Back in March 2021, Digital Shadows (now ReliaQuest) published a research report titled Initial Access Brokers: An Excess of Access, analyzing more than 500 access listings across 2020 and initiating a discussion around the figure of Initial Access Brokers (IABs). Ever since, IABs have consolidated their role in the cybercriminal landscape and have now become a fundamental figure in the Ransomware-as-a-Service (RaaS) business model.
At the end of Q1, Digital Shadows (now ReliaQuest) had analyzed over 200 new listings and provided a detailed examination of the data observed in dark web criminal forums, noticing an upward trend compared to 2020. Digital Shadows (now ReliaQuest) are continuing to monitor these criminal actors to extract valuable insights into the victimology, the modus operandi, and the functioning of this complex environment.
Today, we will analyze the data gathered over the second quarter of 2021 and put it in the context of the most recent developments in the ransomware landscape. Trust me; there’s a lot to unpack, so let’s start right away.
What’s been happening in the past months?
As you will probably remember, the second quarter of 2021 began with DarkSide’s ransomware attack on Colonial Pipeline, which disrupted the operations of the US energy operator for several days. Colonial Pipeline was distributing almost half of the oil-related fuels on the American East Coast. This campaign represented a severe cyberattack against critical national infrastructure (CNI) in the United States.
As predicted, this attack resulted in a swift response from US law enforcement agencies, which managed to seize part of DarkSide’s Bitcoin funds, and in the ransomware gang disappearing from the scene. But something possibly more important for the broader ransomware landscape happened when cybercriminal forums like XSS and Exploit decided to ban all things ransomware to avoid unwanted attention from security researchers, journalists, and law enforcement agencies. This means that ransomware gangs’ operators and affiliates were widely banned from these platforms, and discussions around ransomware were deleted, too.
A question inevitably arises: what happened then to IABs?
This development in the ransomware landscape didn’t entirely disrupt IABs’ operations. In fact, theoretically speaking, the accesses sold by IABs could be used for a broad array of malicious purposes (think about wiping data, installing crypto miners, deploying spyware, etc.) and rarely specifically mention ransomware. However, as we all well know, ransomware is clearly one of the most profitable criminal enterprises you can set up with those accesses and is undoubtedly the most common use for threat actors.
Consequently, IABs kept doing their work undisturbed most of the time. We’ve observed some IABs moving to other cybercriminal forums, and others have moved their business infrastructure to private messaging channels. Additionally, we’ve observed ransomware groups avoiding outright mentioning the purpose of their criminal program and attempting to recruit for IABs with careful wording to avoid being banned.
Despite all the changes just mentioned, the market for IAB listings hasn’t decreased at all in the past three months. On the contrary, in Q2, Digital Shadows (now ReliaQuest) collected over 250 accesses, an increase from the first quarter of 2021, listed for an average of $2,578 per access (a slightly higher number than in the last quarter, when the average was $1,923).
North America and Europe remain the most targeted regions
As we observed in our previous reports on IABs, North America and Europe have remained the most targeted regions by these actors, with a combined 70% of the total listings observed in Q2. While victims in North America were mostly based in the United States, the European targets were evenly spread out among several countries. The most targeted European country in Q2 was France, soon followed by the United Kingdom, Italy, and Germany.
American companies were the most targeted by Initial Access Brokers in this quarter, comprising 39% of victim listings in cybercriminal forums – Photon Research
Companies based in North America were also the most financially rewarding for IABs, with an average cost of $3,114 per access. Asian organizations soon followed with an average of $2,824, along with the Middle East ($2,523) and Europe ($2,044). On the other hand, listings were particularly cheap in Australasia ($600) and South America ($474).
Access to Financial Services companies becomes the most expensive
No specific vertical emerged as heavily targeted, hinting at these cybercriminals’ indiscriminate nature. Initial Access Brokers often go for the “low-hanging fruit” in the security landscape to optimize their chances of gaining access. Therefore, the landscape of the industries being targeted the most by Initial Access Brokers in Q2 was evenly distributed.
Although no industry vertical stood out from the others in how often it was targeted, it would be a mistake to think that IABs treat every access the same when it comes to geography and pricing. The geographical region of the targeted organization and the access type associated with the listing heavily influence the price asked by IABs.
The Retail sector was the most targeted and maintained the second-highest average price per access in Q2 – Photon Research
As you can see from the graph above, we observed the Financial Services industry overtake the Energy, Oil, and Gas sector as the most expensive within IABs’ listings in Q2. On average, access to an organization operating in the Financial Services sector was listed at $5,518 per access – more than $3,000 more per access compared to our Q1 data. Another impressive bit of data comes from the Retail sector, where the average price of a single access skyrocketed to $4,404, after an average price of $558 in the first quarter of 2021.
Remote working tools persist as IABs’ favorites
As we initially wrote in our blog on the Targets And Predictions For The COVID-19 Threat Landscape, remote working tools such as Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) are at high risk of being compromised and exploited by threat actors attempting to capitalize on the changes brought about by the COVID-19 pandemic. According to our data, this observation remains very much true, as these two tools make up more than two-thirds of the total accesses advertised by IABs in Q2.
Access via VPN and/or RDP comprises 70% of the total listings observed over Q2 – Photon Research
Since we started producing research on IABs, RDP has been central to our analysis. Cybercriminals can easily scan the internet to find exposed RDP services with weak credentials to leverage for their malicious operations, as we discussed in our blog titled Mapping MITRE ATT&CK To Compromised RDP Sales. The same mechanism can be applied to VPN, a utility that has become increasingly popular since the pandemic outbreak in the early months of 2020.
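The weak-credential RDP compromise described above leaves a recognizable trace in Windows Security logs: a burst of failed RemoteInteractive logons (Event ID 4625, LogonType 10) from one source, often across several accounts, followed by a success (4624). The following detection is an added example, not code from Digital Shadows or the report; the event records are constructed, and the thresholds are assumptions to be tuned for your estate.

```python
# Added example (not from the Digital Shadows report): flag RDP credential
# attacks in Windows Security events. Constructed sample records mimic
# Event ID 4625 (failed logon) / 4624 (successful logon) with LogonType 10
# (RemoteInteractive, i.e. RDP). Thresholds are assumptions; tune them.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, logon_type, user, source_ip)
EVENTS = [
    ("2021-06-01T02:00:01", 4625, 10, "admin", "203.0.113.7"),
    ("2021-06-01T02:00:03", 4625, 10, "administrator", "203.0.113.7"),
    ("2021-06-01T02:00:05", 4625, 10, "backup", "203.0.113.7"),
    ("2021-06-01T02:00:08", 4625, 10, "svc_sql", "203.0.113.7"),
    ("2021-06-01T02:00:11", 4625, 10, "jsmith", "203.0.113.7"),
    ("2021-06-01T02:00:14", 4624, 10, "jsmith", "203.0.113.7"),  # weak password guessed
    ("2021-06-01T09:15:00", 4625, 10, "jdoe", "198.51.100.4"),   # single typo, benign
    ("2021-06-01T09:15:20", 4624, 10, "jdoe", "198.51.100.4"),
    ("2021-06-01T09:30:00", 4625, 3, "jdoe", "198.51.100.4"),    # network logon, not RDP
]

WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 5   # failures from one source within WINDOW
SPRAY_ACCOUNTS = 3   # distinct accounts tried from one source within WINDOW


def rdp_alerts(events, window=WINDOW, fail_threshold=FAIL_THRESHOLD,
               spray_accounts=SPRAY_ACCOUNTS):
    """Return {source_ip: [alert kinds]} for RDP (LogonType 10) credential attacks."""
    failures = defaultdict(list)  # source_ip -> [(timestamp, user)] within window
    alerts = {}
    for ts, event_id, logon_type, user, ip in sorted(events):
        if logon_type != 10:      # only RemoteInteractive (RDP) logons matter here
            continue
        t = datetime.fromisoformat(ts)
        # Keep only failures from this source that fall inside the sliding window.
        failures[ip] = [(ft, fu) for ft, fu in failures[ip] if t - ft <= window]
        if event_id == 4625:
            failures[ip].append((t, user))
            users = {fu for _, fu in failures[ip]}
            if len(failures[ip]) >= fail_threshold or len(users) >= spray_accounts:
                alerts.setdefault(ip, set()).add("brute_force_or_spray")
        elif event_id == 4624 and len(failures[ip]) >= fail_threshold:
            # A success right after a burst of failures: the guessed credential worked.
            alerts.setdefault(ip, set()).add(f"success_after_failures:{user}")
    return {ip: sorted(kinds) for ip, kinds in alerts.items()}


if __name__ == "__main__":
    for ip, kinds in rdp_alerts(EVENTS).items():
        print(ip, kinds)
```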
Mitigation strategies and further actions
This quarterly analysis of IABs’ listings provided further insights into this cybercriminal category’s evolving landscape. Constantly observing how the IABs environment evolves over time is key to understanding trends and patterns in this malicious activity, along with offering precious insights into how ransomware actors behave over time. Looking ahead, one of the most intriguing aspects of this phenomenon relates to the price and the variety of access types being used by IABs over the coming months.
Monitoring how the IAB market and IABs’ preferred techniques evolve over time can significantly help security professionals prioritize their efforts to reduce their attack surface and digital exposure. The wide variety of industries and countries targeted means that any company is at risk of being targeted by these cybercriminals. Additionally, IABs tend to pick their victims based on opportunistic calculations. This means that making yourself a difficult target for the least sophisticated actors is one of the best defense strategies against these cybercriminals. If you’re interested in specific mitigations for several access types, feel free to download our free Initial Access Brokers research report.
Having an in-house or outsourced Cyber Threat Intelligence team monitoring the surface, deep, and dark web can go a long way in identifying relevant listings and observing access trends. If provided with timely, relevant, and actionable intelligence, defenders can prioritize security efforts toward the most significant threats. If you’d like to see your exposure and get access to a threat intelligence library of threat actors relevant to your industry and geography with suggested mitigations, request a free demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.