Who’s driving ransomware’s accelerated growth in 2025


Ransomware reports in 2025 are on pace to exceed last year’s numbers, with more than 500 global incidents taking place in the month of January alone. In total, 2024 saw 5,461 attacks, 15% more than 2023. While ransomware’s continued growth can be attributed to a number of factors, the role of the initial access broker (IAB) should not be understated or ignored.

An IAB is a threat actor who specializes in acquiring internal access to organizations and selling that unauthorized access on the dark web. IABs play a critical role in allowing a wider range of threat actors to engage in high-risk cyber threats like ransomware attacks by doing the initial legwork of infiltrating the organization. By lowering this barrier to entry, threat actors can increase not only the volume of their attacks but also the speed at which they deliver them. The following is a look into IAB tactics, their relationships with ransomware groups, and the services they offer.

Exploitation of vulnerabilities 

IABs can gain access to internal systems through well-known attack vectors like phishing, social engineering, credential leakage, stealer logs, brute-forcing tools, and more. They are skilled at exploiting known vulnerabilities in software and systems to gain initial access, often using automated tools to scan for and identify vulnerable systems. Commonly exploited vulnerabilities include those in Remote Desktop Protocol (RDP), Virtual Private Networks (VPNs), web shells, and various remote access software.

IABs are also skilled at exploiting zero-day vulnerabilities to gain access to systems. Zero-day exploitation makes IABs especially challenging to defend against, as these vulnerabilities are exploited before they are public knowledge.

The image below shows an advertisement on the Exploit forum for a tool called VPN Brute that could be used by IABs. The tool is designed to brute force login credentials for various VPN services and corporate networks. This is just one of many tools that IABs could utilize.

Interactions with ransomware organizations

The threat of a ransomware attack continues to be a major concern for organizations, as such attacks can result in heavy financial and data loss. Increasingly, IABs have become intertwined with ransomware groups, giving operators the opportunity to focus on deploying their malware, improving its effectiveness, and completing the extortion attempt. In turn, IABs do the initial legwork of choosing targets and determining the most effective way to gain access to internal systems. At their core, IABs give ransomware groups the ability to scale and to execute attacks more rapidly.

Below is an example of a threat actor selling access to a large holding company on the XSS forum. The IAB has not listed the name of the organization they have gained access to but has indicated what is included with the access. Typically, the price depends on the size of the target and the method by which access was gained. Sometimes IABs will post the name of the compromised organization, but the information is often heavily sanitized so as not to alert the victim.

Screenshot

Lowering the skill level and ransomware-as-a-service (RaaS) 

IAB services are directly responsible for empowering less tech-savvy actors to carry out attacks that they otherwise may have lacked the skills to perform. Additionally, leaked ransomware builders on the dark web allow novices to deploy ransomware without the technical skill set that would normally be needed. Combined, the two mean the only real barrier to entry for a ransomware attack is the funds needed to pay for IAB services.

The example below is a listing for a potential Conti ransomware builder on Dark Forums. The user has left instructions on how to use the builder as well as a download link.

Screenshot

In addition to ransomware builders posted on dark web forums, the Ransomware-as-a-Service (RaaS) model lowers the barrier for the less tech-savvy threat actor. Groups like Cicada3301 and others offer affiliate programs that allow threat actors to use their technology for a one-time fee plus a commission on the total payout if the ransomware attack is successful.

Screenshot

Affiliates of Cicada3301 have the capabilities outlined below. These bullet points were posted by the group on the RAMP forum.

  • The entire web resource is accessible via Tor
  • Chat companies: The possibility of communication is carried out by us or you, specified when creating a company
  • Chat support: Communication with support
  • SubAffiliate: An account for your partners with read-only access to chats
  • Builder: Build a locker according to your configurations
  • Landing: Generating a key that provides private access to the chat
  • Ability to set up a landing page for a company indicating only the data leak (without a lock)
  • Private keys from companies are not stored on our servers
  • Possibility of editing the note
  • Calling companies
  • File storage for storing leak

It is also very likely that many IABs work directly for ransomware groups and, as a result, do not publicly post their compromises on dark web forums. This arrangement benefits both parties. For IABs, not posting their compromises on dark web forums may help them stay off the radar of law enforcement, especially if the dark web sources they post to are eventually seized. On the ransomware and RaaS side, having an IAB who works directly for the group expedites attacks for both the group and its affiliates, allowing ransomware organizations to scale their operations further.

Stealer logs & infostealer marketplaces

Navigating dark web markets for internal logins can take a tremendous amount of time, and IABs take on this role for ransomware groups. Credentials and devices compromised by stealer malware variants are available for purchase on various marketplaces such as Russian Market and Exodus, and they are relatively cheap. On these marketplaces, threat actors look specifically for compromised devices where a possible internal login appears to have been captured. Using the purchased login information, IABs gain access to internal corporate systems and in turn advertise that access for sale on dark web forums.

IABs will also look to dark web forums for stealer log credential leaks. It is common to see threads like the one in the image below on many dark web forums, where users post large files of credentials captured by stealer malware. As when investigating marketplaces like Russian Market, IABs on forums are looking for highly valuable internal logins within the stealer log files.

Screenshot

Protecting against IABs

IABs will continue to be a threat in the cybersecurity landscape, as their services allow ransomware groups and lone threat actors to increase the scale and speed of their operations. In addition, IABs are lowering the barrier to entry for less tech-savvy criminals by selling them access to compromised internal systems for an agreed-upon sum.

The practices outlined below will help your organization protect against IABs and the growing threat of ransomware. 

  • Make sure that your organization deploys proper phishing education for its employees. Phishing training modules and simulated phishing campaigns will help protect your organization from IABs, as phishing is a primary tactic used to gain access to your systems.
  • Organizations should make sure their IT departments release patches and update systems regularly. IABs are excellent at infiltrating internal systems through unpatched vulnerabilities.
    • IABs are adept at using zero-day vulnerabilities as a vector of compromise. If potential zero-days are identified, make sure they are addressed as soon as possible. In addition, monitor whether your third-party vendors have been exposed to a zero-day vulnerability.
  • Vulnerabilities commonly exploited by IABs include those in Remote Desktop Protocol (RDP), Virtual Private Networks (VPNs), web shells, and remote access software from various vendors. Make sure that these services are secured and have monitoring in place for potential unauthorized access by an IAB.
  • Make sure that your organization has strong password policies and enforces MFA.
  • Have a dark web monitoring solution to look for mentions of your organization on marketplaces and forums. IABs are very active in posting on these sources, so monitoring these areas is important.
    • Monitor infostealer marketplaces on the dark web, and monitor for credentials that have been captured by infostealer malware. IABs look for internal logins in that data and use them to infiltrate internal systems.
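As an added example (not from the article or from any tool it names), a small Python triage routine for the kind of stealer-log credential records discussed above: it flags records whose URL belongs to the organization's own login portals, ignores look-alike domains, de-duplicates the hits, and drops passwords from the output so the result can go straight into a reset ticket. The record layout, the corporate domain list and the sample lines are all constructed assumptions, not a real stealer-log format or real credentials.

```python
"""Triage constructed stealer-log style credential records for internal-login exposure.
Added example, not from the article: flag records whose URL belongs to the
organization's own login portals so those accounts can be reset first."""
from urllib.parse import urlsplit

# Hypothetical corporate login domains to watch (assumption for this example).
CORPORATE_DOMAINS = {"example.com", "example-vpn.net"}

# Constructed sample records in a simple "url|username|password" layout;
# not a real stealer-log format and not real credentials.
SAMPLE_RECORDS = """\
https://vpn.example.com/login|jdoe|Winter2024!
https://sso.example.com/|a.smith@example.com|hunter2
https://notexample.com/login|jdoe|Winter2024!
https://shop.example.net/account|jdoe|Winter2024!
https://mail.example-vpn.net|ops|P@ssw0rd
https://vpn.example.com/login|jdoe|Winter2024!
not a record line
"""

def host_matches(host, domains):
    """True if host equals a watched domain or is a subdomain of one.
    A plain suffix test would wrongly match 'notexample.com' to 'example.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def parse_record(line):
    """Split one 'url|username|password' line; return None for unparsable lines."""
    parts = line.strip().split("|")
    if len(parts) != 3 or not parts[0].startswith(("http://", "https://")):
        return None
    url, user, secret = parts
    return urlsplit(url).hostname or "", user, secret

def find_exposed_internal_logins(text, domains=CORPORATE_DOMAINS):
    """Return sorted, de-duplicated (host, username) pairs on watched domains.
    Passwords are deliberately dropped so the output is safe to ticket."""
    exposed = set()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and host_matches(rec[0], domains):
            exposed.add((rec[0], rec[1]))
    return sorted(exposed)

if __name__ == "__main__":
    for host, user in find_exposed_internal_logins(SAMPLE_RECORDS):
        print(f"reset + verify MFA: {user} @ {host}")
```

Feed real leak exports through the same matcher by adapting only `parse_record`; the domain matching and de-duplication stay the same.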
