KELA’s 100 Over 100: September 2020 in Network Access Sales

Raveed Laeb, Product Manager and Victoria Kivilevich, Threat Intelligence Analyst

While ransomware attacks are on the rise, more and more initial network accesses are being sold in underground forums every day, partially becoming an initial entry point for ransomware operators. Following KELA’s research about initial access brokers, we’ve decided to analyze some of the accesses sold over September 2020 to build a comprehensive picture of the activities in this field.

Major takeaways are:

  • Initial network access is a general term that refers to remote access to a computer in a compromised organization. Threat actors selling it – initial access brokers – are linking opportunistic campaigns with targeted attackers, namely ransomware operators.
  • KELA traced over 100 initial network accesses put on sale by threat actors for one month – three times more than in August 2020. The cumulative price requested for all accesses surpasses $500,000.
  • Of these network access listings, KELA found that at least 23% were reported as sold by the actors for cumulative revenue of nearly $90,000.
  • While establishing a list of the top 5 most expensive accesses and the TTPs of their sellers, KELA examined a hypothesis that the price depends on the victim’s revenue and the level of privileges gained through access. Domain admin access can be 25-100% more expensive than user access.
  • Initial access brokers’ public activity on cybercrime communities provides rare visibility into the inner workings of threat actors; this visibility should be leveraged by network defenders in order to understand the threat landscape and prioritize defense mechanisms accordingly. Moreover, passing network access from one the initial access broker to a ransomware affiliate effectively splits the exploitation process into two distinct phases – a TTP that may be invaluable during threat hunting and adversary simulation.