Every few months, enterprising cyber criminals are offering new services to enable cybercrimes, thefts and paid ransoms. These new “services” make crime easier for lower skilled criminals and increase profits for all members of the ransomware supply chain. TM: General Mills
Cyber threat actors who want to take down bigger targets more easily and quickly, ransomware gangs are increasingly tapping initial access brokers, who sell ready access to high-value networks. On average, such access is sold for $1,500 to $2,000, says a threat intelligence analyst at Israeli cyber threat intelligence monitoring firm Kela. "Some of them are looking for one buyer and state that they’re ready to work for a percentage, most likely meaning a share from the amount gained in a successful ransomware attack." She added, "For such a sum, threat actors usually offer domain admin-type of access to medium-sized companies with hundreds of employees.”
Using initial access brokers enables attackers to avoid the time-consuming, laborious process of finding victims and attempting to hack them. Instead, they can see a menu of potential victims and pay for remote access credentials that are guaranteed to work. The researcher writes in a new Kela report that over the last three months of 2020, she counted 242 initial network access offers for sale across three cybercrime forums with a total asking price of $1.2 million.
During that time frame the average price per access was $6,684, the median price was $1,500 and the highest single price listed was 7 bitcoins, which at the time could have been worth about $130,000. But 24% of offers did not list a price. While the number of access offers being sold declined from month to month and many are now "being traded in private conversations," which makes it difficult to ascertain the quantity and selling price of everything that's being sold.
The most common types of access being sold comprising 45% of what is publicly on offer are credentials for remote desktop protocol or VPNs; details of a vulnerability in the victim's system that facilitates remote code execution, aka RCE; and access to Citrix products. Using RDP or VPN to gain access, "an intruder can move laterally and eventually can succeed in stealing sensitive information, executing commands and delivering malware," she says. "The RCE vulnerability type of initial access is usually limited to the ability to run code using a specific vulnerability, which allows actors to pivot further within the targeted environment."
In about half of all listings, initial access brokers do not specify what type of access they are selling or they may just list the level of access that a buyer could gain, such as "admin or user, local or domain," she says. In other cases, brokers sell remote access to remote control software, such as ConnectWise and TeamViewer, running in a victim's organization, she says, "which can provide actors with RDP-like capabilities."
Security experts say demand for initial access brokers' services has been surging. Using these brokers can help gangs more quickly take down larger targets via what is known as big game hunting.
In 2018, the sum of all prices for access information being offered by initial access brokers was about $1.6 million and involved about 37 active sellers, says cybersecurity firm Group-IB. But by the first half of 2020, the sum of all such access being sold had increased to $6.2 million, with 63 active sellers. Of those, 52 had only begun selling access credentials in 2020, thus demonstrating an influx of new sellers. More ransomware gangs, including Ransomware-as-a-Service (Raas) operators, have shifted to big game hunting because of the return on investment that it offers. For about the same effort, hitting a larger target enables a ransomware operator to demand a bigger ransom.
Using initial access brokers helps facilitate that strategy. For example, ransomware incident response firm Coveware reported that in Q4 2020, the average ransom payment was $154,108. For many ransomware operations, which are run as profit-making illicit businesses, spending $2,000 for remote access to facilitate such a return is a no-brainer.
Historically, initial access brokers advertised their services on cybercrime forums and marketplaces. Some brokers appear to have long-term relationships with certain ransomware gangs, affiliates or middlemen, and offer them first right of refusal before making access offers available to others, Kela reports. But late last year, they reported seeing a reversal: The Darkside ransomware operation posted that it was actively seeking new partners who could give it access to US businesses with annual revenue of at least $400 million.
That was the first time researchers saw "ransomware operators offering initial access brokers the opportunity to directly trade with them" instead of leaving such relationships to "affiliates or other middlemen." Beyond seeking to build partnerships, another trend has been discretion. Many initial access brokers only supply a full list of access offers, or prices, directly to potential buyers via private communications, rather than listing all of that information on cybercrime markets.
"While such behavior always existed, there is a more recent trend that emerged these past couple of months, brokers often offer a bunch of accesses in one thread and request potential buyers contact them privately to get the whole list," according to Kela. "Some of them are looking for one buyer and state that they’re ready to work for a percentage, most likely meaning a share from the amount gained in a successful ransomware attack."
As ransomware gangs continue to innovate including hiring more specialists and using data-leaking sites to pressure victims as do individuals who can provide them with remote access to juicy-looking targets. Thus the Cybercrime-as-a-Service ecosystem continues to evolve and grow – which is not good.
The following is what Red Sky Alliance recommends:
- All data in transmission and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement 2-Factor authentication-company wide.
- For USA readers, join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
At Red Sky Alliance, we can help cyber threat teams with services beginning with cyber threat notification services, and analysis. Our analysts are currently monitoring and collecting on 60+ dark web forums, 20 ransomware forums, 49 forums and marketplaces: of which 25 are forums [info only] and 24 are marketplaces [stolen data]. We can help protect all levels of a company to avoid any network disruptions.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
Pic: TM - General Mills