On 18 January 2021, access to the American mining technology company Gyrodata was sold on the dark web. A month later, DarkSide, a ransomware group, claimed it had successfully conducted a cyberattack on Gyrodata.
It all began with “Babam”, an Initial Access Broker.
Today, hackers are increasingly structured in organized crime groups that copy some of the aspects of legal activities (customer support, marketing…).
And like in a market economy, each group has its own specialty.
Here is a little deep dive in the world of hackers with a focus on Initial Access Brokers in order to understand who they are, what they do (and how) and what are some of the ways to protect your company.
Browsing forums on the dark web, you can find this kind of ad.
It’s a listing of various companies, in different countries (Jordan, Thailand, Saudi Arabia…) with the number of employees, the company’s revenue, a type of access and a price.
This kind of ad is typical of an Initial Access Broker. A gang of hackers who sell access to a company’s IT system to other hackers in order to enable them to conduct a cyberattack on that target.
Initial Access Brokers sell access to companies like for example:
These can then be used to conduct cyberattacks with varying goals: cybers espionage, botnet setup, data theft… But mostly deployment of ransomware.
The price will vary based on the level of privilege of the access sold and the target company. Based on a survey by Kela, the average access costs $4600, and once sold a ransomware attack can occur in the month following the sales.
Some Initial Access Brokers have even refined their pricing model to include a percentage of any ransom paid following a ransomware attack.
All in all, Initial Access Brokers save ransomware groups from having to obtain a first foothold in a company, to conduct lateral movement and to reach a certain level of persistence. With this assistance, ransomware groups can focus on managing their affiliates and developing their payloads.
How do these groups obtain privileged accesses? They have a wide range of techniques among which:
Let’s look at an example of this last technique: the group Exotic Lily (often linked to the ransomware group Conti). Here is the group’s technique to obtain accesses via phishing (and especially spear-phishing):
Exotic Lily conducts targeted attacks which include spoofing of employees or companies in order to gain the target’s trust. The group’s email phishing campaigns are mainly run by human operators (the analysis of the group’s communication logs indicates that its operators mainly work a 9 to 5 and… don’t work on the weekends). It’s an effective spear-phishing approach that differs from the mass phishing attacks of other groups.
We can highlight the following aspects of Exotic Lily’s approach:
This progressive and targeted approach is difficult to detect or block by relying simply on antispam software or a secure IT network.
There’s a real risk of having Initial Access Brokers provide access to your company in order for other groups to conduct a ransomware attack.
Fortunately, there are certain steps that can help decrease this risk:
Here are 10 must-haves for any training to be effective at lastingly changing users' behavior with regard to phishing attacks.
What is OSINT (Open Source INtelligence) and how do hackers use it for their phishing attacks?
What are SPF, DKIM and DMARC? How do they contribute to setting up protection against phishing attacks and how can you set them up for your company domain?