Ransomware affiliates need access points into target companies. When demand for access skyrocketed, initial access brokers (IABs) answered those informal "help wanted" signs.
The cybercrime business model has evolved, creating a market of vendors on the dark web.
"One major aspect of this trend is the cooperation between actors facilitated by the rise of targeted ransomware. In order to support work in scale, ransomware operators turn to partners and affiliates to fulfill their remote access needs," said Victoria Kivilevich, threat intel analyst at Kela.
IABs uncover new initial access vectors and have become a staple of the ransomware as a service (RaaS) economy, according to a Kela report based on more than 1,000 access listings for sale from July 1, 2020 to June, 30 2021, released Monday. IABs "follow their customers' demands," the research found.
As ransomware branched out from hitting consumers to large enterprises, bad actors needed to make their business model more efficient. Different functions of the RaaS model began to organize into tiers of labor, with clearer lines of responsibility.
In short, IABs monetized a time-consuming piece of the business model — selecting and "grooming" access opportunities, Kivilevich said.
Affiliates who work directly with ransomware operators are akin to mid-level management, according to Kivilevich, and with ransomware developers asking for more viable access to companies, IABs found a way to respond to the demand.
If companies have insights into top-selling network access, security teams will have a better sense of what is most vulnerable to the RaaS model. While the most popular access are VPNs and RDP, IABs are working toward finding more access to sell, such as VMware's ESXi servers, favored by REvil and DarkSide operators, and network management software, Kela found.
Though the median network access price was $1,000 in the last year, the average price was $5,400, according to Kela, with IABs still cultivating their own pricing models. Some IABs commit to a fixed price for access while others negotiate with their ransomware affiliates for a percentage of their payout.
IABs typically engage in public forums only when they are new to the market and working to gain a reputation. They even go as far as allowing trusted buyers a test run prior to payment, according to Kivilevich.
Some IABs will only publicize new sales when their regular customers are uninterested in a listing, according to Kela's report. If an IAB's dealings remain in public forums, Kela's research indicates bidding wars can occur. It typically takes between one and three days to have an auction winner, Kivilevich said.
Beginning in Q2 of 2021, access sales began to decline monthly — the drop was not due to a lack of sales, but a shift in strategy. IABs have been moving their dealings to private forums to evade detection from law enforcement.
"But I don't think law enforcement is really looking for IABs, nor should they be. That's like charging a street dealer instead of going after the drug kingpins," said Jake Williams, co-founder and CTO of BreachQuest, and SANS analyst.
However, in July 2020, the Justice Department issued an indictment to "fxmsp" for cybercriminal activity, including selling backdoors to victim networks. Customers then launched subsequent cyberattacks using those backdoors. While this is a rare case of law enforcement pursuing an IAB, it does occur.
IABs are able to skirt law enforcement activity because of the passive nature of their business. They aren't the actors initiating an attack on a business, said Alec Alvarado, threat intelligence team lead at Digital Shadows.
Because of the private structure of IAB and ransomware affiliate communications, it's difficult to determine their relationships entirely. Like Kela, Digital Shadows has also seen a decline in "once very public" IABs, according to Alvarado. The risk protection company theorizes that the drop off in public IABs might be because of recruitment by a ransomware group.
A booming dark web industry
Researchers estimate IABs sell about $600,000 in network access quarterly, depending on how many computers are exposed, account privileges, and most importantly a target's revenue, size and industry, Positive Technologies observed. In 2020, Positive Technologies found 707 new ads for sale of access for the whole year, whereas Q1 2021 has already seen 590.
The ransomware landscape reached "exceedingly competitive" levels over the last year, giving IABs a solidified place in the Raas supply chain, said Alvarado. "Ransomware affiliates faced pressure from developers to either show results or be cut from the affiliate program," which was the opportune entry point for IABs.
It's difficult to hold ransomware gangs accountable for misusing access, or breaking the code of conduct IABs establish. RaaS has so many affiliates, a gang could claim an attack was due to a "rogue affiliate and we've dropped them," if they were confronted by an IAB, Williams said. "Of course there's no way to evaluate the truth of those statements, so no action is likely to be taken."
SunCrypt operators had to do just this when University Hospital in New Jersey was breached in October. The group claimed it was an accidental hack caused by a new affiliate, said Kivilevich. But for the most part, IABs follow their customers' leads — if a customer does not want access to a healthcare organization, an IAB won't offer it to them.