background image


What is an Initial Access Broker?


What is an initial access broker, and how are they impacting the landscape of Ransomware as a Service?

We answer all of your FAQs in today's blog:

Understanding Ransomware in 2023

As shown in numerous reports over the last few years, ransomware is an attack method employed by threat actors that is not going away anytime soon. If anything, the malicious practices and distribution of ransomware is evolving to become big business on the dark web.

Ransomware is a type of malware that encrypts its victim’s files. The threat actor then demands a ransom from the victim before they agree to restore access to the victim's encrypted data. Victims are provided explicit instructions that they must pay a fee to receive the decryption key. The costs of said ransom can range from a few hundred dollars to thousands, typically payable to cybercriminals exclusively in Bitcoin.

Those costs have been steadily increasing as a result of several factors. First, the success of the method, as a result of victims paying ransoms, even at the request of their insurers, and second as a direct result of the developing partnerships emerging around the globe.

How Dangerous is Ransomware?

Ransomware remains one of the world's top cybersecurity threats in 2023.

Organizations should be aware of the following ransomware statistics:

  • The average ransomware payment is increasing by 82% year-over-year

  • 81% of cybersecurity experts believe that sophisticated ransomware attacks are on the rise

  • Businesses fall victim to a ransomware attack every 14 seconds

  • Ransomware has become one of the most popular forms of cyberattacks, growing 350% since 2018

  • The average cost of a ransomware attack in 2023 is $1.85 million

  • By 2031, a ransomware attack is predicted to happen every two seconds

  • Ransomware accounts for 10% of all security breaches worldwide

  • On average, ransomware-related breaches took 49 days longer than other types of breaches to identify and contain

  • In the first half of 2022 alone, organizations worldwide saw 236.7 million ransomware cyberattacks

What is an Initial Access Broker? What is its Function?

Today, ransomware gangs rely on multi-level partnerships, with each tier delivering on one specific element of the larger cybercrime operation. One particular group of individuals is known as “initial access brokers.” These groups function as middlemen in a supply chain of the criminal underground, providing ransomware gangs with access to extensive collections of compromised systems, ripe for the taking.

The compromised systems typically consist of compromised systems/credentials, malware-infected systems and backdoored networking devices which allow ransomware gangs to seamlessly access corporate networks where they move laterally throughout the network and encrypt the victim’s files for ransom.

Types of Access Brokers

Initial access brokers, as previously noted, are the “middlemen” of ransomware attacks. The demand for their services continues to grow as ransomware-as-a-service, or “RaaS”, gains immense popularity. As evidence, their listings on the dark web have gradually increased over the past few years. Ransomware operators, who are looking for would-be victims, find these listings posted by initial access brokers containing often ambiguous descriptions of organizations they’ve managed to successfully breach.

Initial access brokers have become a crucial part of today’s cybercrime operations. Currently, three varieties of initial access brokers stand out as the chief sources of most ransomware attacks witnessed today including the sale of compromised systems infected with a backdoor/malware, compromised servers with Remote Desktop Protocol (RDP) exposed, and finally compromised network devices/components.

  • Backdoored Systems: First, there are sellers of computers that have already been already infected with malware. Many of today’s malware botnets will scour through the computers they have infected for systems on corporate networks and then, once identified, sell access to these valuable networks to other cybercrime operations, oftentimes, these are ransomware gangs.

  • Compromised Systems (RDP): Next, there is the criminal distribution of systems compromised via RDP. Cybercrime gangs, or cartels, are now carrying out brute-force attacks against corporate workstations and servers configured for remote RDP access that have been left unprotected on the internet, with weak credentials. These same corporate systems are subsequently sold on aptly named “RDP shops” where ransomware gangs frequently select systems they believe to be located inside the corporate network of a high-value target.

  • Compromised Network Devices: Lastly, there is the distribution of compromised network devices. Initial access brokers are also using exploits for publicly-known vulnerabilities to gain control of a company’s devices and equipment, such as VPN servers, firewalls, or other edge devices. Access to these devices, as well as the internal networks they protect/connect, is, again, brokered on the dark web or to ransomware gangs directly.

Initial Broker Sale and Distribution

After achieving a foothold, initial access brokers stealthily explore the network. Beyond initial access, they may attempt to escalate privileges or move laterally to review and assess just how much information they are able to access. Then, the initial access brokers organize their access information, bundle it up into a well-dressed product, and determine how much value it can earn them on the web.

As mentioned, such listings can be found all across all criminal forums. In fact, many forums have started to create dedicated sections for initial access listings.

In terms of price tag, the rate of each listing typically ranges from $500 to well more than $10,000 USD, depending on the level of access obtained and the organization compromised. Expectedly, access to sizeable businesses and organizations with enormous revenues will demand a higher broker cost. And in direct parallel, the greater the revenue, the greater a ransom demands.

How Initial Access Brokers Pair Hackers with Victims

When answering the question of, "What is an initial access broker?" any article would be incomplete without discussing how brokers pair hackers with victims.

Historically, one of the most common delivery systems for ransomware is carefully crafted phishing campaigns. Masquerading as an email they should trust, victims are typically exposed to ransomware via malicious email attachments or watering-hole attacks. Once these attachments are downloaded and executed, they can take over the victim’s computer and propagate within their network.

This delivery system has proven highly successful, with countless victims, individuals, and organizations falling prey to crafty campaigns designed to fool users. However, as with all successful ventures, legal or criminal, the process and delivery have evolved beyond their origin.

Necessarily, as organizations and individuals have become more aware of phishing and less trusting of their inbox contents, ransomware distribution has become increasingly complex and calculated. Where ransomware distribution once operated by launching mass email campaigns, today we see a series of multifaceted cybercrime cartels, each with specific skills, tools, and ever-expanding budgets.

The Role

Regarding advertisements on the dark web, initial access brokers must find a fine line when writing an access listing.

While on the one hand, they could detail the value of their access to draw a greater audience and drive up the cost, doing so may tip off security investigators.

These investigators may be able to identify the victim, remove access, and destroy all criminal value to the broker.


What is an initial access broker, and what is their function in the overall landscape of RaaS?

The sensitive nature of their activity and lack of detail in their listings make it challenging to identify initial access brokers. In some cases, evidence of brute-force attempts against corporate servers, failed authentication attempts, privilege escalation attempts, or lateral movement may alert security personnel ahead of the exchange; however, this is often not the case. Ultimately, initial access brokers operate without very much risk since they are not involved in the launch of the final campaign, making the operation very lucrative.

Are you looking to cement your organization's protection against RaaS and initial access brokers? Reach out today for your free, zero-obligation quote.

Ransomware Penetration Testing

Ransomware penetration testing evaluates the preparedness and risk of a ransomware attack. In addition to a complete analysis of the security program against the Cybersecurity Framework Profile for Ransomware Risk Management (NISTIR 8374), and a technical assessment of security controls, a full penetration test is conducted to measure the robustness of your systems.