

What role does an initial access broker play in the RaaS model?

Initial access brokers play an increasingly vital role in the ransomware ecosystem, establishing entry points from which RaaS groups can facilitate attacks against organizations.

The dark web has hosted criminal activity for decades. Over that time, cybercrime organizations and their business models have adapted and evolved, along with the threat landscape. Nowadays, numerous illicit forums and marketplaces let users buy and sell everything from illegal drugs to malware.

These forums enable organized cybercrime groups to offer products and services to other threat actors for purchase. Cybercrime groups that actively sell third-party attackers access to private networks and systems are commonly called initial access brokers (IABs). Although they rarely involve themselves directly in attacks, initial access brokers play a vital role in the ransomware as a service (RaaS) ecosystem by establishing entry points for other malicious hackers.

Read on to learn what role IABs play in the RaaS model, how they operate and more.

What are initial access brokers?

Initial access brokers are individual cybercriminals or organized cybercrime groups that gain unauthorized network access and sell it to other malicious actors.

IABs generally specialize in breaching organizations by obtaining working user access, which they gain through a range of attack methods. These include credential stuffing, social engineering, phishing, brute-force and MFA fatigue attacks that flood users with authentication prompts, and infostealer malware.

Most initial access brokers act as suppliers to other attackers and rarely conduct ransomware, data extortion or other cyberattacks themselves. Instead, they serve as third-party service providers, enabling other cybercrime groups to carry out further attacks against organizations.

Once brokers have gained initial access to a corporate network or system, they advertise and sell that access on dark web forums to other cybercriminals. Some brokers sell initial corporate access for a set price, while others take a percentage of the proceeds their buyers earn from using the access, such as a share of the eventual ransom.

How do initial access brokers operate?

IABs can be solo threat actors or members of larger organized cybercrime groups. While they are malicious attackers themselves, their attack techniques typically differ from those of the threat actors to whom they sell initial access. Many initial access brokers operating on dark web forums and marketplaces specialize in obtaining corporate credentials via social engineering and brute-force attacks.

Initial access brokers are known to employ the following operational tactics:

  • Exploit software vulnerabilities and unpatched systems to gain access to internal systems and networks.
  • Use social engineering or phishing attacks with the goal of stealing user credentials.
  • Brute-force exposed Remote Desktop Protocol services or exploit vulnerabilities in VPN appliances to gain a foothold on the network.
  • Deploy infostealer malware, and sometimes remote access Trojans, to harvest keystrokes, passwords, session cookies and other confidential data, which is then exfiltrated and sold to other attackers.
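The credential-based techniques in the list above leave a recognizable trail in authentication logs. As an added example, not from the original article, the following Python script runs two simple detections over constructed sample log lines: a password spray (one source address failing against many accounts in a short window) and MFA fatigue (repeated push prompts a user denies or ignores, possibly followed by an approval). The key=value log format, the field names and the thresholds are assumptions, not any vendor's real format.

```python
"""Detect two initial-access techniques in authentication logs:
password spraying against an exposed VPN/RDP login and MFA fatigue
(push bombing). Sample lines below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed key=value format; not a real product's).
# 203.0.113.7 sprays one password across six accounts, guesses dave's
# password, then bombards dave with MFA pushes until he approves one.
# 198.51.100.5 is a legitimate user mistyping a password twice.
SAMPLE_LOG = """\
ts=2024-05-01T09:00:01 user=alice src=203.0.113.7 event=login result=fail
ts=2024-05-01T09:00:03 user=bob src=203.0.113.7 event=login result=fail
ts=2024-05-01T09:00:05 user=carol src=203.0.113.7 event=login result=fail
ts=2024-05-01T09:00:07 user=erin src=203.0.113.7 event=login result=fail
ts=2024-05-01T09:00:09 user=frank src=203.0.113.7 event=login result=fail
ts=2024-05-01T09:00:11 user=heidi src=203.0.113.7 event=login result=fail
ts=2024-05-01T09:00:13 user=dave src=203.0.113.7 event=login result=success
ts=2024-05-01T09:00:30 user=grace src=198.51.100.5 event=login result=fail
ts=2024-05-01T09:00:45 user=grace src=198.51.100.5 event=login result=fail
ts=2024-05-01T09:00:58 user=grace src=198.51.100.5 event=login result=success
ts=2024-05-01T09:01:00 user=grace src=198.51.100.5 event=mfa_push result=approve
ts=2024-05-01T09:05:00 user=dave src=203.0.113.7 event=mfa_push result=deny
ts=2024-05-01T09:05:20 user=dave src=203.0.113.7 event=mfa_push result=timeout
ts=2024-05-01T09:05:40 user=dave src=203.0.113.7 event=mfa_push result=deny
ts=2024-05-01T09:06:00 user=dave src=203.0.113.7 event=mfa_push result=deny
ts=2024-05-01T09:06:30 user=dave src=203.0.113.7 event=mfa_push result=approve
"""


def parse_line(line):
    """Turn one key=value line into a dict with a datetime timestamp."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag a source that fails logins for >= min_users distinct accounts
    within `window`. A normal user failing repeatedly hits only one account,
    so the distinct-user count separates sprays from typos."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "fail":
            by_src[e["src"]].append(e)
    alerts = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):  # sliding window from each failure
            in_window = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in in_window}
            if len(users) >= min_users:
                alerts.append({"src": src, "users": len(users),
                               "attempts": len(in_window), "first": first["ts"]})
                break  # one alert per source is enough
    return alerts


def detect_mfa_fatigue(events, window=timedelta(minutes=5), min_prompts=4):
    """Flag a user who denies or lets expire >= min_prompts pushes within
    `window`. If an approval lands inside the same window, the attacker
    likely got in, so the finding is marked high severity."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            by_user[e["user"]].append(e)
    alerts = []
    for user, pushes in by_user.items():
        pushes.sort(key=lambda e: e["ts"])
        rejected = [e for e in pushes if e["result"] in ("deny", "timeout")]
        for i, first in enumerate(rejected):
            end = first["ts"] + window
            in_window = [e for e in rejected[i:] if e["ts"] <= end]
            if len(in_window) >= min_prompts:
                approved = any(e["result"] == "approve" and first["ts"] <= e["ts"] <= end
                               for e in pushes)
                alerts.append({"user": user, "prompts": len(in_window),
                               "severity": "high" if approved else "medium",
                               "first": first["ts"]})
                break
    return alerts


def analyze(log_text):
    events = parse_log(log_text)
    return {"spray": detect_password_spray(events),
            "mfa_fatigue": detect_mfa_fatigue(events)}


if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE_LOG).items():
        for f in findings:
            print(kind, f)
```

On the sample above the spray detector reports 203.0.113.7 failing against six accounts in ten seconds and ignores grace's two typos, and the MFA detector reports dave receiving four rejected pushes followed by an approval, which is exactly the sequence a broker would sell as verified access. Thresholds should be tuned per environment: a large VPN concentrator may see a handful of distinct failing users from one NAT address in normal operation.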

Initial access brokers use such attack methods across industries. Researchers and law enforcement have witnessed them selling access to private networks and systems of organizations in government, healthcare, financial services, critical infrastructure, retail and more.

What role does an access broker play in the RaaS model?

Ransomware attacks have been on the rise in recent years, leading to many high-profile data breaches. Such attacks have major consequences for enterprises, including operational disruptions, regulatory penalties and reputational damage. In some cases, such as in the healthcare industry, ransomware attacks can even put lives at risk.

Like IABs, RaaS operators are also service providers. Having bought initial access to corporate networks, they can package and resell it, bundled together with other elements, such as the ransomware payload, payment portals and campaign dashboards, to enable targeted attacks. RaaS buyers, often called affiliates, can then easily run ransomware campaigns, even if they lack the inclination or skills to develop them on their own.

The partnership between initial access brokers and ransomware operators is mutually beneficial, with the former streamlining and accelerating the ransomware attack cycle by providing illegal footholds in corporate networks. In purchasing initial access, ransomware gangs can bypass the time-consuming and resource-intensive process of hacking into individual organizations' networks.

Many of today's most prolific ransomware groups rely on access brokers to pave the way for full-scale cyberattacks.

Future of initial access brokers in cybercrime threats

IABs have proven to be a valuable resource to ransomware groups by removing much of the work involved in orchestrating full-scale cyberattacks. Accordingly, security professionals and researchers anticipate that, as cybercrime organizations continue to increase in size and profitability, so will IABs.

Initial access brokers play a vital role in the ransomware ecosystem and are at least partially responsible for the increase in attacks organizations face today. Because brokers trade primarily in stolen credentials and exposed remote access, the controls that cut off their supply are the familiar ones: phishing-resistant MFA, prompt patching of internet-facing VPN and RDP services, limiting which systems are reachable from the internet at all, and monitoring authentication logs for credential stuffing, password spraying and MFA fatigue. Organizations should work internally across teams and leadership to put these controls in place and enforce stricter access control.

Amanda Scheldt is a security content writer and former security research practitioner.
