What are Initial Access Brokers?

Ransomware attacks are on the rise and for the victims of these crimes it is a costly problem. For players on the other side, however, the trend offers new ways to make money. An example is the role of the initial access broker.

The most profitable ransomware attacks can only be carried out by accessing a secure network first, and cybercriminals don’t always have the ability to pull this off. Instead, they can purchase the necessary access from a broker.

So what are initial access brokers and how can you protect yourself from them?


What are Initial Access Brokers?

Initial access brokers are malicious actors who provide access to secure networks for a fee. They are often hackers, but they can also access networks using social engineering.

Their motivation is not to carry out cyberattacks themselves but rather to sell access to another party. Due to the profitability of ransomware attacks and other cyberattacks, there are many potential buyers for such a product.

This allows initial access brokers to make significant profits even if they only play a minor role in cybercrime as a whole.

How Initial Access Brokers Get Access

Initial access brokers use a variety of techniques to gain access to secure networks. If a network uses outdated software, hackers may be able to break in quickly. They may also attempt to determine user credentials using brute force techniques such as password spraying. Or they may try phishing or spear phishing attacks against known users.


What types of access do they sell?

Initial access brokers primarily sell user credentials. Once obtained, they allow their holder to access a network in the same way as a legitimate user.

User credentials are mainly sold for remote desktop protocols and VPNs. Some initial access brokers also take the idea further by installing remote management software on compromised servers. The credentials for this software are then sold to provide convenient access.

After purchasing credentials, an attacker can search for valuable information, possibly disable security features, and install any program of their choice. In other words, credentials can be used to launch a wide range of cyberattacks.

Who buys from initial access brokers?

Initial access brokers primarily sell to ransomware operators. They sell to the highest bidder, and ransomware tends to be the most profitable way to use their product. But initial access can also have value for other parties. If a server contains confidential information, user credentials may be purchased for the purpose of obtaining it.

Initial access brokers sell their products on dark web marketplaces. Their product pages include information such as server type, access level, and the revenue of the company the server belongs to. This makes it easy for cybercriminals intending to launch a specific type of cyberattack to find appropriate credentials for that purpose.


The price of initial access varies from less than one hundred dollars to several thousand. Credentials are usually priced based on the revenue of the company owning the network.

How Initial Access Brokers Are Causing an Increase in Ransomware Attacks

Ransomware is not a complicated software product. It is also widely available for purchase on the dark web. Many ransomware operators are not expert hackers. They are ordinary people in possession of a powerful tool.

The ability to make money from ransomware is therefore not dictated by technical ability or even access to the software. It is limited by the fact that it is difficult to find networks on which to carry out attacks.

Large organizations spend large sums of money securing their networks precisely to prevent this. Breaking in therefore requires a lot of effort, and many infiltration attempts prove unsuccessful.


Initial access brokers remove this barrier to entry. They step in and announce that they have already done all the hard work. For a small fee (compared to the potential profits), anyone can access the network of an otherwise professional organization.

This has significant effects on the ransomware industry as a whole.

It provides an efficient division of labor allowing all parties to focus on what they do best. Hackers can monetize their ability to gain rapid access to networks, and ransomware groups can focus exclusively on the extortion side.

It also allows people with limited technical expertise to carry out attacks without learning anything. Ransomware is often sold with user instructions and customer support. The initial access brokers then provide the user credentials needed to take advantage of it.

Another problem with initial access brokers is that they add another layer to the ransomware industry. If the author of a ransomware attack is prosecuted, the initial access broker who provided the access is unlikely to be prosecuted, and vice versa. This makes tracking down and preventing ransomware attacks more difficult overall.

How to Protect Against Initial Access Brokers

Initial access brokers don’t target individuals because it’s just not profitable to do so. Instead, they target businesses. If you are in charge of a potentially valuable network, there are many steps you can take to make access more difficult.

  • All software should be kept up to date with patches installed immediately after release. This prevents malicious actors from exploiting known vulnerabilities.
  • Anyone with access to a network should be aware of the threat posed by phishing and spear phishing emails.
  • The use of strong passwords should be enforced for all users. Users should also be prevented from using the same password in multiple accounts.
  • The use of multi-factor authentication should be enforced. If access to a network requires an additional form of authentication, the user’s stolen credentials are rendered ineffective.
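
These controls work best alongside monitoring for the password spraying against VPN and remote desktop logins described earlier. The following is an added example, not code from the original article: it scans login events for one source address failing against many different accounts and reports any login that then succeeded without multi-factor authentication. The event fields, sample data, and thresholds are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs):
# (timestamp, source IP, username, service, outcome, MFA completed)
SAMPLE_EVENTS = [
    ("2024-01-10T02:00:05", "203.0.113.7", "alice", "vpn", "fail", False),
    ("2024-01-10T02:00:40", "203.0.113.7", "bob", "vpn", "fail", False),
    ("2024-01-10T02:01:15", "203.0.113.7", "carol", "vpn", "fail", False),
    ("2024-01-10T02:01:50", "203.0.113.7", "dave", "vpn", "fail", False),
    ("2024-01-10T02:02:25", "203.0.113.7", "erin", "vpn", "fail", False),
    ("2024-01-10T02:03:00", "203.0.113.7", "frank", "vpn", "success", False),
    ("2024-01-10T09:00:00", "198.51.100.20", "alice", "vpn", "fail", False),
    ("2024-01-10T09:00:30", "198.51.100.20", "alice", "vpn", "success", True),
]

def detect_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs whose failed logins cover >= min_users distinct accounts
    inside one time window, plus any login that then succeeded from that IP.
    window and min_users are illustrative thresholds (assumptions)."""
    by_ip = defaultdict(list)
    for ts, ip, user, service, outcome, mfa in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, service, outcome, mfa))
    alerts = []
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r[0])
        recent = deque()  # failed attempts still inside the window
        spray_start = None
        for ts, user, _svc, outcome, _mfa in rows:
            if outcome != "fail":
                continue
            recent.append((ts, user))
            while ts - recent[0][0] > window:
                recent.popleft()
            if len({u for _, u in recent}) >= min_users:
                spray_start = recent[0][0]
                break
        if spray_start is None:
            continue
        hits = [{"user": u, "service": s, "mfa": m}
                for ts, u, s, o, m in rows if o == "success" and ts >= spray_start]
        alerts.append({"source_ip": ip, "spray_start": spray_start.isoformat(),
                       "successful_logins": hits,
                       "password_only_success": any(not h["mfa"] for h in hits)})
    return alerts

if __name__ == "__main__":
    for alert in detect_spraying(SAMPLE_EVENTS):
        print(alert)
```

An alert with password_only_success set means a sprayed password was enough on its own to log in, so that account needs a password reset and MFA enrollment first.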

Initial access brokers are a significant threat to be aware of

Initial access brokers pose a significant threat that businesses should be aware of. Once they gain access to a network, they advertise the opportunity on the dark web and hand over the credentials to the highest bidder.

This gives the buyer the opportunity to steal information or install ransomware that requires a large financial outlay to fix.

To prevent this type of intrusion, it is important to secure networks by regularly updating software and ensuring that all users act responsibly.

