Initial Access Brokers Are Key to Rise in Ransomware Attacks

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

This report provides an overview of the tactics, techniques, and procedures (TTPs) used by cybercriminals on dark web and special-access sources to compromise networks, deploy infostealer malware, and obtain valid credentials. These threat actors, dubbed “initial access brokers”, represent a specialized industry within the cybercriminal underground that enables a significant majority of ransomware attacks. This report includes information gathered using the Recorded Future​®​ Platform, dark web sources, and open-source intelligence (OSINT) techniques. This is a high-level summary of the chain of events that enable a ransomware attack. It is intended to provide an overview for cybersecurity professionals with non-technical backgrounds or roles.

Executive Summary

Threat actors can gain initial access to networks through infostealer malware infections, initial access brokerage services on dark web and special-access forums, or the purchase of infostealer logs from dark web shops and marketplaces. Other attack vectors, such as phishing, spearphishing, and code injection, are also common on dark web and special-access forums, but their immediate effects are often much less public and visible than the sale of compromised credentials. Using BlackMatter and Conti as examples, we examine the role of credential access in the execution of the attack, from initial access to ransomware deployment. We provide mitigations for credential breaches, infostealer malware infections, and ransomware attacks, as well as our assessment of the future of these tools and the larger ransomware threat landscape.

Key Judgments

• To conduct a successful ransomware attack, threat actors require remote access to compromised networks. The most common method by which threat actors obtain access is through the use of compromised valid credential pairs, which are often obtained via infostealer malware and sold on dark web and special-access sources.
• Compromised credentials are often sold on dark web and special-access forums and shops to ransomware affiliates, who use such access to move laterally through systems, escalate privileges, and use malware loaders to deploy ransomware.

Background

Threat actors require remote access to compromised networks to conduct successful attacks, such as malware loader deployment, data exfiltration, or espionage campaigns. These compromised access methods, often sold on dark web and special-access forums, are the work of specialized threat actors colloquially referred to as “initial access brokers” (IAB). IABs use several tools and TTPs to obtain such access, including obtaining valid credential pairs and session cookies from the successful deployment of infostealer malware, the purchase of infostealer “logs” or “bots” on dark web shops, credential stuffing, adversary-in-the-middle attacks, phishing, remote desktop protocol (RDP) “brute force guessing”, and more.

The most common credential pairs that appear for sale or auction on top-tier dark web and special-access sources, such as Exploit and XSS, are for corporate virtual private networks (VPNs), RDP services, Citrix gateways, web applications and content management systems (CMS), and corporate webmail servers (business email compromise, or BEC). Less common, but more sought-after, are ESXi root and Active Directory (AD) access methods, zero-day and n-day vulnerabilities, code injection points (HTML, SQL), and others. This report will outline the typical process by which an initial access broker obtains compromised access methods and sells them on dark web and special-access sources, and the use of such methods to conduct a successful ransomware attack.

Editor’s Note: This post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.