How the Initial Access Broker Market Leads to Ransomware Attacks

To carry out a ransomware attack, cybercriminals must first gain access to their victim’s PC or network.

Gone are the days when ransomware was limited to malware that targeted individuals with fake threats from organizations like the FBI or IRS, demanding payment via a PC pop-up after encryption.

Now, while individuals can still encounter ransomware – especially when anti-virus programs aren’t in use – corporations are the big game that criminals hunt.

Time is money in the corporate world, and ransomware has exploded in recent years to become an almost separate cybercriminal activity. As a result, “sub-services” have sprung up to aid ransomware developers in deploying their illicit creations, ranging from language services to handle ransom payment negotiation to initial access brokers (IABs) that offer the secret access to a network required in the first stage of a ransomware attack.

As shown in new research by KELA, the ransomware-as-a-service (RaaS) economy relies on IABs to reduce the need for extensive reconnaissance or the time it takes to find an entry method.

On average, IABs sell initial access for $4,600, and sales take between one and three days to complete. In cases identified by the cybersecurity firm, once access is purchased, it takes up to a month for a ransomware attack to take place – and potentially for the victim to then be named and humiliated on a leak site .



At the very least, five known Russian-speaking ransomware operators use IABs: LockBit, Avaddon, DarkSide, Conti, and BlackByte.

KELA conducted a review of past security incidents involving these ransomware groups. The first is LockBit, whose attack started against Bangkok Airways due to AnyConnect VPN access offered by a malicious actor called “babam”.

While it’s unclear exactly who bought access to Bangkok Airways, on August 23, 2021 – not yet a month after access was offered in underground forums – the airline was infected with ransomware . Two days later, Bangkok Airways appeared on the LockBit leak site.

“Bangkok Airways did not disclose any investigative details, but based on the timeline, it is highly possible that the attack was carried out using purchased access,” the researchers noted.



In an attack by Avaddon, access to a United Arab Emirates steel supplier was listed for sale on a forum in a post dated March 8, 2021. Three weeks later, the company appeared on the Avaddon domain. (This group is said to have shut down and a tool was made available to generate decryption keys.)

DarkSide is infamous for an attack on Colonial Pipeline that caused panic buying of fuel in the United States. However, in a separate incident on January 16, 2021, the same IAB “babam” tried to sell access to mining technology company Gyrodata.

Two days later, the access was declared as sold, and between January 16 and February 22, an unauthorized actor roamed the firm’s networks. On February 20, DarkSide released the company’s name as the victim.

In another case, access to a US manufacturer was sold on October 8, 2021 for $800. Within two weeks, Conti exposed the company on its leak site and some stolen data was also released online.

Ransomware attacks against high-profile targets aren’t going away any time soon. Just before the Super Bowl kicked off, the San Francisco 49ers became the latest victim of BlackByte, which also named the organization on a leaked website.

Previous and related coverage

Do you have any advice? Get in touch securely via WhatsApp | Signal at +447713 025 499, or more at Keybase: charlie0

Comments are closed.