Irish Information Security Forum

Initial Access Brokers Key to Rise in Ransomware Attacks

Source: recordedfuture.com


This report provides an overview of the tactics, techniques, and procedures (TTPs) used by cybercriminals on dark web and special-access sources to compromise networks, deploy infostealer malware, and obtain valid credentials. These threat actors, dubbed “initial access brokers”, represent a specialized industry within the cybercriminal underground that enables a significant majority of ransomware attacks.


This report includes information gathered using the Recorded Future® Platform, dark web sources, and open-source intelligence (OSINT) techniques. This is a high-level summary of the chain of events that enable a ransomware attack. It is intended to provide an overview for cybersecurity professionals with non-technical backgrounds or roles.


Executive Summary


Threat actors can gain initial access to networks through infostealer malware infections, initial access brokerage services on dark web and special-access forums, or the purchase of infostealer logs from dark web shops and marketplaces. Other attack vectors, such as phishing, spearphishing, and code injection, are also common on dark web and special-access forums, but their immediate effects are often much less public and visible than the sale of compromised credentials. Using BlackMatter and Conti as examples, we examine the role of credential access in the execution of the attack, from initial access to ransomware deployment. We provide mitigations for credential breaches, infostealer malware infections, and ransomware attacks, as well as our assessment of the future of these tools and the larger ransomware threat landscape.


Key Judgments


  • To conduct a successful ransomware attack, threat actors require remote access to compromised networks. The most common method by which threat actors obtain access is through the use of compromised valid credential pairs, which are often obtained via infostealer malware and sold on dark web and special-access sources.
  • Compromised credentials are often sold on dark web and special-access forums and shops to ransomware affiliates, who use such access to move laterally through systems, escalate privileges, and use malware loaders to deploy ransomware.





Threat actors require remote access to compromised networks to conduct successful attacks, such as malware loader deployment, data exfiltration, or espionage campaigns. These compromised access methods, often sold on dark web and special-access forums, are the work of specialized threat actors colloquially referred to as “initial access brokers” (IAB). IABs use several tools and TTPs to obtain such access, including obtaining valid credential pairs and session cookies from the successful deployment of infostealer malware, the purchase of infostealer “logs” or “bots” on dark web shops, credential stuffing, adversary-in-the-middle attacks, phishing, remote desktop protocol (RDP) “brute force guessing”, and more. The most common credential pairs that appear for sale or auction on top-tier dark web and special-access sources, such as Exploit and XSS, are for corporate virtual private networks (VPNs), RDP services, Citrix gateways, web applications and content management systems (CMS), and corporate webmail servers (business email compromise, or BEC). Less common, but more sought-after, are ESXi root and Active Directory (AD) access methods, zero-day and n-day vulnerabilities, code injection points (HTML, SQL), and others. This report will outline the typical process by which an initial access broker obtains compromised access methods and sells them on dark web and special-access sources, and the use of such methods to conduct a successful ransomware attack.




