Initial Access Brokers: The Hard Facts
Initial Access Brokers (IABs) are threat actors who infiltrate networks, systems, or organizations and sell this unauthorized access to other malicious actors. Instead of executing the entire cyber attack, IABs focus on the initial breach and monetize it by selling access to compromised systems. They assist ransomware operations, particularly RaaS schemes, by streamlining attacks and reducing workload at the start.
Further to our 2024 report, the research team at Cyberint, a Check Point company, has analyzed Initial Access Broker activity over the past two and a half years on leading dark web forums (namely Ramp, Breach, XSS and Exploit Forums) and highlighted the latest trends and tactics.
In 2023 the US was the prime target of IABs, with over 31% of attacks targeting the country, and it remains so in 2024, but France and Brazil have been increasingly targeted. In the top 10 countries, the number of accesses for sale increased by 90%, indicating threat actors are focusing on specific countries, rather than spreading out geographic targets. This could be for a number of reasons, from targeting countries with higher economic potential to targeting countries with more valuable data.
IABs target various industries, with the business services sector being the most frequently targeted, similar to ransomware trends. The retail industry has remained consistently in the top 3 in 2023 and 2024, while manufacturing has become a growing focus, creeping up into the top 3 in 2024. The spread of targeted companies has also grown: more varied industries are being targeted, and each industry receives a smaller share of the pie in 2024.
In 2024, there has been a shift to targeting smaller organizations, perhaps due to perceived weaker defenses. This has dropped the average revenue to $1.28B in 2024 from $1.38B in 2023. Threat actors increasingly targeted organizations in the $5M-$50M range, which made up 60.5% of all initial access listings for sale.
The Three Primary Types of Initial Access Brokers
There are three primary types of IABs driving most ransomware attacks today. In 2023, those offering servers compromised through exposed Remote Desktop Protocol (RDP) were the most common (>60%). However, in 2024, VPN access surged, challenging RDP access for the top spot (33% VPN vs. 55% RDP).
Most IAB posts fall within a price range of $500 to $3,000 for corporate access, though high-value listings occasionally appear, exceeding $10,000. Protecting against IABs requires a multi-layered security approach, implementing both technical and organizational measures to minimize vulnerabilities.
*Please note that the data provided is limited to observations from Ramp, Breach, XSS, and Exploit Forums. While these are significant sources, they do not represent a complete picture of all threat activity.