Financially motivated hackers look into selling high-value targets

Initial access brokers become more popular in the cybercrime world, with targets mostly in the US

Initial access brokers become a major part of the eCrime threat landscape

Threat actors rely on infecting machines and breaching particular corporate networks to enable future attacks. Reports show that advertisements for such services have surfaced.[1] These brokers can be a vital link in the chain of cyberattacks.

This business model lets threat actors sell access to valuable networks, which allows other criminals to deploy ransomware,[2] launch other malware, conduct espionage, or perform other malicious activity. Such major attacks can end with serious consequences.

Actors have been seen selling such network access for $1,500. The sum may vary depending on the organization's location, size, and sector. Some of the more often targeted countries are the UK and the US. The average price for initial access on dark web forums and markets here can go up to $4,000 and more.

The United States accounts for more than half of all initial access offerings on dark web markets

Researchers at CrowdStrike[3] listed the main targets and revealed more on why access brokers have become a key component of the eCrime threat landscape. It is not so surprising, but these brokers often establish business relationships with ransomware-as-a-service[4] threat groups. These threat actors have been advertising their services since at least 2019 and have set various trends among cybercriminals.

The top 10 targeted countries are:

  • USA
  • Brazil
  • Canada
  • France
  • UK
  • UAE
  • Germany
  • Australia
  • Italy
  • Switzerland.

Initial access brokers can target various sectors, and their focus is mainly on financial extortion, data exfiltration, or cyber espionage. The most profitable sectors are technology, energy, healthcare, financial services, and government-linked organizations, so threat actors keep their focus there.

Does the chain of attacks end with ransomware and money extortion?

Ransomware is one of the major consequences of initial access attacks like this. Often even a minor hack or breach can end in a ransomware attack, since cybercriminals mainly focus on financial gain. Victims of cryptocurrency extortion-based ransomware experience various issues and losses, such as permanent data damage, or financial losses when ransom payments do not translate into guaranteed data recovery.

It is believed that payments can help get the files back and stop the ransomware attack entirely. However, a ransomware attack does not end with the ransom note and the first payment demand. Attackers extort money with double-extortion methods.[5] Also, threat actors rarely recover the files after the payment.

Almost half of the paying victims cannot retrieve the encoded files and still lose both money and files. Nowadays triple extortion is even more popular, and 85% of these attacks include the method, so people are extorted for more money with claims about publishing data obtained from the machine.

The information that ransomware can exfiltrate from infected machines can be exposed publicly and often gets leaked. In addition, criminals make a profit by selling valuable details on the dark web. Ransomware developers are not worthy of trust, so users and larger entities suffering these attacks should try to ignore any messages and make sure to repair files with alternate methods, since there are no universal solutions here.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
