
Initial access brokers unaffected by ransomware content bans

Banning ransomware content from cyber crime forums has done little to prevent initial access brokers from advertising their services, with the number of access listings increasing in the second quarter of 2021

Online listings for initial access brokers (IABs) have increased for the second quarter in a row, despite a number of cyber crime forums banning any content related to the ransomware trade, says threat intelligence firm Digital Shadows.

In the wake of DarkSide’s ransomware attack on Colonial Pipeline in May 2021, which severely disrupted the US’s energy and fuel supply, a number of cyber crime forums, including XSS, Exploit and RaidForums, decided to ban listings for, and discussions of, ransomware services in order to avoid unwanted attention from journalists and law enforcement agencies.  

But despite the ban on ransomware content, Digital Shadows has collected more than 250 new listings by IABs, an increase from the 200 it identified in Q1.

“This development in the ransomware landscape didn’t entirely disrupt IABs’ operations,” wrote Digital Shadows’ Photon Research Team in a blog post. “In fact, theoretically speaking, the accesses sold by IABs could be used for a broad array of malicious purposes (think about wiping data, installing crypto miners, deploying spyware) and rarely specifically mention ransomware.

“However, as we all well know, ransomware is clearly one of the most profitable criminal enterprises you can set up with those accesses and is undoubtedly the most common use for threat actors.

“Consequently, IABs kept doing their work undisturbed most of the time. We’ve observed some IABs moving to other cyber criminal forums, and others have moved their business infrastructure to private messaging channels. Additionally, we’ve observed ransomware groups avoiding outright mentioning the purpose of their criminal program and attempting to recruit for IABs with careful wording to avoid being banned.”

A new ransomware gang, known as BlackMatter, which was founded in July 2021 and likely spun out of the DarkSide operation, was recently discovered by analysts at Recorded Future because of ads it had posted on Exploit and XSS.

BlackMatter circumvented the forums’ ransomware bans – in line with Digital Shadows’ assessment – by carefully wording its ads to exclude any mention of actual ransomware operations. Instead, the posting sought to recruit IABs that could help it access high-value corporate targets.

In March 2021, Digital Shadows published separate research that analysed more than 500 access listings posted online throughout 2020, which means more listings have been identified in the first half of 2021 than in all of last year.

Between Q1 and Q2 2021, the price of access also went up, from an average of $1,923 per access to an average of $2,578.


However, in 2020 the average price per access was $7,100, which Digital Shadows attributed to the fact that, with significantly fewer listings in 2020, there was less competition between brokers and therefore prices were higher.

In terms of the listings’ targets, 70% of the total listings observed in Q2 2021 were targeted at organisations in North America (primarily the US) and Europe. The most targeted country in Europe was France, closely followed by the UK, Italy and Germany.

“Companies based in North America were also the most financially rewarding for IABs, with an average cost of $3,114 per access,” said the blog. “Asian organisations soon followed with an average of $2,824, along with the Middle East ($2,523) and Europe ($2,044). On the other hand, listings were particularly cheap in Australasia ($600) and South America ($474).”

In a shift from Q1 – when the energy, oil and gas industry represented the highest average price per access – the financial services and retail verticals are now the most expensive IAB listings at $5,518 and $4,404, respectively.

Looking at the actual access points being advertised, Digital Shadows found that remote working tools such as virtual private network (VPN) and remote desktop protocol (RDP) were at the highest risk of being compromised and exploited by threat actors, with those two tools making up more than two-thirds of the total accesses being advertised by IABs.

“Since we’ve started to produce research on IABs, RDPs have been central in our analysis,” said the blog. “Cyber criminals can easily scan the internet to find exposed RDPs with weak credentials to leverage for their malicious operations. The same mechanism can be applied to VPN, a utility that has become increasingly popular since the pandemic outbreak in the early months of 2020.”
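The detection side of the RDP point above, as an added example rather than anything from Digital Shadows or the article: a short Python script that reads failed-logon events of the kind an exposed RDP host produces under credential guessing and flags sources whose failures cluster within a time window. The log lines are constructed to resemble Windows Security event 4625 records exported as JSON lines (logon type 10 is RemoteInteractive, i.e. RDP); the event id and logon type are real Windows values, but the sample addresses, account names, threshold and window are assumptions for illustration.

```python
"""Detect password guessing against an exposed RDP service from failed-logon events.

Added example (not Digital Shadows' code). The log lines are constructed to
resemble Windows Security event 4625 (failed logon) exported as JSON lines;
logon type 10 is RemoteInteractive, i.e. RDP. The threshold and window are
assumed values, not figures from the article.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security event: an account failed to log on
RDP_LOGON_TYPE = 10      # RemoteInteractive (Terminal Services / RDP)

# Constructed sample data: one guessing burst (203.0.113.5), one user typo
# followed by success (198.51.100.7), one slow trickle (192.0.2.9).
SAMPLE_LOG = """\
{"time": "2021-07-01T10:00:01", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.5"}
{"time": "2021-07-01T10:00:09", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.5"}
{"time": "2021-07-01T10:00:17", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.5"}
{"time": "2021-07-01T10:00:25", "event_id": 4625, "logon_type": 10, "user": "test", "src_ip": "203.0.113.5"}
{"time": "2021-07-01T10:00:33", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.5"}
{"time": "2021-07-01T10:00:41", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "203.0.113.5"}
{"time": "2021-07-01T10:01:02", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.5"}
{"time": "2021-07-01T10:05:00", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.7"}
{"time": "2021-07-01T10:05:20", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.7"}
{"time": "2021-07-01T08:00:00", "event_id": 4625, "logon_type": 10, "user": "svc", "src_ip": "192.0.2.9"}
{"time": "2021-07-01T08:30:00", "event_id": 4625, "logon_type": 10, "user": "svc", "src_ip": "192.0.2.9"}
{"time": "2021-07-01T09:00:00", "event_id": 4625, "logon_type": 10, "user": "svc", "src_ip": "192.0.2.9"}
{"time": "2021-07-01T09:30:00", "event_id": 4625, "logon_type": 10, "user": "svc", "src_ip": "192.0.2.9"}
{"time": "2021-07-01T10:00:00", "event_id": 4625, "logon_type": 10, "user": "svc", "src_ip": "192.0.2.9"}
{"time": "2021-07-01T10:30:00", "event_id": 4625, "logon_type": 10, "user": "svc", "src_ip": "192.0.2.9"}
"""


def parse_events(lines):
    """Parse JSON-lines records into dicts, converting 'time' to a datetime."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def detect_rdp_bruteforce(events, threshold=5, window_minutes=10):
    """Return {src_ip: {"failures": n, "users": [...]}} for every source whose
    failed RDP logons reach `threshold` inside some `window_minutes` span.

    Only event 4625 with logon type 10 counts: successful logons (4624) and
    non-RDP failures (e.g. network logon type 3) are ignored, and the sliding
    window keeps a slow trickle of failures from triggering an alert.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON and e["logon_type"] == RDP_LOGON_TYPE:
            by_src[e["src_ip"]].append(e)

    window = timedelta(minutes=window_minutes)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        start, peak = 0, 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most window_minutes.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = {
                "failures": peak,                       # densest window seen
                "users": sorted({e["user"] for e in evs}),  # all accounts tried by this source
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(parse_events(SAMPLE_LOG.splitlines())).items():
        print(f"{src}: {info['failures']} failed RDP logons within one window; "
              f"accounts tried: {', '.join(info['users'])}")
```

On the sample data only 203.0.113.5 is flagged: its six RDP failures against four different accounts land inside a single ten-minute window, while the network-logon failure from the same address is not counted. The trickle from 192.0.2.9 produces the same six failures but spread over two and a half hours, so it stays below the threshold unless the window is widened, which is the trade-off a tuning exercise on real 4625 volumes has to settle.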

In terms of mitigating strategies, Digital Shadows suggested that monitoring the evolution of IABs and their preferred techniques over time can “significantly help security professionals prioritise their efforts to reduce their attack surface and digital exposure”.

It added: “Having an in-house or outsourced cyber threat intelligence team monitoring the surface, deep and dark web can go a long way in identifying relevant listings and observing access trends. If provided with timely, relevant and actionable intelligence, defenders can prioritise security efforts toward the most significant threats.”
