How Do Initial Access Brokers Enable Ransomware Attacks?

October 5, 2021 | 4 minute read

Editor's Note: Unlock the knowledge, resources and expert guidance you need to successfully prevent ransomware attacks from impacting your organization’s operations with this complimentary Ransomware Toolkit...

This October marks the 18th iteration of Cybersecurity Awareness Month, formerly called National Cybersecurity Awareness Month (NCSAM). Together with the National Cyber Security Alliance (NCSA), the U.S. Cybersecurity & Infrastructure Security Agency unveiled Do Your Part. #BeCyberSmart as this year’s theme. They also named “Be Cyber Smart” as the focus for the week of October 4 (Cybersecurity Awareness Month Week 1).

We’d like to carry those “cyber smarts” over to the ransomware problem by discussing the key drivers of RansomOps, our term for the more complex ransomware operations that use APT-like, low-and-slow tactics to compromise as much of the target network as possible before extracting far larger ransoms, some of which now exceed the $50 million mark. Let’s begin with how RansomOps use Initial Access Brokers (IABs).

An Overview of Initial Access Brokers (IABs)

According to Digital Shadows, IABs act as middlemen who use their own methods to breach a company’s network, often initially for another criminal objective such as cryptocurrency mining or harvesting account credentials to sell on the black market. Once they have access and some level of persistence on the targeted network, IABs sell that access to other threat actors, most often ransomware gangs or their affiliates.

One thing helping IABs establish and maintain access is the shift to remote work in the wake of the pandemic, which brought a corresponding increase in exposed remote services that attackers can use to gain a foothold in vulnerable networks, as reported by Infosecurity Magazine. The pandemic also pushed organizations to accelerate their adoption of cloud applications, often without basic safeguards such as multi-factor authentication (MFA) on authorized accounts.

But it’s more complicated than that. Researchers found that unsecured Microsoft Remote Desktop Protocol (RDP) endpoints accounted for over half of all ransomware attacks and, as reported by ZDNet, some digital crime groups specialize in scanning the internet for exposed RDP ports. When they find one, they brute-force its credentials to gain access and then sell that access on dark web marketplaces, giving buyers such as ransomware groups a foothold from which to spread across the organization’s network.

We’d be remiss if we overlooked recent events in the ransomware threat landscape, as well. Back in mid-May, the FBI confirmed that the DarkSide ransomware gang had been responsible for attacking the Colonial Pipeline Company. DarkSide attempted to shake off this attention by attributing the attack to one of its “partners” and by saying that it would screen its affiliates’ attacks going forward.

Not long thereafter, KrebsonSecurity confirmed that DarkSide had ceased operations after someone had seized its servers and drained them of cryptocurrency used by the gang to pay its affiliates. It was around that same time when three Russian digital crime forums banned members from posting ransomware-related ads, noted The Record, thus depriving groups of one of the most reliable ways to recruit new partners for ransomware attacks.

How Are IABs Helping RansomOps to Adapt?

As discussed above, IABs free ransomware attackers from the arduous work of obtaining initial access and moving laterally through the network, which is what lets them infect and encrypt more assets before demanding payment. Ransomware actors can now focus essentially all their time and energy on honing their malware payloads and coordinating operations with their affiliates.

The impact of IABs doesn’t end there. Flashpoint found that ransomware gangs like BlackMatter are using IABs to continue advertising on Russian digital crime forums. Instead of openly discussing ransomware and trying to enlist recruits, they can simply connect with an IAB, since the forum bans cover ransomware advertisements, not the buying and selling of network access. It’s an opportunity for them to implicitly advertise their ongoing operations and discreetly recruit affiliates.

The IABs are also working to provide as much access as possible to the targeted networks, which is driving up the prices they demand. Here are some statistics from The Register worth sharing:

    • On average, IABs offer access based on stolen credentials for $7,100, several thousand dollars less than the average price for RDP access, $9,800.
    • Access involving a compromised Windows domain admin account sits between the two at an average price of $8,167.
    • By contrast, exposed corporate VPN credentials fetched $2,871 on average.

It’s interesting to note that IAB activity and access sales began declining monthly in Q2 2021. According to Cybersecurity Dive, that’s when many IABs began moving their sales to private forums. It’s likely they did so to better evade law enforcement.

Defending Against RansomOps

The growth of the IAB marketplace highlights the need for organizations to defend themselves against the ever-evolving ransomware threat landscape. Fortunately, organizations can take concrete steps against the RDP vector discussed above. They can block inbound RDP (TCP port 3389) at the perimeter if they don’t need it. Where some systems must support RDP, they can put those systems behind a firewall or VPN, require MFA, enforce account lockout, and monitor them for signs of abuse such as a burst of failed logons from a single source followed by a successful one.

Organizations can also implement an anti-ransomware solution that leverages both Indicators of Compromise (IOCs) and Indicators of Behavior (IOBs), the subtler chains of attack activity that reveal an intrusion earlier. Such a solution lets organizations visualize a ransomware attack wherever it is occurring on the network, including the initial access and lateral movement that can precede delivery of the ransomware payload by weeks or months, giving security teams time to detect and respond long before any systems are encrypted.
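As an added example (not Cybereason's code and not part of the original post), here is detection logic in Python for the RDP brute-force chain described earlier and the monitoring recommended above: a burst of failed logons (Windows Security event 4625) from one source address followed by a successful RDP logon (event 4624 with LogonType 10) from the same source. Each event on its own is ordinary; the chain is the indicator. The input records are constructed, the JSON-lines record shape is assumed, and the threshold and window are assumptions to tune, not vendor defaults.

```python
"""Flag RDP brute-force attempts that end in a successful logon, from
Windows Security log records. Added example; constructed input.

Windows event IDs used (standard values):
  4625 = an account failed to log on
  4624 = an account was successfully logged on
  LogonType 10 = RemoteInteractive, i.e. an RDP session
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in the one-JSON-object-per-line shape an
# EVTX exporter or SIEM forwarder produces. IPs (documentation ranges)
# and usernames are made up.
SAMPLE_EVENTS = """\
{"TimeCreated": "2021-09-30T02:14:03Z", "EventID": 4625, "IpAddress": "203.0.113.7", "TargetUserName": "administrator", "LogonType": 3}
{"TimeCreated": "2021-09-30T02:14:09Z", "EventID": 4625, "IpAddress": "203.0.113.7", "TargetUserName": "administrator", "LogonType": 3}
{"TimeCreated": "2021-09-30T02:14:15Z", "EventID": 4625, "IpAddress": "203.0.113.7", "TargetUserName": "admin", "LogonType": 3}
{"TimeCreated": "2021-09-30T02:14:40Z", "EventID": 4625, "IpAddress": "192.0.2.9", "TargetUserName": "jsmith", "LogonType": 3}
{"TimeCreated": "2021-09-30T02:14:51Z", "EventID": 4625, "IpAddress": "203.0.113.7", "TargetUserName": "admin", "LogonType": 3}
{"TimeCreated": "2021-09-30T02:15:02Z", "EventID": 4625, "IpAddress": "203.0.113.7", "TargetUserName": "backup", "LogonType": 3}
{"TimeCreated": "2021-09-30T02:15:30Z", "EventID": 4624, "IpAddress": "198.51.100.20", "TargetUserName": "jsmith", "LogonType": 10}
{"TimeCreated": "2021-09-30T02:16:10Z", "EventID": 4625, "IpAddress": "203.0.113.7", "TargetUserName": "backup", "LogonType": 3}
{"TimeCreated": "2021-09-30T02:16:33Z", "EventID": 4624, "IpAddress": "203.0.113.7", "TargetUserName": "backup", "LogonType": 10}
{"TimeCreated": "2021-09-30T02:40:00Z", "EventID": 4624, "IpAddress": "192.0.2.9", "TargetUserName": "jsmith", "LogonType": 10}
"""

FAIL_THRESHOLD = 5                 # failures from one source inside WINDOW (assumed)
WINDOW = timedelta(minutes=10)     # sliding window (assumed, tune per environment)
RDP_LOGON_TYPE = 10


def parse_events(text):
    """Parse JSON-lines records into dicts with a datetime TimeCreated,
    sorted by time so the sliding window below is well defined."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.strptime(rec["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["TimeCreated"])
    return events


def detect_rdp_bruteforce(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as dicts: source, severity, time, failures, users, user.

    'medium': fail_threshold failed logons from one source within window
              (a brute-force attempt, whatever its outcome).
    'high':   such a burst followed, within window of the last failure, by
              a successful RDP (LogonType 10) logon from the same source.
    Any LogonType counts as a failure, because with NLA enabled failed RDP
    attempts are usually logged as 4625 with LogonType 3, not 10.
    """
    recent_fails = defaultdict(deque)  # source IP -> failure timestamps in window
    users_tried = defaultdict(set)     # source IP -> accounts attempted
    bursting = set()                   # sources already past the threshold
    alerts = []

    for ev in events:
        ip = ev.get("IpAddress")
        if not ip or ip == "-":        # local or unknown source: nothing to key on
            continue
        t = ev["TimeCreated"]

        if ev["EventID"] == 4625:
            q = recent_fails[ip]
            q.append(t)
            while t - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            users_tried[ip].add(ev.get("TargetUserName"))
            if len(q) >= fail_threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append({"source": ip, "severity": "medium", "time": t,
                               "failures": len(q), "users": sorted(users_tried[ip]),
                               "user": None})

        elif ev["EventID"] == 4624 and ev.get("LogonType") == RDP_LOGON_TYPE:
            q = recent_fails[ip]
            if ip in bursting and q and t - q[-1] <= window:
                alerts.append({"source": ip, "severity": "high", "time": t,
                               "failures": len(q), "users": sorted(users_tried[ip]),
                               "user": ev.get("TargetUserName")})
                bursting.discard(ip)   # one high alert per burst
                q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f'{a["time"]:%H:%M:%S} {a["severity"]:6} {a["source"]} '
              f'failures={a["failures"]} users={",".join(a["users"])} '
              f'logged_in_as={a["user"]}')
```

Run as a script, it prints one medium alert when 203.0.113.7 reaches five failures and one high alert when the same address then logs in over RDP as "backup"; the lone failure from 192.0.2.9 and the clean logon from 198.51.100.20 produce nothing. The logic keys on the source address, so it will not catch a password spray spread across many addresses or a brute force that arrives through a VPN concentrator that rewrites the client IP; for those, key on the target account or the gateway's own logs instead.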

The Cybereason Advantage Over Ransomware

The best strategy for organizations is to prevent a ransomware attack from being successful in the first place. To do that, they need to invest in a multi-layered solution that leverages Indicators of Behavior (IOBs) to detect and prevent a ransomware attack at the earliest stages of initial ingress, prior to the exfiltration of sensitive data for double extortion, and long before the actual ransomware payload is delivered.

The Cybereason Operation-Centric approach means no data filtering and the ability to detect attacks earlier based on rare or advantageous chains of (otherwise normal) behaviors. Cybereason is undefeated in the battle against ransomware thanks to our multi-layered prevention, detection, and response, which includes:

    • Anti-Ransomware and Deception: Cybereason uses a combination of behavioral detections and proprietary deception techniques to surface the most complex ransomware threats and end the attack before any critical data can be encrypted.
    • Intelligence-Based Antivirus: Cybereason blocks known ransomware variants, leveraging an ever-growing pool of threat intelligence based on previously detected attacks.
    • NGAV: Cybereason NGAV is powered by machine learning and recognizes malicious components in code to block unknown ransomware variants prior to execution.
    • Fileless Ransomware Protection: Cybereason disrupts attacks utilizing fileless and MBR-based ransomware that traditional antivirus tools miss.
    • Endpoint Controls: Cybereason hardens endpoints against attacks by managing security policies, maintaining device controls, implementing personal firewalls and enforcing whole-disk encryption across a range of device types, both fixed and mobile.
    • Behavioral Document Protection: Cybereason detects and blocks ransomware hidden in the most common business document formats, including those that leverage malicious macros and other stealthy attack vectors.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Cybereason Security Team

The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.
