Ransomware’s Helper: First Access Brokers Are Blooming

Cybercrime as a Service

,

Fraud Management & amp; Cyber ​​crime

,

Next Generation Technologies & amp; Safe development

In order to achieve larger goals more easily and faster, ransomware gangs are increasingly resorting to first-time access brokers who sell instant access to high-quality networks.

See also: What is Next Generation AML?

On average, such access sells for $ 1,500 to $ 2,000, says Victoria Kivilevich, a threat intelligence analyst at Israeli cyberthreat intelligence surveillance firm, Kela.

« For that amount of money, threat actors typically offer midsize businesses with hundreds of employees access to domain administrators, » she says.

Types of access

Types of access

By using first access brokers, attackers can avoid the time-consuming and tedious process of finding victims and trying to hack them. Instead, they can view a menu of potential victims and pay for remote access credentials that are guaranteed to work.

Kivilevich writes in a new report from Kela that in the last three months of 2020 it counted 242 initial network access offers for sale in three cybercrime forums with a total price of 1.2 million US dollars.

During that period, Kivilevich said, the average price per access was $ 6,684, the average price was $ 1,500, and the highest single price listed was 7 bitcoins, which could have been worth around $ 130,000 at the time. However, no price was given in 24% of the offers.

Big game hunting

Big game hunting

While the number of access offers sold has decreased month by month, Kivilevich says many are currently « traded in private, » making it difficult to determine the amount and retail price of anything that is being sold.

The top-selling types of access – 45% of what is publicly available – are login information for Remote Desktop Protocols or VPNs. Details of a remote code execution vulnerability in the victim’s system, also known as RCE; and access to Citrix products, says Kivilevich.

By using RDP or VPN to gain access, « an intruder can move sideways and eventually steal sensitive information, execute commands, and deploy malware, » she says. « The nature of the RCE first-time vulnerability is usually limited to the ability to execute code using a specific vulnerability so that actors can keep spinning within the target environment. »

However, in roughly half of all listings, brokers don’t indicate what type of access they’re selling for initial access – or they just indicate the level of access a buyer might get, e.g. B. « Administrator or user, local or domain ». « She says. In other cases, brokers are selling remote access to remote control software like ConnectWise and TeamViewer that runs in a victim’s organization that » provides actors with RDP-like functionality.

Building new relationships

Building new relationships

Security experts say the demand for first-time brokerage services has increased. Using these brokers can help gangs defeat larger targets faster through what is known as big game hunting.

In 2018, the total of all access information prices offered by first-time access brokers totaled approximately $ 1.6 million and affected about 37 active sellers, according to cybersecurity firm Group-IB. By the first half of 2020, the total of all additions sold with 63 active sellers had increased to $ 6.2 million. Of these, 52 had only started selling login credentials in 2020, which shows an influx of new sellers.

More and more ransomware gangs, including ransomware-as-a-service operators, have turned to big game hunting because of the return on investment that it brings. With roughly the same effort, a ransomware operator can ask for a bigger ransom for achieving a bigger goal.

How many sales are there privately?

Using brokers for initial access makes this strategy easier. For example, ransomware company Coveware reported that in the fourth quarter of 2020, the average ransom payment was $ 154,108. For many ransomware companies running as profitable illegal businesses, it is a breeze to spend $ 2,000 on remote access to enable such a return.

In the past, first-time agents advertised their services on forums and cybercrime marketplaces. Some brokers appear to have long-term relationships with certain ransomware gangs, affiliates, or middlemen, and offer them the first right of refusal before providing access offers to others, says Kela’s Kivilevich.

However, late last year it reported a reversal: ransomware operation Darkside announced that it was actively looking for new partners who could give it access to US companies with annual sales of at least $ 400 million.

Ransomware’s Helper: First Access Brokers Are Blooming
4.9 (98%) 32 votes