Initial Access Brokers


As shown in numerous reports over the last few years, ransomware is an attack method employed by threat actors that is not going away anytime soon. If anything, the malicious practices and distribution of ransomware is evolving to become big business on the dark web.

Ransomware is a type of malware that encrypts its victim’s files. The threat actor then demands a ransom from the victim before they agree to restore access to the victims encrypted data. Victims are provided explicit instructions that they must pay a fee to receive the decryption key. The costs of said ransom can range from a few hundred dollars to thousands, typically payable to cybercriminals exclusively in Bitcoin.

Those costs have been steadily increasing as a result of several factors. First, the success of the method, as a result of victims paying ransoms, even at the request of their insurers, and second as a direct result of the developing partnerships emerging around the globe.

Criminal Brokers: Connecting Criminals with Victims

Historically, one of the most common delivery systems, for ransomware, are carefully crafted phishing campaigns. Masquerading as an email they should trust, victims are typically exposed to ransomware via malicious email attachments or watering-hole attacks. Once these attachments are downloaded and executed, they can take over the victim’s computer and ultimately propagate within their network. This delivery system has proven itself to be extremely successful, with countless victims, individuals and organizations alike, falling prey to crafty campaigns designed to fool users. However, as is the case with all successful ventures, legal or criminal, the process and delivery have evolved beyond their origin.

Necessarily, as organizations and individuals have become more aware of phishing and less trusting of their inbox contents, ransomware distribution has become increasingly complex and calculated. Where ransomware distribution once operated by launching mass email campaigns, today, we see a series of multifaceted cybercrime cartels, each with specific skills, tools, and ever-expanding budgets.

Initial Access Brokers

Today, ransomware gangs rely on multi-level partnerships, with each tier delivering on one specific element of the larger cybercrime operation. One particular group of individuals are known as “initial access brokers.” These groups function as middle-men in a supply chain of the criminal underground, providing ransomware gangs with access to large collections of compromised systems, ripe for the taking.

The compromised systems typically consist of compromised systems/credentials, malware-infected systems and backdoored networking devices which allow ransomware gangs to seamless access to corporate networks where they move laterally throughout the network and encrypt the victim’s files for ransom.

Types of Access Brokers

Initial access brokers, as previously noted, are the “middlemen” of ransomware attacks. The demand for their services continues to grow as ransomware-as-a-service, or “RaaS”, gains immense popularity. As evidence, their listings on the dark web have gradually increased over the past few years. Ransomware operators, who are looking for would-be victims, find these listings posted by initial access brokers containing often-ambiguous descriptions of organizations they’ve managed to successfully breach.

Initial access brokers have become a crucial part of today’s cybercrime operations. Currently, three varieties of initial access brokers stand out as the chief sources of most ransomware attacks witnessed today including the sale of compromised systems infected with a backdoor/malware, compromised servers with Remote Desktop Protocol (RDP) exposed, and finally compromised network devices/components.

  • Backdoored Systems: First, there are sellers of computers that have already been already infected with malware. Many of today’s malware botnets will scour through the computers they have infected for systems on corporate networks and then, once identified, sell access to these valuable networks to other cybercrime operations, oftentimes, these are ransomware gangs.

  • Compromised Systems (RDP): Next, there is the criminal distribution of systems compromised via RDP. Cybercrime gangs, or cartels, are now carrying out brute-force attacks against corporate workstations and servers configured for remote RDP access that have been left unprotected on the internet, with weak credentials. These same corporate systems are subsequently sold on aptly named “RDP shops” where ransomware gangs frequently select systems they believe to be located inside the corporate network of a high-value target.

  • Compromised Network Devices: Lastly, there is the distribution of compromised network devices. Initial access brokers are also using exploits for publicly-known vulnerabilities to gain control of a company’s devices and equipment, such as VPN servers, firewalls, or other edge devices. Access to these devices, as well as the internal networks they protect/connect, is, again, brokered on the dark web or to ransomware gangs directly.

Sale & Distribution

After achieving a foothold, initial access brokers stealthily explore the network. Beyond initial access, they may attempt to escalate privileges or move laterally to review and assess just how much information they are able to access. Then, the initial access brokers organize their access information, bundle it up into a well-dressed product, and determine how much value it can earn them on the web.

As mentioned, such listings can be found all across all criminal forums. In fact, many forums have started to create dedicated sections for initial access listings.

In terms of price tag, the rate of each listing typically ranges from $500 to well in excess of $10,000 USD, dependent on the level of access obtained and organization compromised. Expectedly, access to sizeable businesses and organizations with enormous revenues will demand a higher broker cost. And in direct parallel, the greater the revenue, the greater a ransom demands.

When it comes to advertisement, initial access brokers must find a fine line when writing an access listing. While on the one hand, they could detail the value of their access to draw a greater audience and drive up the cost; however, doing so may tip off security investigators, who may be able to identify the victim, remove access and destroy all criminal value to the broker.


The sensitive nature of their activity and the necessary lack of detail in their listings makes it quite difficult to identify initial access brokers. In some cases, evidence of brute-force attempts against corporate servers, failed authentication attempts, evidence of privilege escalation attempts or lateral movement may alert security personnel ahead of the exchange, however, this is often not the case. Ultimately, initial access brokers operate without very much risk since they are not involved in the launch of the final campaign, making the operation very lucrative.

If you have questions about anything you read here or would like to learn more about how Packetlabs can protect your organizations, please contact us!