The average cost to access the network or IT systems of an organisation lies somewhere between $2,000 (£1,650) and $4,000 (£3,300) – a relative trifle when compared to the sums ransomware operators demand and receive, and the massive financial damage that can be wrought by a well-timed cyber attack.
This figure is based on an analysis of hundreds of posts on dark web cyber criminal forums, conducted by researchers at Kaspersky, who have just released a paper on the subject, ‘How much does access to corporate infrastructure cost?’
The research team uncovered high levels of demand on the dark web not just for data stolen during an attack, but for the data and services necessary to orchestrate an attack in the first place.
“The cyber criminal community has evolved, not only from a technical point of view, but from the standpoint of their organisation,” said Kaspersky’s Sergey Scherbel. “Today, ransomware groups look more like real industries with services and products for sale.
“We constantly monitor darknet forums to detect new trends and tactics of the cyber criminal underground and we have observed the increasing market of data required to organise an attack. Gaining the visibility of sources across the dark web is essential for companies seeking to enrich their threat intelligence.”
Prices for this access vary greatly, said Kaspersky, starting at a couple of hundred dollars at the low end, and rising to hundreds of thousands.
Initial access brokers (IABs), who, as others have reported, are becoming a key cog in the crime-as-a-service economy, enact pricing structures that are, by and large, determined by the revenue of a potential victim.
For example, a FTSE 100 company with global assets and interests will clearly be a juicier target than a local plumbing business, so, understandably, the amount of money a cyber criminal can potentially earn from that attack is the most important component of an initial access price.
Also, IABs know that ransomware operators who stand to make millions from successful attacks are prepared to pay handsomely, spending tens of thousands of dollars in some cases.
Other factors that come into play include the reputation and expertise of the IAB, and the type of access they are offering.
For example, said Scherbel, information about a vulnerability, such as an SQL injection or remote code execution (RCE) bug, is priced very differently from legitimate credentials for remote desktop protocol (RDP) or secure shell (SSH).
This is because, in the first instance, the buyer is merely buying a shot at accessing a target network by exploiting a vulnerability, whereas RDP or SSH means that access to the target system has already been obtained.
Put simply, obtaining RDP access gives bad actors control of a remote desktop or application, from which they can connect to, access and control important resources and data via a remote host in the same way as a local employee.
Indeed, Kaspersky found that most underground IABs now specialise in selling RDP access, and three-quarters of the analysed ads were offering it.
There is also variance based on a victim’s industry and specialisations, as well as location, said Kaspersky.