Shady deals: The destructive relationship between network access sellers and ransomware groups
October 12, 2020
Ransomware groups are taking advantage of opportunities to purchase network access on dark web forums to quickly compromise networks across a variety of industries and unleash their disabling malware. Network Access Sellers’ expertise lies in the ability to gain corporate and government network access, which they then sell to other cyber-crime groups for a handsome profit. These cyber-crime groups can use purchased network access to slash the typical difficult requirement of gaining initial access, establishing persistence, and moving laterally across a network.
Network Access Sellers typically develop an initial network vulnerability and infiltrate the victim network to gain complete corporate network access. Once that access is gained, the network access sellers sell it on dark web forums, usually for anywhere between US$300 and US$10,000, depending on the size and revenue of the victim.
The majority of network access offerings are advertised on underground forums with some or all of the following information:
The amount of information provided can occasionally lead to the identification of the victim.
Accenture CTI assesses that the network access market has been driven by the increased diversity of ways that data can be monetized. Previously, cyber criminals wishing to make a profit on underground forums primarily targeted financial data due to its ease of monetization. However, the Nikolay threat-group (aka Fxmsp) popularized selling network accesses beginning in 2018 by proving there was a large demand for their service and that regular sales could be highly profitable. Although financial data remains central to underground economies, sensitive Personally Identifiable Information (PII) and company data, or the promise of access to this data, is profitable because this data can be further monetized through direct sale or by holding it ransom.
Since the start of 2020 and the emergence of the now-popular ‘ransomware with data theft and extortion’ tactics, ransomware gangs have successfully utilized dark web platforms to outsource complicated aspects of a network compromise. A successful ransomware attack hinges on the development and maintenance of stable network access which comes with a higher risk of detection and requires time and effort. Access sellers fill this niche market for ransomware groups.
As of September 2020, we actively track more than 25 persistent Network Access Sellers as well as the occasional one-off seller, with more entering the scene on a weekly basis. Network Access Sellers operate on the same forums as actors associated with the ransomware gangs Maze, Lockbit, Avaddon, Exorcist, NetWalker, Sodinokibi, and others.
We assess with high confidence that this ecosystem will continue to thrive, so long as reputable, invite-only dark web forums provide the platform on which network access sellers and ransomware gangs can securely exchange goods and services.
Tracking network access sellers across different platforms has allowed us to observe evolving trends:
<<< Start >>>
<<< End >>>
Network access selling has progressed from a niche underground offering throughout 2017 to a central pillar of criminal underground activity in 2020. Although it is difficult to prove that an advertised network access is linked to a specific ransomware attack, from analysis of threat actor activity we assess with high confidence that some of the accesses are being purchased by ransomware groups and affiliates, thereby enabling potentially devastating ransomware attacks on corporate entities.
While compromised RDP connections remain the primary initial entry vector used by Network Access Sellers, these actors are increasingly diversifying their methods which poses a threat to current mitigation efforts, and substantially expands a corporation's exploitable attack surface.
We assess with high confidence that the relationship between initial access broker and ransomware group will continue to thrive in 2020 and beyond, earning the threat actors behind it huge profits. This symbiotic relationship facilitates continuous targeting of government and corporate entities and streamlines the network compromise process, allowing cyber criminals to act quicker and more efficiently.
Industry-wide action is necessary to disrupt this new, highly destructive ecosystem. To help reduce the risk of network compromise and ransomware attacks, businesses are advised to adhere to the following steps, where appropriate:
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.