
Credential Markets and Initial Access Brokers

Initial Access Brokers (IABs) are threat actors who sell network access to ransomware groups (and other cybercriminals). Brokering access is one of the cottage industries that has seen tremendous growth thanks to ransomware.

IABs and Ransomware

Despite the rapid growth of Initial Access Broker (IAB) activity, relatively little is known about the size and scope of the market. Estimates for 2020 range from $2.4 million (Footnote 1) to almost $5 million (Footnote 2). Both of those estimates are likely low, as many IABs prefer to communicate over private channels rather than sell their offerings in public.
As challenging as it can be to track IABs, getting a handle on this market is important because it acts as a force multiplier for ransomware affiliates. If affiliates don't have to spend their time scanning for victims and gaining initial access themselves, they can target more organizations at a time, which increases their chances of success.

The Growth of IABs Is Directly Tied to Ransomware

IABs have been around for more than a decade, but until late 2019 or early 2020 they were really a niche offering. Most ransomware actors didn't need direct access to a victim network, as they deployed the ransomware on a single machine. Other types of cybercriminals, such as carders (cybercriminals who steal credit card information to sell or to make purchases), often rely on access to credit card processing networks to steal data. But most cybercriminals were fine using automated tools to steal the data they needed.

The move to "Big Game Hunting" tactics by ransomware actors in 2018 and 2019, along with the increase in the number of Ransomware-as-a-Service (RaaS) offerings, led to increased interest in IABs. IABs went from a niche service to one that is necessary for ransomware to continue at its breakneck pace, and they are very much in demand. At any given time, across dozens of underground forums, there are IAB advertisements offering access to hundreds of companies.

And those are just the low-level IABs.

Once IABs have proven themselves, or have sold multiple accesses to ransomware groups and their affiliates, they are sometimes recruited to work directly for the ransomware operators. When that happens, the IAB stops advertising publicly on underground forums (but, as with other cybercriminal activity, there is always someone to take their place).

Beyond those who work directly for ransomware groups, some of the most experienced IABs operate on private channels. These IABs have built up enough repeat business that they no longer want to operate openly.

IABs only sell their access to a single buyer (at least if they want repeat customers). The reason is that having two different cybercriminals conducting attacks on the same network, possibly with similar toolsets, increases the likelihood of detection or, at the very least, the likelihood that a tool conflict will cause a Blue Screen of Death (BSoD) and both cybercriminals will lose access.
Posts from XSS (formerly DamageLab) forums looking to buy access to organizations or companies (left side is the original Russian, right side is the English translation)
IABs are in so much demand that advertisements looking to buy initial access often outnumber advertisements looking to sell it. The image above shows a series of posts in the "ДОСТУПЫ" (ACCESSES) section of the well-known Russian hacking forum XSS. The majority of the recent posts on that day were from forum users looking to buy access to organizations or companies: demand has outstripped supply.

This image shows a typical advertisement selling access. This example is also from the XSS forums and was originally written in English.

The seller wants to provide just enough information to make the target attractive, but not so much info that outsiders can figure out who the victim is.
A user on the Russian XSS forum selling access to the network of a state government

Forum members have gotten wise to the activity of governments and threat intelligence companies, who monitor the forums looking for exactly these kinds of advertisements. When anti-ransomware organizations recognize a victim, they warn it to look for an intruder on its network and remove the intruder, ideally before the access is sold.

Early on, IABs would often take text directly from a victim organization's website to describe the victim in the ad. But it became too easy for threat intelligence companies and governments to figure out who the victim was and notify them, so IABs have had to alter their descriptions so as not to reveal too much.

Because the subject line is "US State Gov Access", the Multi-State Information Sharing and Analysis Center (MS-ISAC) would have seen it and notified its members to watch out for this potential intrusion. Further down the thread, the seller offers to share proof of the type of credentials collected or accesses available from the target.
Same thread as the image above, where the seller is offering to share samples
Buyers will often ask for proof of the available access to verify that it’s legitimate, especially if the seller isn’t widely trusted. Law enforcement and other analysts that monitor these forums also ask for sample data to see whether they can use the additional information to determine the identity of the victim and warn them.

This image shows another example of an advertisement. This one was also posted in English, for a hotel in the United States. This seller collected samples and network information and was offering to share them via private message only. This is a safety precaution used by more experienced sellers: it allows them to vet potential buyers to ensure they are, for lack of a better term, "legitimate." In other words, the seller is attempting to weed out law enforcement and security researchers so they don't lose their access before they sell it.
XSS forum advertisement for access to a hotel in the United States (name of the hotel blacked out to protect anonymity)

This seller saw much faster success than the seller in the ad in the second figure. This seller posted their ad late on a Tuesday and by Thursday of that same week had sold the access. That's a relatively quick turnaround for a seller who had registered on the forum less than a month before posting the advertisement, and this was their first post. The fact that they were selling access to a potentially lucrative victim helped drive the sale.

Ordinarily, a new user like this offering remote access for sale would be met with some level of skepticism or have a higher bar to prove they're "legitimate." But IABs are in such high demand right now that even experienced cybercriminals will often trust newer users in the hope of lining up their next victim quickly.
Of course, these underground or hacking forums have a feedback system, a lot like eBay. If this user gets enough complaints or negative reactions, they’ll quickly lose the trust of the community and likely be banned from the forum (but like eBay, banned users can simply make a new account and jump back on).

The Size of the Underground Stolen Credential Market

While the growth of the IAB market can easily be tied to ransomware, the credential marketplace existed long before ransomware became popular and will be around as long as services require usernames and passwords. Ransomware actors and IABs rely on stolen credentials, too. But ransomware is only one use of the stolen credential market.
By some estimates, there are as many as 15 billion stolen credentials being sold on underground marketplaces. That estimate is simultaneously inflated and underreported. It’s inflated because many credential dumps, as they’re often called, are simply repackaged from older credential dumps. Every now and then a story will go around about how a threat actor is trying to sell a database they claim contains X billion usernames and passwords. When the data is examined it almost always contains information from earlier breaches, repackaged and presented as new. That being said, the number of stolen credentials available is also underreported because no one organization has a complete view of underground markets, especially those that require special access. So, there are many credential dumps being sold that are only seen by a small group of people.
Advertisement on Raid Forums selling access to users of a Mexican bank
Another advertisement on Raid Forums selling access to “high quality” Bulgarian databases. An example of a country-specific credential dump. These credentials could be stolen from government agencies or organizations specific to the country.
Similar to IAB advertisements, credential advertisements can be found in many underground markets. The above figure is an example from Raid Forums in which the seller is offering customer data from a Mexican bank. With credential dumps, the seller often has to include more information to entice buyers. Unlike IAB sellers, though, sellers in credential markets will sell to more than one buyer. While a lot of IABs prefer not to attract attention because it may risk the access they're trying to sell, many credential sellers, like the one above, want the attention. They thrive on the notoriety because it brings more buyers to their sale.
Advertisements like these appear across many hacking or underground forums, making it trivial to find access to almost any organization that has email addresses.
Executive Corner

Employee Credentials Are Being Sold in Credential Marketplaces

Even though it’s almost impossible to know the true number of leaked credentials available on underground markets, everyone agrees it’s a lot. This means that your organization has quite likely leaked credentials for sale somewhere. Every leaked credential is a potential ransomware attack.

You need to start scanning for these leaked credentials and take measures to reduce risk when they’re discovered. Unfortunately, too many organizations aren’t doing this, which means they’re at higher risk for a ransomware attack. If your organization already uses a threat intelligence service, they can most likely provide you with that scanning service. If not, there are a number of free or low-cost offerings that can alert you to new credential leaks for everyone in your domain.

One offering available to everyone is Troy Hunt's Have I Been Pwned (HIBP) domain search, which will send you alerts anytime someone from your organization appears in a credential dump.
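A way to do the scanning described above for individual passwords, as an added example that is not part of the original page: it uses HIBP's Pwned Passwords range endpoint (a different HIBP service from the domain search mentioned above), which receives only the first five characters of the password's SHA-1, so the password itself never leaves your network. The URL and header names are the real endpoint's; the sample response body is constructed so the demo runs offline.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Fetch the range for a hash prefix; only these 5 hex characters ever leave the host."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        # Add-Padding asks the service to mix in zero-count dummy rows so response size leaks nothing.
        headers={"User-Agent": "credential-hygiene-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def count_from_range_body(body, suffix):
    """Parse 'SUFFIX:COUNT' rows; return the breach count for our suffix, 0 if absent or padding."""
    suffix = suffix.upper()
    for line in body.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix and count.strip().isdigit():
            return int(count)  # padding rows carry 0, which correctly reads as "never seen"
    return 0


def check_password(password, fetch=fetch_range):
    """Return how many times the password appeared in known breaches (0 = not found)."""
    prefix, suffix = split_sha1(password)
    return count_from_range_body(fetch(prefix), suffix)


if __name__ == "__main__":
    # Constructed offline stand-in for a range response (real rows are 35 hex chars : count).
    _, known_suffix = split_sha1("password")
    sample_body = known_suffix + ":3730471\r\n0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    print(check_password("password", fetch=lambda p: sample_body))  # 3730471
    print(check_password("correct horse battery staple", fetch=lambda p: sample_body))  # 0
```

Drop the `fetch=` argument to query the live service; a non-zero count means the password should be rejected or rotated.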

Password Reuse

The reason that credential dumps are such an effective initial access vector for ransomware and other cybercriminal groups is that people tend to reuse passwords, even passwords for their work-related resources and tools. Even if an organization itself isn't breached, employees often use their work email addresses to sign up for outside services and use the same password for both work accounts and outside services. If that organization is breached, it could result in a ransomware actor having multiple credential pairs to try to gain initial access.

The rapid increase in the use of remote access during the COVID-19 pandemic has made password proliferation worse for most people. Researchers found that at the end of 2020, people had an average of 100 passwords to remember, up 25% from the beginning of the year. Remembering all of those passwords is almost impossible, which is why most people either reuse passwords or use a password manager.
Some of the challenges associated with password reuse can be mitigated with password rotation policies. However, many security experts, along with both Microsoft and NIST, now advise against password rotation policies, contending that there is "… no point to forced password changes …". There are two problems with password rotation policies:
1. They add to the number of passwords users have to remember, exacerbating the problem.
2. People usually find shortcuts to circumvent the policy.

To the second point, many users who are forced to change their password every 60 or 90 days stick with a base password and add an identifier after it. So, if their dog's name is Friskey, their passwords for the year will be FriskeyQ12022, FriskeyQ22022, FriskeyQ32022, and FriskeyQ42022. An IAB or ransomware actor who uncovers an employee password such as FriskeyQ42015 in a credential dump knows that, if the employee is still at the same organization, their current password likely follows the same pattern.

It seems like a contradiction to say that some challenges can be mitigated with a password rotation policy and then point out that the best advice available is not to have one. Both statements can be true. If an organization isn't going to implement the other steps outlined in this section to protect against password stuffing and reuse attacks, password rotation provides a little bit of added protection. The better option is still to implement the solutions outlined here.
Credential monitoring combined with multifactor authentication and single sign-on environments can alleviate many challenges associated with credential reuse, as can providing employees with access to password managers.


How IABs and Ransomware Actors Use Stolen Credentials

In September 2019, the Northshore School District in Washington State was hit with Ryuk ransomware. The school district wound up not paying the ransom and spent months recovering. Twice in the months leading to the ransomware attack, remote access to the network was listed for sale in underground forums. It’s likely that if Ryuk hadn’t used the credentials for initial access, another ransomware group would have.

On April 29, 2021, a REvil affiliate or IAB used a login and password discovered in a password dump to log into a VPN belonging to Colonial Pipeline. The employee associated with that account no longer worked there, but the account hadn't been deactivated on the VPN, and multifactor authentication wasn't implemented. On May 7, 2021, eight days later, REvil or one of its affiliates launched a ransomware attack against Colonial Pipeline that started a domino effect, leading gas stations up and down the East Coast of the United States to run out of gas, though most of the shortage was caused by people panic-buying gasoline.
The irony is that the ransomware group was likely not targeting Colonial Pipeline; they were looking for any exposed system they could log into. Based on the initial access used in similar ransomware attacks, informed speculation is possible: the IAB or affiliate was probably scanning for certain systems, perhaps the VPN product used by Colonial Pipeline. They found VPN systems exposed to the Internet that they could log into, or, more accurately, found thousands of matches. They started going through those targets looking for a victim that might result in a large ransom payment. They saw Colonial Pipeline and searched for Colonial Pipeline in credential dumps. Given that Colonial Pipeline has almost 900 employees, they probably found dozens of credentials. The IAB or affiliate tried all of those credentials until they found one that worked.
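An added detection example, not from the page, covering the two conditions the Colonial Pipeline account illustrates: a successful VPN login by an account that HR offboarded but nobody disabled, and a successful login with no second factor. The log format, hostnames, users and addresses are constructed for the demo; a real gateway's log needs its own parser.

```python
import re

# Constructed sample VPN authentication log (syslog-like). Hosts, users and
# addresses are invented; this is not data from the Colonial Pipeline incident.
VPN_LOG = """\
2021-04-29T06:12:03Z vpn-gw1 auth user=jdoe result=success mfa=none src=203.0.113.44
2021-04-29T06:12:40Z vpn-gw1 auth user=asmith result=success mfa=totp src=198.51.100.7
2021-04-29T06:15:11Z vpn-gw1 auth user=rlee result=failure mfa=none src=203.0.113.44
2021-04-29T07:02:55Z vpn-gw1 auth user=bwong result=success mfa=none src=192.0.2.19
"""

# Constructed HR offboarding export: account -> last working day. In practice this
# comes from the HR system or the directory's account-disabled attribute.
OFFBOARDED = {"jdoe": "2021-01-15", "rlee": "2020-11-30"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+) src=(?P<src>\S+)$"
)


def parse_vpn_log(text):
    """Parse log lines into dicts; lines that do not match the expected format are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def find_risky_logins(events, offboarded):
    """Return (kind, user, timestamp, source) for each successful login that is either
    'orphaned-account-login' (HR says the account should be gone) or 'login-without-mfa'.
    Failed attempts are ignored here; they belong in a separate brute-force detection."""
    findings = []
    for ev in events:
        if ev["result"] != "success":
            continue
        if ev["user"] in offboarded:
            findings.append(("orphaned-account-login", ev["user"], ev["ts"], ev["src"]))
        if ev["mfa"] == "none":
            findings.append(("login-without-mfa", ev["user"], ev["ts"], ev["src"]))
    return findings


def offboarded_accounts_seen(events, offboarded):
    """Offboarded accounts that still appear in the gateway's auth log at all: confirm each
    is disabled on the VPN itself, not only in HR, even when the attempt failed."""
    return sorted({ev["user"] for ev in events if ev["user"] in offboarded})


if __name__ == "__main__":
    events = parse_vpn_log(VPN_LOG)
    for finding in find_risky_logins(events, OFFBOARDED):
        print(*finding)
    print("check on gateway:", offboarded_accounts_seen(events, OFFBOARDED))
```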

Remember that ransomware groups, for the most part, don't target specific organizations. Instead, they target technologies they can exploit, or launch credential stuffing and credential reuse attacks. But ransomware groups are sophisticated enough to distinguish between good and bad potential targets, as discussed on the "Anatomy of a Modern Ransomware Attack" page. After the scans launched by the IAB or affiliate complete, the attacker goes through the list of potential targets and cherry-picks the victims that are likely to be the most profitable or the easiest to access.

Credential dumps can also be useful during the reconnaissance phase of a ransomware attack. Although ransomware groups have a lot of useful tools that allow them to get administrative access to networks, those tools often create a lot of noise in the organization's logs. If the ransomware affiliate can find administrative credentials in a credential dump, reconnaissance becomes a lot easier: they can use those credentials to create more administrative accounts and further solidify their access while stealing files, before launching the ransomware.
Another way that ransomware actors can gain needed credentials is through phishing campaigns, which is discussed on the "Phishing Attacks" page.

This site is adapted from a book on ransomware, Ransomware: Understand. Prevent. Recover.