For HomeFor BusinessFor Partners
SMB Security Enterprise Security Ransomware Threat Intelligence
9 min read

Inside the Ransomware Supply Chain: The Role of Initial Access Brokers in Modern Attacks

Bogdan Botezatu
Bogdan Botezatu

May 05, 2025

Inside the Ransomware Supply Chain: The Role of Initial Access Brokers in Modern Attacks

Ransomware threat actors depend on numerous cybercriminal skillsets to breach, disrupt, and extort organizations. One of these skillsets belongs to Initial Access Brokers (IABs), who are prominent players in the prolific RaaS (Ransomware as a Service) ecosystem. They help drive the proliferation of ransomware and Business Email Compromise (BEC) attacks. 

In my conversations with organizations that Bitdefender serves, I sometimes explain what IABs do and how they lay the groundwork for another threat actor to take an attack to the next level. I recently discussed this in-depth during our new podcast series, CYBERCRIME: From the Front Line, and during a Bitdefender webinar, Hit From All Sides: Cyber Fraud Targeting Organizations that is available on demand. Below, I would like to share some details about IABs and their role. 

Understanding the Role of Initial Access Brokers 

What role does an IAB play? Initial access brokers facilitate the “break-in” to an organization like yours. If this were a home burglary we were talking about, IABs would smash the window or pick the lock and then walk away to let a different criminal access your house and steal your things. 

In this case, IABs specialize in various methods to gain unauthorized digital access, including scanning for vulnerabilities and exploiting them or using phishing attacks and other social engineering methods to harvest credentials.  

Once they are in your organization's environment, they establish persistence. They often create multiple access points in your environment just in case you detect and remediate one method. With access established, the IAB player sells verified access to your network to cyber threat actors on the dark web with different skillsets. Those threat actors use these open network doors to enter and move laterally across your environment as part of a ransomware attack or to enter and watch for pertinent transactions and data they can exploit for a successful BEC attack.  

How Initial Access Brokers Facilitate Ransomware Attacks 

Here are specific ways IABs play a role in ransomware attacks. 

Finding a vulnerable victim 

IABs rely on automated systems and tools that scour the internet to discover vulnerabilities within an organization. This could include unpatched VPNs, vulnerable RDP systems, endpoint vulnerabilities or known vulnerable software. To further build out their library of victims, some IABs will conduct more involved phishing or brute-force attacks to compromise accounts. They may even utilize insider threats, such as disgruntled employees or employees willing to facilitate access. 

Initial compromise 

Once a way into an organization is found, IABs do the grunt work of exploiting a vulnerability, system, software, or employee and ensure it leads to a compromise. To further cement the compromise or increase the odds of success, they may exploit multiple vulnerabilities within an organization. 

Establishing persistence 

Whether it’s a compromise via stolen credentials, vulnerable RDP systems, or an unpatched VPN, IABs need to ensure their access persists and that they can easily provide access back into an organization’s network since that is what they sell. This requires lateral movement within an organization, setting up multiple access points, or a web shell on the company’s site. These footholds establish persistence and ensure that even if the vulnerability is patched or a password is reset, the IAB still has access.  

Selling Access 

After gaining persistent access into an organization, they can classify their victims by verticals and post them up on well-known hacking sites, forums and even encrypted communication venues like Telegram. Threat actor groups might contact more experienced and reputable IABs directly to access a specific target. 

Post-Access Compromise 

After an IAB sells access to an organization, their job is done. They can either continue to sell access to more groups or look for another victim to compromise. On the victim’s side, whoever bought access can now execute the rest of the ransomware attack, deliver the malicious software and reap the benefits. 

How IABs Became Crucial in Ransomware & BEC Attacks  

While Initial Access Brokers and their specialized skills are an essential part of the RaaS ecosystem, you may wonder what occurred to make this the case.  

The pandemic forced many people to stay at home, increasing organizations’ reliance on RDP (Remote Desktop Protocol) and VPN technology to stay connected. These legitimate tools broadened the attack surface.   

Around the same time, ransomware attacks evolved to include a double extortion element. Threat actors locked organizations out of their data and threatened to leak or expose the data if companies didn't pay a ransom. They often elevated the attack by utilizing the stolen information to extort employees, dox them, or carry out more targeted attacks to expedite payment. 

These "business model improvements" expanded the ransomware ecosystem. This increased profitability dramatically, resulting in the rise of RaaS alongside additional intermediaries and affiliates whose involvement helped facilitate these attacks at scale.  

This pivot also fostered specialized roles across ransomware campaigns, resulting in disparate functions that offered their services to a number of different threat actor groups. The improved efficiency, effectiveness, and shared risk across these groups made ransomware attacks much more attractive. 

Initial Access Brokers (IABs) are one of these specialized roles and are essentially high-value middlemen that provide access as a service, monetizing that access while keeping their own risk lower because they don’t carry out the attack itself. In many cases, they lack the technical skills to deploy this kind of attack. If an organization detects a breach, the risk largely falls on whoever executed the ransomware attack, not the IAB. The IAB crew has monetized initial access and moved to their next target. 

IAB Targeted Industry Verticals 

Bitdefender threat intelligence reveals that IABs target industry verticals like finance, healthcare, manufacturing, and government the most. Finance is always a high-value target but other industries on the list are also profitable targets as they’re known for having many vulnerable systems and fewer resources to protect themselves.  

IABs and Increased Cyber Risk 

The emergence of IABs highlights the cyber threat landscape's evolution. Vulnerabilities are more likely to be exploited, and because IABs sell access, one organization may be victim to multiple attacks via a variety of threat actors. 

For more on the types of cyber fraud targeting organizations, watch Episode 1 of CYBERCRIME: From the Frontline. And if you're looking to rapidly reduce your organizational attack surface, read more about Bitdefender GravityZone PHASR or watch the Global Launch Event. PHASR is the industry’s first endpoint security solution to dynamically tailor hardening for each user—ensuring that security configurations align precisely with user-intended privileges and behaviors and continuously adapt to shrink attack surfaces.

Together, the right strategy and tools can help create a layered cyber defense that significantly reduces your organizational risk.

tags

SMB Security Enterprise Security Ransomware Threat Intelligence

Author

Bogdan Botezatu

Bogdan Botezatu

Bogdan Botezatu has spent the past 12 years as Director of Threat Research at Bitdefender. His areas of expertise include malware deobfuscation, detection, removal and prevention. Bogdan is the author of A History of Malware and Botnets 101. Before joining Bitdefender, he worked at one of Romania's largest and oldest universities as network administrator in charge of SecOps and policies.

View all posts

Right now Top posts

Why Alert Volume Matters: Cutting Through the Noise
Endpoint Protection & Management

Why Alert Volume Matters: Cutting Through the Noise

February 27, 2025

ShrinkLocker (+Decryptor): From Friend to Foe, and Back Again
Ransomware Threat Research Threat Intelligence

ShrinkLocker (+Decryptor): From Friend to Foe, and Back Again

November 13, 2024

5 Approaches to Counter a Cybercriminal’s Growing Arsenal
Enterprise Security Threat Research

5 Approaches to Counter a Cybercriminal’s Growing Arsenal

November 06, 2024

Meow, Meow Leaks, and the Chaos of Ransomware Attribution
Enterprise Security Ransomware Threat Research Threat Intelligence

Meow, Meow Leaks, and the Chaos of Ransomware Attribution

September 29, 2024

FOLLOW US ON SOCIAL MEDIA

SUBSCRIBE TO OUR NEWSLETTER

Don’t miss out on exclusive content and exciting announcements!

You might also like

How to Use NIST CSF 2.0 to Identify Security Gaps: Part 4
Enterprise Security

How to Use NIST CSF 2.0 to Identify Security Gaps: Part 4
Kevin Gee
Kevin Gee

May 08, 2025

What’s New in GravityZone April 2025 (v 6.61)
Enterprise Security Endpoint Detection and Response

What’s New in GravityZone April 2025 (v 6.61)
Grzegorz Nocoń
Grzegorz Nocoń

May 07, 2025

Bitdefender Achieves AV-Comparatives Anti-Tampering Certification
Enterprise Security Endpoint Detection and Response

Bitdefender Achieves AV-Comparatives Anti-Tampering Certification
Richard De La Torre
Richard De La Torre

May 06, 2025

Bookmarks

loader