Researchers: Booming Cyber-Underground Market for Initial-Access Brokers
2021-06-16 11:51

Rather than do the heavy lifting themselves, ransomware gangs are buying their way onto networks, partnering with other criminal groups that have already paved the way for entry with first-stage malware, researchers have found.

Before the ultimate ransomware payload hits the network, known ransomware gangs such as Ryuk, Egregor and REvil first team up with threat actors who specialize in initial infection using various forms of malware, such as TrickBot, BazaLoader and IcedID, according to the report.

"Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets, and then sell access to the ransomware actors for a slice of the ill-gotten gains," according to the report.

Specifically, Proofpoint tracks at least 10 threat actors who use malicious email campaigns to distribute first-stage loaders via various tactics, which ransomware groups then take advantage of to deliver the ultimate payload. The relationship between these threat actors and ransomware groups is not one-to-one, researchers found, as multiple threat actors use the same payloads for ransomware distribution.

In the report, Proofpoint links 10 threat actors that researchers have been tracking as initial-access facilitators to their malware and tactics of choice for establishing network access, which they then sell to various ransomware groups for further nefarious purposes.

TA800 is a large cybercrime actor, tracked by Proofpoint since mid-2019, that distributes banking malware or malware loaders, including TrickBot, BazaLoader, Buer Loader and Ostap, to the Ryuk ransomware gang, researchers found.

