Ransomware actors and access brokers form lucrative relationships

When ransomware teams need access to launch their attacks, they contact initial access dealers, malicious actors who offer to sell compromised network access to cybercriminals.

As key enablers of the financially motivated cybercriminal underground, these brokers sell network access on popular cybercriminal forums, with prominent players on the scene for over a decade.

A intel report 471 examines the evolving relationship between these two parties and indicates that as ransomware continues to proliferate, operators will increasingly recognize the benefits of buying access from merchants.

Ransomware and access brokers: a cyberunderground ecosystem

Brad Crompton, CTI Director for Intel 471, explained that there are both access brokers and ransomware operators in the complex cyberunderground ecosystem, operating on forums, marketplaces and in some cases , only with trusted contacts.

“Currently within the cyberunderground, this relationship exists in two forms: opportunistic and targeted,” he said.

In opportunistic form, access brokers target organizations globally without a list of targets. They then publicly offer access for sale on several forums or underground criminal marketplaces.

“Afterwards, access is purchased, by chance, by the ransomware operators,” Crompton explained.

He added that although the targeted form is very difficult to observe and track, Intel 471 discovered that some ransomware operations have preferred access brokers that they will consistently use to gain access to corporate networks, placing them on a warrant for their services.

“It’s becoming more and more common, though, not just with ransomware operators,” he said.

Access brokers who are more concerned about their operational security (OPSEC) choose to only do business with trusted contacts in the cyberunderground, making it even more difficult for them to be tracked and thwarted.

“Additionally, these access brokers who operate in this targeted manner will either have lists of organizations that, if compromised, will notify the chosen buyer of the access they have acquired, or will actively try to compromise business listings for their buyers,” he said.

Intel 471 also identified ransomware blog posts before access brokers offered access to the same organizations.

Crompton said it’s also possible that access brokers are working with the ransomware group and/or their affiliates to identify relevant information about the compromise. This, in turn, creates an opportunity for access brokers to subsequently use the information after an organization has been compromised.

John Bambenek, principal threat hunter at Netenrich, a SaaS security and operations analytics company, pointed out that in many ways the cybercrime ecosystem has developed similarly specialized “career areas.” way that cybersecurity has developed specializations.

“That means there are many other partnerships and boutique players helping a variety of groups,” he said. “Getting initial access is a specialized skill set, much like cryptocurrency money laundering and ransomware development are skill sets. This specialization makes the ecosystem more resilient and harder to bring to justice. .

He said more steps are needed to achieve the overall ransomware goal, which means there are additional points of interdiction and detection.

“PowerShell and GPOs are the soft underbelly of most organizations,” he explained. “If you tightly control those two things so that nothing can be rolled out enterprise-wide without strong controls, you’ll be fine.”

Bambenek added that ransomware is, fundamentally, the only true disaster recovery event that organizations will need to prepare for.

“You can prevent most ransomware, but attackers are constantly evolving,” he said. “What you can prepare for is having a fast disaster recovery process and making sure your staff is dusting off those CISSP books.”

Ivan Righi, principal cyber threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, noted that the whole process of ransomware has become more like a legitimate business and groups are learning the easiest ways. more effective in carrying out attacks.

“It’s faster and more profitable for ransomware groups to simply buy lots of access and carry out multiple attacks at once instead of spending a lot of time trying to break into a single organization,” he said. -he declares. “This means attacks are moving away from ‘big game hunting’ and we’re seeing smaller organizations more frequently targeted by ransomware groups.”

Righi added that large ransomware groups will likely try to recruit more initial access brokers into their operations in the future.

“By working with these threat actors, ransomware groups can increase the number of attacks they carry out, which translates to higher profits and a more visible brand,” he said. “These relationships are likely to continue to evolve and further professionalize the ransomware industry.”

To protect against these attacks, it is essential that organizations monitor criminal sites for asset-related exposures, such as stolen credentials or access offers.

Organizations should also ensure that two-factor authentication (2FA) is enabled whenever possible, minimize the attack surface of remote services, adopt a risk-based approach to vulnerability management, and remediate regularly. high-risk vulnerabilities.

“Protecting against these threat actors means shutting down as many attack vectors as possible,” Righi said. “While it’s impossible to shut down all attack vectors, organizations that make themselves harder targets are less likely to be targeted and threat actors will generally move on to easier targets.”

Crompton said that over the next six to 12 months that relationship is unlikely to change, with more “veteran” access brokers continuing to do business only with ransomware groups.

“However, as new ransomware variants are developed, we are likely to see access brokers doing business with multiple groups to maximize their profits,” he explained. “Furthermore, as new players take on the role of access broker within the cyberunderground, it is highly likely that we will see more businesses affected, which in turn will likely lead to more large number of ransomware events.”

He added that it is also possible that ransomware operations will actively incorporate, if they have not already done so, the role of access merchants in their operations as a singular job for which they will receive a share of the profits. , just like ransomware affiliates.

“In terms of IT security evolution, the most important thing will be to increase cybersecurity mechanisms throughout the organization and use a CTI provider to stay ahead of the curve,” he said. he declares. “Prevention is better than cure and IT security is no different.”