Ransomware has evolved into a booming underground economy — low risk, minimal barriers, and high rewards. Fueled by a sophisticated dark web marketplace, attackers now outsource critical components of their operations to specialized threat actors. Among the most notorious are Initial Access Brokers (IABs), ransomware affiliates who profit by selling direct access to compromised networks. In this post, we dive deep into the role these brokers play in enabling ransomware campaigns and why they are a prime target for disruption.
Understanding Initial Access Brokers: The Gatekeepers of Cybercrime
Partnering with IABs saves ransomware operators valuable time and resources by bypassing the effort of breaching vulnerable networks themselves. This allows attackers to focus on executing their campaigns and cultivating partnerships that enable more sophisticated, and often lower-risk, operations. While IABs existed prior to the pandemic-driven rise of remote work, the widespread adoption of remote access collaboration (RAC) tools has significantly expanded their opportunities.
IABs sell remote access to compromised systems, offering varying levels of entry to a range of cybercriminals, including ransomware operators. The growing popularity of ransomware-as-a-service (RaaS) models and the underground marketplaces that support them have made it increasingly difficult for law enforcement to track and apprehend these brokers. This lack of accountability makes the role of an IAB highly lucrative, as compromised networks, along with the tools and services needed to launch attacks, become widely accessible to malicious actors.
How Initial Access Brokers Work
IABs employ a range of tactics to expand their inventory of network access points. Common methods include:
- Exploiting vulnerabilities in remote access tools like Remote Desktop Protocol (RDP) and VPN applications
- Launching phishing campaigns to steal user or administrator credentials
- Deploying malware on endpoints through phishing attacks
- Mining credential dumps for corporate account information
- Conducting password spraying attacks using common or previously leaked username/password combinations
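The last tactic above has a distinctive signature in authentication logs: one source tries a small set of passwords against many accounts, so each account sees only one or two failures and per-account lockout never fires. The following detector is an added example written for this post, not code from Fortra or any product it describes. It assumes a constructed log format (`timestamp src=<ip> user=<name> result=OK|FAIL`) and constructed sample events; thresholds are illustrative.

```python
"""Flag password-spraying patterns in authentication logs (defender-side).

Assumed log format (constructed for this example): one event per line,
    <ISO-8601 timestamp> src=<ip> user=<username> result=<OK|FAIL>
A spray looks like many distinct usernames failing from one source inside a
short window, each account tried only a few times. A later success from the
same source is the signal that access was actually obtained.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 tries one password against six accounts and
# later logs in as 'dave'; 198.51.100.7 is a single user mistyping a password.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:05Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:07Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:09Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:11Z src=203.0.113.5 user=frank result=FAIL
2024-05-01T10:00:20Z src=198.51.100.7 user=grace result=FAIL
2024-05-01T10:00:25Z src=198.51.100.7 user=grace result=FAIL
2024-05-01T10:00:30Z src=198.51.100.7 user=grace result=OK
2024-05-01T10:45:00Z src=203.0.113.5 user=dave result=OK
"""


def parse_line(line):
    """Return (timestamp, src_ip, username, result) for one log line."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["src"], fields["user"], fields["result"]


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Return one finding per source IP whose failures look like a spray.

    A finding is raised when, within `window` of some failure, the source has
    failed against at least `min_users` distinct accounts while no single
    account was tried more than `max_per_user` times (that distinguishes a
    spray from a brute force against one account). Any later successful
    login from the same source is attached so responders can prioritise.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        for i, (t0, _, _, _) in enumerate(fails):
            in_window = [e for e in fails[i:] if e[0] - t0 <= window]
            per_user = defaultdict(int)
            for e in in_window:
                per_user[e[2]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                later_ok = sorted({e[2] for e in evs if e[3] == "OK" and e[0] >= t0})
                findings.append({
                    "src": src,
                    "start": t0.isoformat(),
                    "users_tried": len(per_user),
                    "later_success": later_ok,
                })
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_LOG):
        print(f)
```

Run against the sample, the detector reports only 203.0.113.5 (six accounts, one attempt each, followed by a successful login as `dave`); the repeated failures for `grace` from the second address stay below the distinct-user threshold and are ignored. In production the same logic runs over IdP or VPN authentication events, and the `later_success` field is what turns a noisy alert into an incident.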
Advertising Strategies
Once an organization’s credentials are verified and network access confirmed, IABs advertise target details to potential buyers on the Dark Web, often without directly naming the victim to avoid detection by security researchers or law enforcement. These listings typically include the level of access available and a market valuation, which ransomware operators use to estimate potential ransom demands.
Recently, IABs have shifted away from public dark web forums toward conducting business through private, invitation-only conversations. This change is driven by two key factors:
- Stealth: Increased pressure from law enforcement to crack down on ransomware families and their affiliates is causing IABs to conduct business with added caution. Multiple RaaS groups, such as the BlackMatter family, dismantled their infrastructure to avoid being apprehended. These actors often re-emerge later and resume their activity under new family names.
- Job opportunities: The value IABs bring to RaaS models is causing ransomware operators to proactively approach IABs about their offerings before access is advertised publicly. RaaS operators are even going as far as to put reputable IABs on their payroll.
In addition to the minimal price tag, the critical access to systems that an IAB provides makes their services enticing to ransomware operators, especially those with limited resources. The average ransomware payment continues to increase, and we can expect that demand for IABs will only grow.
What Can Enterprises Do About IABs?
For most enterprises, managing risks posed by IABs involves reducing the opportunities these actors have to exploit access points and leveraging threat intelligence to detect when access to their networks is being marketed. Key initiatives include:
- Identifying and patching vulnerabilities in remote access systems
- Detecting and blocking phishing campaigns and credential theft targeting enterprise accounts
- Monitoring dark web marketplaces and communication channels where network access is sold
- Mining credential dumps and proactively resetting compromised enterprise credentials
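The last initiative above has a practical wrinkle: a leaked credential only matters to the enterprise if the account exists and the leaked password is the one currently in use, so a good triage separates "reset now" from "stale leak" and "account we do not recognise". The script below is an added example written for this post, not code from Fortra or any product it describes. It assumes a constructed `email:password` combo-list format, a constructed directory that stores salted PBKDF2-SHA256 hashes as an identity provider might, and a made-up `example.com` domain.

```python
"""Triage a leaked credential dump against an enterprise directory.

Assumed dump format (constructed for this example): one "email:password"
pair per line, the way combo lists are usually distributed.
Assumed directory (constructed): lower-cased email -> (salt, PBKDF2 hash).
Every account, password and dump line below is made up.
"""
import hashlib
import hmac
import os

ENTERPRISE_DOMAIN = "example.com"  # assumed domain for this example
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt):
    """Salted PBKDF2-SHA256, standing in for whatever the IdP stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_directory(accounts):
    """Build the constructed directory with a fresh random salt per account."""
    directory = {}
    for email, password in accounts.items():
        salt = os.urandom(16)
        directory[email.lower()] = (salt, hash_password(password, salt))
    return directory


# Constructed current passwords, used only to build the directory.
DIRECTORY = make_directory({
    "alice@example.com": "Winter2024!",     # dump has the same password
    "bob@example.com":   "c0rrect-horse",   # dump has an old password
    "carol@example.com": "b4ttery-staple",  # not in the dump at all
})

# Constructed dump: mixed case, foreign domains, stale and current passwords,
# and one malformed line, since real dumps are never clean.
DUMP = """\
Alice@Example.com:Winter2024!
bob@example.com:Summer2019
dave@example.com:hunter2
someone@other.example:pass123
malformed line without separator
"""


def triage_dump(dump_text, directory, domain):
    """Bucket dump entries for `domain` by what action they require.

    reset_now       - account exists and the leaked password is current
    stale_leak      - account exists but the password no longer matches
    unknown_account - our domain, but no such account (typo, ex-employee,
                      or a guess); worth a look but not a reset
    """
    result = {"reset_now": [], "stale_leak": [], "unknown_account": []}
    suffix = "@" + domain
    for line in dump_text.splitlines():
        if ":" not in line:
            continue  # not an email:password pair; skip rather than guess
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if not email.endswith(suffix):
            continue  # someone else's users
        entry = directory.get(email)
        if entry is None:
            result["unknown_account"].append(email)
            continue
        salt, stored = entry
        # Constant-time comparison so the check itself leaks nothing.
        if hmac.compare_digest(hash_password(password, salt), stored):
            result["reset_now"].append(email)
        else:
            result["stale_leak"].append(email)
    for bucket in result.values():
        bucket.sort()
    return result


if __name__ == "__main__":
    for bucket, emails in triage_dump(DUMP, DIRECTORY, ENTERPRISE_DOMAIN).items():
        print(f"{bucket}: {emails}")
```

With the constructed data, `alice` lands in `reset_now`, `bob` in `stale_leak` and `dave` in `unknown_account`; the non-enterprise and malformed lines are ignored. The comparison is done against stored hashes rather than by attempting logins, so the triage itself never generates failed authentications or touches the production login path.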
Connect with Fortra Brand Protection to learn how we can help you stay ahead of these threats.