Not all ransomware gangs break into targeted networks themselves. They often purchase access to victims’ networks from other cybercriminal groups and initial access brokers (IABs) on dark web forums. IABs are cybercriminal affiliates who breach a corporate network via brute-force or phishing attacks and then sell that access to other threat actor groups.
Ransomware operators advertise their requirements, and affiliates respond by offering a variety of products and services such as malware backdoors, compromised credentials, and access to corporate systems. After analyzing various advertisements of ransomware gangs on the dark web, threat intelligence firm KELA listed the criteria that ransomware operators look at before selecting a victim.
“In July 2021, KELA observed threat actors creating multiple threads where they claimed they are ready to buy accesses and described their conditions. Some of them appear to use access for deploying info-stealing malware and carrying out other malicious activities. Others aim to plant ransomware and steal data. KELA explored what is valuable for threat actors buying accesses, especially ransomware attackers, and built a profile of an ideal ransomware victim,” KELA said.
Attackers select their ideal victim based on:
- Geography – According to KELA, 47% of attackers mentioned the desired location of victims as the U.S., followed by Canada (37%), Australia (37%), and European countries (31%).
- Revenue – The average minimum revenue desired/demanded by ransomware attackers is 100 million dollars.
- Sectors – Nearly 47% of ransomware attackers refused to buy access to companies from the health care and education sectors. Around 37% prohibited compromising the government sector, and 26% claimed they would not purchase access related to non-profit organizations.
- Access Type – Most ransomware operators are ready to buy all kinds of network accesses, with RDP and VPN being the most basic requirements. The other most common products enabling network access include Citrix, Palo Alto Networks, VMware, Fortinet, and Cisco.
Other Key Findings
- KELA found 48 active threads where actors claimed they are looking to buy different kinds of accesses. 46% of them were created in that month, illustrating the demand for access listings.
- 40% of the actors looking to buy accesses were identified as active participants in the ransomware-as-a-service (RaaS) supply chain – operators, affiliates, or middlemen.
- Ransomware attackers are ready to pay for access, with prices starting from $100 and going up to $100,000. The average minimum and maximum prices for access are $1,600 and $56,250, respectively. In addition, 32% of ransomware attackers are ready to pay a share of a ransom.
“Demand for access listings on cybercrime forums is growing, with more actors advertising they are ready to buy entry points to networks, sites, storage, and more. This is another proof of continuing servitization of cybercrime, especially ransomware-as-a-service (RaaS) operations that rely on different specialists to perform their attacks. However, it is crucial to remember that access to a company in the wrong hands may be exploited not only for deploying ransomware and stealing data but also for other malicious campaigns,” KELA added.