Understanding initial access brokers and their impact on cyber security


Initial access brokers are cybercriminals who specialise in breaking into corporate networks and selling access to ransomware gangs and other threat actors on underground forums. This underground marketplace has transformed ransomware from isolated attacks into an efficient supply chain, where a single breach can trigger multiple devastating incidents as different criminal groups exploit the same stolen credentials.

Contact Zensec immediately if you suspect your organisation has been compromised or if you discover unauthorised access advertised on underground forums.

The marketplace for stolen access operates openly on underground forums like Exploit, XSS, and RAMP, where IABs post listings that look surprisingly similar to classified ads.

Each listing includes details on the target company’s size, revenue, and the type of access available. Prices range from a few hundred pounds to over £100,000, depending on how valuable the target appears to ransomware operators.

Why do initial access brokers (IABs) exist?

Initial access brokers are threat actors who take the first step in a cyberattack: getting inside.

Rather than carrying out the entire attack themselves, their main focus is to gain initial access to your systems by breaking through defences.

Cybercriminals who want to avoid wasting time gaining access then buy those credentials from the access broker.

This division of labour makes both sides more effective. IABs can focus on perfecting their intrusion techniques and scanning thousands of potential targets at once, then sell network access – typically through the dark web.

Meanwhile, ransomware operators can skip the time-consuming reconnaissance phase and deploy their malware straight away. What used to take weeks or months can now happen in hours.

The typical buyer is a ransomware-as-a-service (RaaS) affiliate, someone who operates ransomware on behalf of a larger criminal organisation. By purchasing ready-made, procured access, these affiliates can launch more attacks in less time, which is exactly why ransomware incidents have surged in recent years.

How do initial access brokers gain access to networks?

Initial access brokers use a range of strategies to target networks, including RDP, VPN, and phishing messages.

Remote desktop protocol

RDP is the most common entry point, accounting for more than half of all access sold on underground forums. RDP lets employees connect to their work computers from home, but when it’s exposed directly to the internet without proper security, it becomes an open door.

IABs use automated tools to scan for exposed RDP services, then attempt to break in using brute force attacks or lists of previously stolen passwords.

VPN access

Virtual Private Network vulnerabilities are another favourite target. When security researchers discover flaws in popular VPN products, IABs race to exploit them before companies can install patches. Organisations that delay updates or use VPNs without multi-factor authentication are particularly vulnerable.

Phishing

Phishing remains surprisingly effective despite years of security awareness training. IABs craft emails that impersonate IT support, trusted vendors, or company executives to trick employees into revealing their login credentials.

Once someone takes the bait, the IAB has a legitimate username and password to access the network.

Web applications

Web application vulnerabilities provide yet another way in. IABs exploit flaws in company websites or web-based applications to install web shells, small programs that allow them to execute commands remotely.

Web shell access is particularly valuable because it often goes undetected for months and can survive even after the original vulnerability gets patched.

Buying access

Some IABs don’t break in at all; they simply buy access from other criminals, which forms yet another potential layer in the ransomware ecosystem.

Information-stealing malware constantly harvests credentials from infected computers, and those credentials get sold in bulk on underground markets.

IABs purchase these databases and test which credentials still work, building an inventory of access to sell.

The IAB marketplace and pricing structure

The underground market for network access operates with a level of professionalism that might surprise you.

IABs advertise their products with detailed specifications: the target company’s industry, annual revenue, number of employees, geographic location, and the type of access available (RDP, VPN, web shell, or administrator credentials).

Pricing follows predictable patterns based on a few key factors:

  • Company Size and Revenue: Larger organisations with higher revenues command higher prices because ransomware operators can demand bigger ransoms from them.
  • Industry Sector: Healthcare and financial services access typically costs more because these organisations face regulatory pressure to resolve incidents quickly and are more likely to pay ransoms. Put simply, they’re in higher demand, and ransomware groups will pay a premium for the information.
  • Access Level: Administrator credentials cost significantly more than standard user accounts because they allow immediate control over the entire network.
  • Geographic Location: Companies in the UK, US, and Western Europe sell at premium prices compared to organisations in developing countries.

Factor | How It Influences Pricing | Notes / Examples
Company Size & Revenue | Higher revenue companies sell for higher prices because ransomware operators expect larger payouts | Access to enterprise-level orgs can cost several thousand dollars or more
Industry Sector | Regulated sectors (healthcare, finance) command premium prices due to higher pressure to resolve incidents quickly | Attackers know these organisations are more likely to pay ransoms
Access Level | Administrator credentials are the most expensive since they provide immediate high-privilege control | Standard user accounts are cheaper and often used as footholds
Geographic Location | Access to US, UK, and Western Europe is priced higher than access in developing regions | Based on perceived ability to pay and stronger monetisation opportunities
Guarantee Period | Longer guarantee windows allow IABs to charge more for “assured” access | Buyers can request refunds or replacements if access fails
Payment Structure | Crypto-only payments (Bitcoin, Monero) keep transactions anonymous and irreversible | Escrow services on forums reduce scam risk and increase seller reputation

Payments are made exclusively in cryptocurrency, with Bitcoin and Monero the most common options.

Many forums offer escrow services to hold payments until the buyer confirms that access works, reducing the risk of scams on both sides.

How IABs enable ransomware groups to initiate attacks

The relationship between IABs and ransomware operators has fundamentally accelerated the pace of attacks. Traditional attack chains used to unfold over weeks or months, giving security teams multiple chances to spot suspicious activity.

Now, ransomware can be deployed within 24 hours of purchasing access, compressing the entire timeline into a narrow window that’s incredibly difficult to defend against.

This speed comes from specialisation, made possible by direct collaboration between the two groups. IABs focus on intrusion techniques, maintaining scanning infrastructure, and building portfolios of compromised networks.

Ransomware operators leverage procured access to move laterally through networks, escalating privileges, stealing data, and deploying encryption. Each party gets better at their specific role rather than being mediocre at everything.

There’s also a multiplication effect at play. One IAB can compromise dozens of networks and sell each one to multiple buyers over time. A single successful intrusion might lead to several separate ransomware attacks as different criminal groups purchase and exploit the same access.

An organisation might clean up one incident without realising that its credentials are still being advertised on underground forums.

Detecting and preventing IAB activity

Many ransomware groups will launch attacks quickly after an IAB passes access to them. So, your first line of defence is to take steps to prevent IAB activity and to implement measures to detect it. Effective detection and prevention measures include:

Multi-factor authentication

MFA is the single most effective defence against IABs because it makes stolen passwords useless without the second authentication factor. Even if an IAB obtains valid credentials through phishing or a data breach, they can’t log in without also having access to the victim’s phone or authentication app.

Reducing your external attack surface

Many organisations unknowingly expose RDP directly to the internet or leave VPN appliances open without proper access controls. Regular external scans can identify these exposures before IABs do. Where remote access is necessary, placing it behind a VPN or using zero-trust network access solutions adds protective layers, reducing the risks of major incidents.

Strong password policies

Long, unique passwords make brute force attacks more difficult because they are harder to crack, and they should be changed promptly when exposed. Monitoring services that alert you when your organisation’s credentials appear in breach databases let you reset compromised passwords before IABs can exploit them.

Network segmentation

Restricting access to network devices can limit the damage from a single compromised account. Even if an IAB successfully breaches the perimeter, segmentation prevents them from easily reaching high-value systems and data. This reduced access makes the credentials less attractive to potential buyers.

SIEM systems

Security information and event management systems can automate the detection of suspicious authentication activity and alert your IT or security team, who can then investigate.

Fast and continuous patching

IABs actively monitor security advisories and exploit newly disclosed vulnerabilities before organisations can deploy patches. Prioritising updates for VPN appliances, web servers, and remote access tools closes the windows of opportunity that IABs rely on.

Integrating Cyber Threat Intelligence (CTI) feeds can help your security teams prioritise patching.

Responding to suspected IAB compromise

If you suspect an IAB has compromised your network, speed matters. The longer the access remains active, the greater the chance it will be sold and exploited by ransomware operators.


Our incident response team provides 24/7 support to contain threats, conduct forensic investigations, and implement remediation strategies that prevent escalation to ransomware attacks.

Here are the most important steps when responding to suspected IAB issues:

  1. First, confirm the compromise through forensic investigation. Examine authentication logs, network traffic, and endpoint data for indicators of unauthorised access. Look for patterns like unusual login locations, odd timing, or authentication from IP addresses that don’t belong to your organisation.
  2. Once confirmed, immediate containment prevents further damage. Reset all potentially compromised credentials, especially administrator accounts. Temporarily disable or restrict external access points, such as RDP and VPN, while you investigate the root cause. Isolate affected systems from the network to prevent lateral movement if the IAB has already established a foothold.
  3. Forensic analysis determines the full scope of the breach. You’ll want to know which systems were accessed, what data may have been viewed or stolen, and whether any persistence mechanisms, such as backdoor accounts or web shells, were created. This investigation also identifies the initial attack vector so you can implement specific controls to prevent recurrence.
  4. Post-incident hardening addresses the vulnerabilities that enabled the initial compromise. This might include implementing MFA, closing unnecessary external access points, patching vulnerabilities, improving network segmentation, or enhancing monitoring capabilities.
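The kind of authentication-log checks a SIEM rule or a step-one forensic review would apply (logons from addresses outside the organisation, logons at odd hours, and a burst of failures followed by a success on an exposed RDP or VPN gateway) are shown below as an added example. This is illustrative code written for this article, not Zensec’s tooling or a SIEM product’s rule syntax; the log line format, the organisation’s address range (10.20.0.0/16), the business-hours window, the failure threshold and the sample events are all constructed assumptions.

```python
"""Detection logic over constructed RDP-gateway authentication events.

Three rules mirror the indicators listed in the article's response steps:
  external_source       - successful logon from outside the organisation's ranges
  off_hours             - successful logon outside the assumed business hours
  failures_then_success - repeated failures from one source, then a success
Everything here (format, ranges, thresholds) is an assumption for the example.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log from a hypothetical gateway named "rdp-gw".
SAMPLE_LOG = """\
2024-05-03T09:02:11Z rdp-gw LOGON user=alice src=10.20.5.17 result=SUCCESS
2024-05-03T09:15:43Z rdp-gw LOGON user=bob src=10.20.5.31 result=SUCCESS
2024-05-03T02:14:07Z rdp-gw LOGON user=alice src=203.0.113.45 result=SUCCESS
2024-05-03T03:40:00Z rdp-gw LOGON user=svc_backup src=198.51.100.9 result=FAILURE
2024-05-03T03:40:02Z rdp-gw LOGON user=svc_backup src=198.51.100.9 result=FAILURE
2024-05-03T03:40:04Z rdp-gw LOGON user=svc_backup src=198.51.100.9 result=FAILURE
2024-05-03T03:40:06Z rdp-gw LOGON user=svc_backup src=198.51.100.9 result=FAILURE
2024-05-03T03:40:08Z rdp-gw LOGON user=svc_backup src=198.51.100.9 result=FAILURE
2024-05-03T03:40:10Z rdp-gw LOGON user=svc_backup src=198.51.100.9 result=FAILURE
2024-05-03T03:40:12Z rdp-gw LOGON user=administrator src=198.51.100.9 result=SUCCESS
2024-05-03T14:22:51Z rdp-gw LOGON user=carol src=10.20.7.2 result=FAILURE
2024-05-03T14:23:05Z rdp-gw LOGON user=carol src=10.20.7.2 result=SUCCESS
"""

# Assumed organisation address space and policy values (constructed).
ORG_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 UTC is treated as normal working time
BRUTE_FORCE_THRESHOLD = 5       # failures from one source before a success is suspicious

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) LOGON user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["src"] = ipaddress.ip_address(ev["src"])
        events.append(ev)
    return events


def is_external(addr):
    """True when the address falls outside every organisation-owned network."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    return not any(addr in net for net in ORG_NETWORKS)


def detect(text):
    """Return findings as (rule, user, src, iso_timestamp), in chronological order."""
    findings = []
    failures_by_src = defaultdict(int)
    # Sort first: the sample log is not in time order, and the burst rule depends on order.
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        src, user, stamp = ev["src"], ev["user"], ev["ts"].isoformat()
        if ev["result"] == "FAILURE":
            failures_by_src[src] += 1
            continue
        # Only successful logons produce findings; failures feed the burst counter.
        if is_external(src):
            findings.append(("external_source", user, str(src), stamp))
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours", user, str(src), stamp))
        if failures_by_src[src] >= BRUTE_FORCE_THRESHOLD:
            findings.append(("failures_then_success", user, str(src), stamp))
        failures_by_src[src] = 0   # a success closes the current burst window
    return findings


if __name__ == "__main__":
    for rule, user, src, stamp in detect(SAMPLE_LOG):
        print(f"{stamp} {rule:<22} user={user} src={src}")
```

Run as a script, it lists five findings: two for the alice logon from 203.0.113.45 at 02:14 (external source, off hours) and three for the administrator logon from 198.51.100.9 that follows six failures. The internal daytime logons by bob and carol produce nothing, including carol’s single typo-style failure, because the burst rule only fires once the failure count reaches the threshold. In a real deployment the address ranges would come from your asset inventory and the thresholds would be tuned against your own baseline, which is exactly the tuning the SIEM section above leaves to the security team.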

The evolving IAB threat landscape

The IAB ecosystem continues to adapt as organisations improve their defences. Cloud infrastructure has become an increasingly popular target, with IABs exploiting misconfigurations in Azure, AWS, and Google Cloud environments. Cloud access is particularly valuable because it often provides entry to multiple connected systems and services simultaneously.

IABs are also finding ways around multi-factor authentication. MFA fatigue attacks bombard users with authentication requests until they approve one just to stop the notifications. Others exploit gaps in MFA coverage by identifying legacy systems or administrative interfaces that remain unprotected. Some sophisticated IABs have begun targeting mobile devices and using SIM swapping to bypass SMS-based authentication.

The marketplace itself is becoming more sophisticated. Some IABs now offer “access-as-a-service” subscriptions, maintaining persistent access and updating credentials as they change. Others provide reconnaissance reports detailing the target’s security posture, backup systems, and cyber insurance coverage to help ransomware operators optimise their attacks.

Law enforcement actions have disrupted some IAB operations and marketplaces, but new forums and vendors quickly emerge to fill the void. The decentralised nature of the underground economy makes it resilient to takedowns, though high-profile arrests do create temporary disruptions and force IABs to rebuild their reputations on new platforms.