack tactics so they can infect as much of the target network as possible and demand even bigger ransom demands - some of which now exceed the $50 Million dollar mark. Let’s begin by focusing on how RansomOps use Initial Access Brokers (IABs).

An Overview of Initial Access Brokers (IABs)

According to Digital Shadows, IABs act as middlemen who use their own methods to breach a company’s network, usually for some criminal objective like cryptocurrency mining or to steal account credentials to sell on the black market. Once they have access and have established some level of persistence on the targeted network, IABs often sell access to that network to other threat actors, which more often include ransomware gangs or their affiliates.

One thing helping IABs establish and maintain access is the fact that many organizations shifted to remote work in the wake of the pandemic, which led to a corresponding increase in exposed remote services that attackers can use to establish a foothold in vulnerable networks, as reported by Infosecurity Magazine. The pandemic also drove organizations to accelerate their adoption of cloud applications, often without implementing basic security features like multi-factor authentication (MFA) for authorized accounts.

But it’s more complicated than that. Researchers found that unsecured Microsoft Remote Desktop Protocol (RDP) vulnerabilities accounted for over half of all ransomware attacks and, as reported by ZDNet, some digital crime groups specialize in scanning the web for these exposed RDP ports. When they find them, they carry out brute-force attacks to gain access and then sell that access on dark web marketplaces, giving attackers like ransomware groups an opportunity through which they can establish a foothold across an organization’s network.

We’d be remiss if we overlooked recent events in the ransomware threat landscape, as well. Back in mid-May, the FBI confirmed that the DarkSide ransomware gang had been responsible for attacking the Colonial Pipeline Company. DarkSide attempted to shake off this attention by attributing the attack to one of its “partners” and by saying that it would screen its affiliates’ attacks going forward.

Not long thereafter, KrebsonSecurity confirmed that DarkSide had ceased operations after someone had seized its servers and drained them of cryptocurrency used by the gang to pay its affiliates. It was around that same time when three Russian digital crime forums banned members from posting ransomware-related ads, noted The Record, thus depriving groups of one of the most reliable ways to recruit new partners for ransomware attacks.

How Are IABs Helping RansomOps to Adapt?

As discussed above, IABs free ransomware attackers from the arduous task of obtaining initial access and moving laterally through the network so they can infect and encrypt more assets before demanding the ransom payment. Ransomware actors can now essentially focus all their time and energy on honing their malware payloads and coordinating operations with their affiliates.

The impact of IABs doesn’t end there. Flashpoint found that ransomware gangs like BlackMatter are using IABs to continue advertising on Russian digital crime forums. Instead of openly discussing ransomware and trying to enlist new recruits, they can simply connect with an IAB, as there’s nothing prohibiting them from doing that. It’s an opportunity for them to implicitly advertise their ongoing operations and discreetly recruit affiliates.

The IABs are also working to make sure they can provide the most access possible to the targeted networks, which is driving up the prices they are demanding. Here are some following statistics from The Register that are worth sharing:

    • On average, IABs offer access involving stolen credentials for $7,100. That’s several thousands of dollars less than the average price for RDP access at $9,800.
    • Access involving the compromise of a Windows domain admin account fit right between stolen credentials and RDP access at an average price of $8,167.
    • By contrast, exposed corporate VPN credentials fetched a price of $2,871 on average.

It’s interesting to note that IAB activity and access sales began declining monthly in Q2 2021. According to Cybersecurity Dive, that’s when many IABs began moving their sales to private forums. It’s likely they did so to better evade law enforcement.

Defending Against RansomOps

The growth of the IAB marketplace highlights the need for organizations to defend themselves against the ever-evolving ransomware threat landscape. Fortunately, organizations can take steps to protect themselves against the RDP attack vector discussed above. They can block RDP port 3389 if they don’t need to use it, for instance. If they need some systems to support RDP, they can put them behind a firewall and monitor them for potential signs of abuse.

Organizations can also implement an anti-ransomware solution that leverages both Indicators of Compromise (IOCs) and Indicators of Behavior (IOBs), the more subtle attack activity that can reveal an attack earlier. Such a solution allows organizations to visualize a ransomware attack wherever it’s occurring on their network, including the initial access and lateral movement that can precede the delivery of a ransomware payload by weeks or months, giving security teams time to detect and respond long before any systems can be encrypted.

The Cybereason Advantage Over Ransomware

The best strategy for organizations is to prevent a ransomware attack from being successful in the first place. To do that, they need to invest in a multi-layered solution that leverages Indicators of Behavior (IOBs) to detect and prevent a ransomware attack at the earliest stages of initial ingress, prior to the exfiltration of sensitive data for double extortion, and long before the actual ransomware payload is delivered.

The Cybereason Operation-Centric approach means no data filtering and the ability to detect attacks earlier based on rare or advantageous chains of (otherwise normal) behaviors. Cybereason is undefeated in the battle against ransomware thanks to our multi-layered prevention, detection and response.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Anthony M. Freed
About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.

All Posts by Anthony M. Freed