Ransomware Attackers Partnering With Cybercrime Groups to Hack High-Profile Targets
2021-06-16 20:28

As ransomware attacks against critical infrastructure skyrocket, new research shows that threat actors behind such disruptions are increasingly shifting from using email messages as an intrusion route to purchasing access from cybercriminal enterprises that have already infiltrated major targets.

"Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains," researchers from Proofpoint said in a write-up shared with The Hacker News.

"Cybercriminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network."

The email and cloud security firm said it is currently tracking at least 10 different threat actors who, besides angling for a piece of the illegal profits, play the role of "initial access facilitators" to supply affiliates and other cybercrime groups with an entry point to deploy data theft and encryption operations.

Initial access brokers are known to infiltrate networks via first-stage malware payloads such as The Trick, Dridex, Qbot, IcedID, BazaLoader, or Buer Loader, with most campaigns detected in the first half of 2021 leveraging banking trojans as ransomware loaders.

The brokers - which were identified by tracking the backdoor access advertised on hacking forums - include TA800, TA577, TA569, TA551, TA570, TA547, TA544, TA571, TA574, and TA575, with overlaps observed between various threat actors, malware, and ransomware deployments.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/PG7p8DstpHc/ransomware-attackers-partnering-with.html