Ransomware keeps getting worse, which raises an obvious question: why? Part of the answer is that cryptocurrencies, most notably Bitcoin, have enabled a criminal underground with online marketplaces for illegal drugs, firearms and, disturbingly, advertised contract killings.
How does this economy fuel ransomware attacks, and, more importantly, what can individuals and organizations do to counter it?
Silicon Valley for Hackers
One feature of these black markets that is supercharging ransomware is the market for hacking services. In the past, hackers had trouble selling their services because bank transfers were relatively easy to trace. Cryptocurrency changes this: it is pseudonymous rather than truly anonymous, but it is far harder to trace than a wire transfer, so anyone can sell criminal services online with much less risk of being caught.
This lets hackers specialize in much the same way that legitimate industries do. For many companies, for example, it is far more efficient to use a cloud hosting provider than to run their own servers: a single, highly trained team maintains infrastructure for many customers instead of each company hiring and training dedicated staff.
Criminals and state-sponsored hackers are now achieving similar efficiency gains through specialization. Ransomware-as-a-service, in which developers lease their malware and payment infrastructure to affiliates who carry out the intrusions, is one major example. Initial access brokers, which could equally be called "access-as-a-service", are another.
How do initial access brokers work?
Initial access brokers specialize purely in breaking into networks. They use a number of strategies, including:
- Exploits. Brokers scan for outdated or unpatched software, such as internet-facing VPN appliances or web servers, and exploit known vulnerabilities to gain a foothold in the network.
- Exposed RDP. Another common tactic is to scan for Remote Desktop Protocol (RDP) services exposed to the internet (TCP 3389 by default) and brute-force or password-spray the logins. A surprising number of organizations and their employees still leave RDP reachable from the internet with no MFA, account lockout policy or VPN in front of it.
- Phishing. Brokers may trick employees into clicking a malicious link or opening an attachment, often by impersonating a colleague or a trusted organization.
- Insiders. Some gangs try to bribe people inside an organization to help them in. Disgruntled employees may also sell access on their own initiative.
Once a broker has a foothold, they sell it to any other criminal who wants into that network, for a price.
This means that practically anyone with money can buy access to corporate or government networks and attempt a ransomware attack, which dramatically increases the number of potential attackers roaming the internet.
How much do initial access brokers charge?
Brokers collect credentials such as usernames and passwords, VPN logins or RDP accounts and offer them for sale on dark web forums. Prices are surprisingly low: one study put the average price of access at under $2,000 USD.
The price varies with the type of access (e.g. RDP or VPN) and the size of the company. Larger companies with higher revenue, and higher-privilege access such as administrator-level credentials, command higher prices.
Studies also show that prices have been falling over time. This is probably because demand for initial access is high enough that more and more hackers are entering the market and competing on price.
What can we do about it?
All the usual security measures help keep initial access brokers out, but one of the most effective strategies is to change how networks are structured. Much of the value of bought access comes from what an intruder can do once inside: move laterally, escalate privileges and reach the systems that are worth encrypting.
If the network is segmented, with workstations, servers and administrative systems separated and only the traffic that is actually needed allowed between them, lateral movement becomes much harder and the value of the initial access drops.
Another strategy is honeytokens, or decoys. The idea is to plant low-hanging fruit, such as an apparently privileged account, a saved RDP connection or a credentials file, where a broker would find it, and to alert the moment anyone uses it. Because no legitimate user should ever touch the decoy, any use of it is a high-confidence signal of an intruder. This is especially valuable since initial access brokers are otherwise very hard to detect.
The most important thing you can do to keep access to your network off the black market is monitoring. Unauthorized access almost always leaves traces in the logs: storms of failed logons, logons from unfamiliar addresses or at unusual hours, newly created accounts. The difficulty is having someone, or some tooling, looking at those logs closely enough and quickly enough to act.
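To make the last two points concrete, here is an added example (not code from the original article) of what "looking at the logs" means for the two signals discussed above: an RDP brute force that eventually succeeds, and any use of a decoy account. The log format is a simplified key=value rendering of Windows Security events 4625 (failed logon) and 4624 (successful logon), constructed for this example rather than exported from a real host; the decoy account names and the failure threshold are assumptions.

```python
from collections import defaultdict

# Decoy account names planted for this example (assumption: no real user ever logs in with them).
HONEYTOKEN_ACCOUNTS = {"svc_backup_admin", "da_legacy"}

# Failed logons from one source before a subsequent success is flagged as a brute-force win.
FAILURE_THRESHOLD = 5

# Constructed sample log, not a real export. Each line: timestamp, Windows event ID
# (4625 = failed logon, 4624 = successful logon), account, source IP, logon type
# (10 = RemoteInteractive, i.e. RDP; 3 = network).
SAMPLE_LOG = """\
2024-03-01T02:14:01Z eid=4625 user=administrator src=203.0.113.45 type=10
2024-03-01T02:14:02Z eid=4625 user=administrator src=203.0.113.45 type=10
2024-03-01T02:14:03Z eid=4625 user=admin src=203.0.113.45 type=10
2024-03-01T02:14:04Z eid=4625 user=jsmith src=203.0.113.45 type=10
2024-03-01T02:14:05Z eid=4625 user=jsmith src=203.0.113.45 type=10
2024-03-01T02:14:06Z eid=4624 user=jsmith src=203.0.113.45 type=10
2024-03-01T08:03:11Z eid=4624 user=mlee src=10.0.4.22 type=10
2024-03-01T08:05:40Z eid=4625 user=mlee src=10.0.4.22 type=10
2024-03-01T09:21:17Z eid=4624 user=svc_backup_admin src=10.0.9.14 type=3
"""


def parse_line(line):
    """Split one 'ts key=value ...' record into a dict; eid becomes an int."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    rec["eid"] = int(rec["eid"])
    return rec


def analyze(log_text, threshold=FAILURE_THRESHOLD, honeytokens=HONEYTOKEN_ACCOUNTS):
    """Return alerts for decoy-account use and for brute force followed by a success."""
    alerts = []
    failures = defaultdict(int)  # source IP -> failed logons since its last success
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        user, src, eid = rec["user"], rec["src"], rec["eid"]

        # Any touch of a decoy account, successful or not, is a high-confidence alert.
        if user.lower() in honeytokens:
            alerts.append({"type": "honeytoken", "user": user, "src": src, "ts": rec["ts"]})

        if eid == 4625:
            # Count per source, not per account, so password spraying across many
            # accounts from one IP is caught as well as hammering a single account.
            failures[src] += 1
        elif eid == 4624:
            if failures[src] >= threshold:
                alerts.append({"type": "brute_force_success", "user": user, "src": src,
                               "ts": rec["ts"], "failures": failures[src]})
            failures[src] = 0
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the sample, this raises two alerts: the success from 203.0.113.45 after five failures spread across three account names, and the logon as svc_backup_admin from 10.0.9.14. The single failed logon from 10.0.4.22 is below the threshold and produces nothing, which is the point of counting per source rather than alerting on every 4625. In a real deployment the same logic would run over events shipped from every host to a central collector, and the threshold would be tuned against the baseline of ordinary typos.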
The more sensitive the data your organization handles, the more important it is to be aware of the threat of initial access brokers and take appropriate measures.