Initial access market analysis

Our experts studied the shadow market for initial access to corporate infrastructure.

Kaspersky's experts studied adverts on the darkweb and found out how much access to your company's infrastructure can cost.

When the media reports about a company being attacked by ransomware, many folks imagine that cunning hackers first wrote dangerous malware, then searched long and hard for a way to hack the company, and finally encrypted its confidential data. Because of this, some business owners are still convinced that their company is not interesting enough for attackers to spend so much resources on hacking it.

In reality, things couldn’t be more different. A modern attacker in fact doesn’t write the malware himself, but rents it, and he doesn’t spend resources on hacking — he simply goes to the shadow market of initial access brokers. Experts in our Digital Footprint Intelligence service decided to find out how much money changes hands when cybercriminals buy and sell access to company infrastructure.

How much for access?

So how much do attackers spend when buying access to your infrastructure? This depends on many factors, but the most significant one is your company’s revenue. After analyzing about two hundred adverts on the darknet, our experts came to the following conclusions:

  • most ads offer access to small companies;
  • almost half the ads offer access for less than $1000;
  • cases where access is sold for more than $5000 are quite rare;
  • the average cost of access to large companies ranges between $2000 to $4000.

For sure, those are hardly enormous sums of money. But ransomware operators expect to reap in much greater sums from their blackmailing endeavors, so they are at least willing to spend this much on initial access. It seems to be the market price that’s been settled on through organic supply-and-demand and widely-known purchasing power.

What’s for sale?

Attackers offer different types of access. Sometimes it’s information about a vulnerability that can be exploited for access. Other times it’s credentials for accessing Citrix or the site’s hosting panel. But in the vast majority of cases (in more than 75% of ads) they offer a variant of access via RDP (sometimes in conjunction with a VPN). Accordingly this option of remote access to the company’s infrastructure should be treated with increased attention.

Where do the bad guys get hold of access?

There are many options for obtaining initial access. Sometimes cybercriminals use the simplest way: password mining. But most often they send phishing emails to employees, or emails with malicious attachments (spyware, or, for example, stealers, which automatically collect credentials, authorization tokens, cookies, and so on from infected devices). Sometimes attackers also exploit known vulnerabilities in software before administrators patch it.

Detailed results of the study, with examples of real initial access ads, can be found in the report on the Securelist website.

How to stay safe?

Since most often the subject of sale is remote access to a company’s infrastructure via RDP, it is this that should be protected first of all. Our experts give the following recommendations:

  • organize RDP access only through VPN;
  • use strong passwords;
  • use Network Level Authentication (if possible);
  • use two-factor authentication for all critical services.

In order to make passwords less likely to be leaked through phishing, it’s also recommended to use reliable security solutions with an anti-phishing engine both on employee devices and at the mail gateway level. And to be on the safe side, periodically raise your personnel's cybersecurity awareness.

In addition, it’s quite useful to find out if someone is already discussing ways of accessing your company’s infrastructure on the darknet, so monitoring such activity is advised. It is such monitoring that our Digital Footprint Intelligence service carries out.