Monitoring Network Access Sales for Impending Ransomware Attacks

5 minute read

While law enforcement authorities scored big wins against the cybercriminal groups Egregor and Netwalker earlier this year, ransomware attacks remain a persistent threat to the security and reputation of organizations around the world. In March 2021 alone, ZeroFox recorded over 160 targets who were “named and shamed” across 15 different data leak sites run by ransomware operators engaged in double extortion, an increasingly popular tactic of exfiltrating data before crypto-locking a network and threatening to release sensitive stolen information on the dark web. Yet the success of even an illicit business like ransomware still relies on the quality of its people for day-to-day operations. 

Rise in Ransomware

The first quarter of this year continues to show the outsized importance of specific buyers and sellers of network access, increasingly known as “Initial Access Brokers” (IABs), in the supply chain of ransomware attacks. Given the close business relationship between these brokers and ransomware operators, identifying a potential network access sale may give critical early warning for an impending ransomware attack.

Figure 1: Number of ransomware victims per family in March 2021

Initial Access Brokers

In recent years, ransomware operators are increasingly dependent on purchased initial access to gain a foothold into targeted networks, from which they can then perform the lateral movement to advance their access privileges and deploy their attacks. Using initial access brokers enables threat actors to avoid the time-consuming, laborious process of finding victims and attempting to hack them. Many cybercriminal groups have started affiliate programs, such as Avaddon on Exploit, to entice the best hacking talent to work with them on ransomware operations. A steady stream of initial access to various networks is negotiated in exchange for a cut of the profits from ransom payments. Another prolific operator, Revil, even provided close to a million dollars to XSS in September 2020 as part of a new recruitment drive for partners.

Figure 2: Advertisement on a popular hacking forum from the ransomware operators, Avaddon

Network Access Sales Explained

ZeroFox most frequently observes public-facing sellers offering access to Remote Desktop Protocols (RDP) and Virtual Private Networks (VPN). Many VPN and RDP offers also boast remote code execution (RCE) vulnerabilities with access to Citrix networking and other virtualization products. Often though the type of access is not specified. Instead the level of access that a buyer could gain, either user or admin, is shared to entice buyers. The most active access brokers often create running threads on forums like Exploit or XSS and update them with their latest accesses for sale at prices of thousands of dollars. They occasionally reveal their methods for acquiring valuable access, such as mass scanning techniques for unpatched systems with critical vulnerabilities and the abuse of popular penetration testing tools. Forum activity is only a small visible subset of the overall network access market, which operates more privately via direct messaging and covert channels like Telegram and Jabber.

Figure 3: A user on a popular hacking forum selling access to compromised networks

ZeroFox closely monitors such forum threads and posts for any disclosed details that may unmask the targeted networks of these access sales. Hacker forum moderators typically demand at least a minimum amount of information on a target, including country, industry, and revenue. So far this year, ZeroFox has detected the suspected names of nearly two dozen corporate and government targets of network access sales through the careful correlation of threat actor language with open source research. Given the close business relationship between initial access brokers and ransomware operators, identifying a potential network access sale may give critical early warning for an impending ransomware attack. For example, in March 2021, ZeroFox identified two network access targets for sale on XSS who succumbed to ransomware attacks by the Avaddon and Revil cybercriminal groups a few weeks later.

Figure 4: Users on multiple forums selling access to compromised networks and accounts

Conclusion and Recommendations

As more cybercriminals seek their own slice of the lucrative network access market, ZeroFox anticipates additional opportunities to thwart the supply chain of ransomware attacks through early warning detection and reporting. Security teams should remain diligent in monitoring for potential signs of compromised account and network security, and ensure appropriate detection and incident response capabilities are in place.

Recommendations for Security Teams

  • Review network logs for communication potential signs of compromise and data egress
  • Always verify the sender of suspicious or unexpected emails and messages
  • Never download attachments from unknown senders or suspicious emails
  • Never click on links or enter credentials when prompted unless you have checked the URL and purpose of the request is legitimate
  • Leverage a dark web monitoring solution to quickly identify compromised credentials and data leakage
See ZeroFox in action