Cyberattacks, Malware, Ransomware , Cybersecurity

Proliferation of Initial Access Brokers Fuels Ransomware Attacks

Drop in Brokers' Prices Lead to Surge in Ransomware Attacks in APAC Region
Proliferation of Initial Access Brokers Fuels Ransomware Attacks

The proliferation of initial access brokers, IABs, in the APAC region is having an impact on the underground ransomware market, and contributing to a rise in attacks, with the manufacturing sector being the primary target. These findings were revealed in a Group-IB annual report released in January 2023.

See Also: Fortify Your Organization against Destructive Cyberattacks

The report titled 'Hi-Tech Crime Trends 2022/2023' was produced by Group-IB's Threat Intelligence unit, and it identifies the most pertinent cyber risks faced by companies in the Asia-Pacific region.

From H2 2021 and H1 2022, Group-IB detected 2,348 instances of IABs selling access to corporate networks, either privately or on dark web forums, twice as many in the preceding period. The number of brokers also grew from 262 to 380 - 1.5 times more than in the previous period - leading to a drop in prices. This made network access for ransomware gangs and smaller threat actors more affordable.

Consequentially, the number of network access offers increased nearly threefold, from 133 in H2 2020-H1 2021 to 382 in H2 2021-H1 2022, resulting in a surge ransomware incidents in the region. This also led to a drop in the price of total offers by 32%. Group-IB researchers identified more than 35 advanced persistent threat actors engaging in cyberthreat activities in the APAC region, indicating that it remains the primary area of operations for nation-state actors.

"The increase in IABs is leading to a decrease in pricing for their services because the number of offers in the underground market is growing every year," says Dmitry Volkov, CEO and co-founder, Group-IB. "This is making ransomware attacks more affordable and even the (smaller) threat actor, who does not have the resources, can now launch a ransomware attack."

The lowest price for corporate access was $5, while the highest reached hundreds of thousands of dollars. The average price for access also dropped to $2,800. This is a reduction of more than half in the previous period ($6,500).

The increase in access offers in the APAC region resulted in a price drop of total offers by 32.3%. (Source: Group-IB)

This is the second consecutive year that Group-IB researchers observed the increasing impact of IABs on the ransomware market in APAC and beyond.

IABs have significantly expanded their presence worldwide, with the number of countries where they broke into corporate networks increasing by 41%: from 68 to 96 during this period. Similar to the previous year, U.S.-based companies were the most sought-after target among IABs, with almost a quarter of all discovered access offers related to U.S. companies (558).

The APAC region saw a significant number of network access offers from H2 2021 to H1 2022, with India recording the highest number (64), followed by Australia (49), China (45), Indonesia (28), Thailand (28), Malaysia (17), Taiwan (17), Vietnam (16), Japan (13), and Singapore with (13). NikaC, a highly active IAB in the APAC region, offered access to seven financial companies’ networks, primarily based in APAC. Most involved access to the corporate email of top managers.

"Initial access brokers play the role of oil producers for the whole underground economy. They fuel and facilitate the operations of other criminals, such as ransomware and nation-state adversaries," Volkov says.

He advises companies in the APAC region to consider setting up a threat intelligence program to monitor for compromised credentials of their workforce.

Attacks on Manufacturing Companies

The Hi-Tech Crime Trends report analyzes the various aspects of the cybercrime industry's operations, examines attacks, and provides forecasts for the threat landscape for various sectors such as the financial industry, telecommunications, manufacturing and energy.

The industries most affected by IABs were manufacturing (5.8% of all companies), financial services (5.1%), real estate (4.6%) and education (4.2%).

"For manufacturing companies, any disruption of the operational processes is critical. These companies will always pay [the ransom] to restore their daily operations as soon as possible," Volkov says.

Manufacturing companies did not pay much attention to cybersecurity companies in the past. The financial industry, in contrast, has been investing heavily in securing its infrastructure.

Over the reporting period, 136 instances of access to manufacturing companies sold by threat actors were discovered, 33% more than in the previous period (H2 2020 – H1 2021). (Source: Group-IB)

Ransomware - A Growing Problem

The report found that ransomware continues to be a major threat to companies worldwide, with 2,886 companies having their information, files and data published on dedicated leak sites, DLS, between H2 2021 and H1 2022, a 22% increase, compared to the 2,371 companies affected during the previous period (H2 2020 - H1 2021). The actual number of ransomware attacks is believed to be significantly higher as many victims choose to pay the ransom, and some ransomware gangs do not use DLS.

Between H2 2021 and H1 2022, ransomware gangs posted sensitive information belonging to 322 APAC companies on data leak sites, Group-IB reports. This constitutes 11% of the global ransomware attack count. Australia was most targeted, with 17% of the attacks, followed by India at 12% and China at 11%.

"Based on our telemetry, we saw on average, only 15% were listed as the victims on data leak sites managed by different ransomware groups. But, of course, this proportion can be changed depending on the attacker's profile. This is only for companies that didn't pay the ransom. So the number of victims, in general, is much higher," Volkov says.

Between H2 2021 and H1 2022, Group-IB's Threat Intelligence unit analyzed underground advertisements and identified a significant increase in the sale of corporate access. A total of 2,348 instances were recorded, which is twice as many as the previous period (1,099 access offers). Of these, 2,111 offers provided information about the country, and 1,532 specified the victim's industry.

About the Author

Brian Pereira

Brian Pereira

Director, Global News Desk, ISMG

Pereira has nearly three decades of journalism experience. He is the former editor of CHIP, InformationWeek and CISO MAG. He has also written for The Times of India and The Indian Express.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.