RSAC insights: How IABs — initial access brokers — help sustain, accelerate the ransomware plague

By Byron V. Acohido

Specialization continues to advance apace in the cybercriminal ecosystem.

Related: How cybercriminals leverage digital transformation

Initial access brokers, or IABs, are the latest specialists on the scene. IABs flashed to prominence on the heels of gaping vulnerabilities being discovered and widely exploited in Microsoft Exchange servers deployed globally in enterprise networks.

I had the chance at RSA Conference 2022 to visit with John Shier, senior security advisor at Sophos, a security software and hardware company. We discussed how the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server, which companies have been scrambling to patch for the past couple of years, gave rise to threat actors who focus on a singular mission: locating and compromising cyber assets with known vulnerabilities.

For a drill down on IABs, please give the accompanying podcast a listen. Here are the key takeaways:

Sequential specialists

IABs today jump into action anytime a newly discovered bug gets publicized, especially operating system coding flaws that can be remotely exploited. IABs gain unauthorized network access and then they often will conduct exploratory movements to get a sense of what the compromised asset is, Shier told me.

This is all part of triangulating how much value the breached asset might have in the Darknet marketplace. “IABs specialize in one specific area of the cybercrime ecosystem where the victims are accumulated and then sold off to the highest bidder,” he says.

To ensure persistent access to, say, a compromised web server, an IAB will implant a web shell – code that functions as a back door through which additional malicious software can be uploaded at a later time. The web shell sits dormant, providing a path for other specialists.
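Because a web shell is a script the application never shipped, the practical detection question for defenders is "which script paths are being hit that are not part of the known application surface, and who is hitting them?" The following is an added example, not code or indicators from the article or from Sophos: it parses a handful of constructed IIS-style access log lines and flags requests to script files outside a hypothetical baseline, weighting POSTs from automation clients higher, since that is how a dormant shell typically gets woken up by the next specialist in the chain. The log lines, the baseline paths and the user-agent patterns are all assumptions made for the example.

```python
"""Spotting a dormant web shell from web-server access logs.

Added example with constructed data and a hypothetical baseline; it is not
code, paths or IOCs from the article or from Sophos.
"""
import re
from collections import defaultdict

# Constructed W3C-style IIS access log lines (not from any real incident).
# Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
#         c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
2022-06-01 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2022-06-01 10:00:09 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 302
2022-06-01 10:03:12 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 - 198.51.100.23 python-requests/2.25 200
2022-06-01 10:03:13 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 - 198.51.100.23 python-requests/2.25 200
2022-06-01 10:04:40 10.0.0.5 GET /ecp/default.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2022-06-01 10:05:02 10.0.0.5 GET /owa/auth/Current/themes/resources/load.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
"""

# Hypothetical baseline: script paths the application is known to serve
# (in practice, built from a clean install or a file inventory of the web root).
BASELINE_SCRIPTS = {
    "/owa/auth/logon.aspx",
    "/ecp/default.aspx",
}

# Server-side script extensions worth watching; a web shell has to be one of these
# (or similar) to execute at all.
SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx|php|jsp)$", re.IGNORECASE)

# Assumed automation user agents; an operator driving a shell rarely uses a browser.
AUTOMATION_UA = re.compile(r"python-requests|curl|Go-http-client|PowerShell", re.IGNORECASE)

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<s_ip>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<query>\S+) (?P<port>\d+) (?P<user>\S+) (?P<c_ip>\S+) (?P<ua>\S+) (?P<status>\d+)$"
)


def parse_line(line):
    """Return the log record as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspect_scripts(log_text, baseline=BASELINE_SCRIPTS):
    """Aggregate requests to script paths that are not in the baseline.

    Returns {path: {"hits", "posts", "clients", "automation"}}.
    """
    findings = defaultdict(lambda: {"hits": 0, "posts": 0, "clients": set(), "automation": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not SCRIPT_EXT.search(rec["path"]):
            continue  # skip malformed lines and static content
        path = rec["path"]
        if path.lower() in baseline:
            continue  # known application script, nothing to see
        f = findings[path]
        f["hits"] += 1
        f["clients"].add(rec["c_ip"])
        if rec["method"].upper() == "POST":
            f["posts"] += 1  # shells are usually driven with POST bodies
        if AUTOMATION_UA.search(rec["ua"]):
            f["automation"] = True
    return dict(findings)


def severity(finding):
    """Crude triage: POSTs from an automation client to an unknown script rank highest."""
    if finding["posts"] and finding["automation"]:
        return "high"
    if finding["posts"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    for path, f in find_suspect_scripts(SAMPLE_LOG).items():
        print(f"{severity(f):6} {path} hits={f['hits']} posts={f['posts']} "
              f"clients={sorted(f['clients'])}")
```

On the constructed sample this ranks the repeated POSTs to the unknown `help.aspx` from a `python-requests` client as high and the single browser GET to `load.aspx` as low. The signal is only as good as the baseline: an incomplete inventory produces noise, so in practice pair this with a file-system check for script files whose creation time postdates the last legitimate deployment.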

The IAB’s job, at this point, is done; access to the compromised server is now ready for sale to another operative. It might be someone who specializes in embedding droppers – a type of malware delivery tool designed to stealthily install the endgame payload, Shier says.

A dropper specialist, in turn, might deliver control of the primed server to a payload specialist – an operative who’s adept at, say, carrying out a crypto mining routine that saps processing power. Or the payload might be a data exfiltration routine — or a full-blown ransomware attack.

Teeming criminal activity

IABs are giving an already high-functioning cybercriminal underground a turbo boost. This trend is highlighted in Sophos’ recent adversaries report, based on analysis of 144 incidents targeting organizations of varying sizes in the US, Europe, the Middle East, Australia, the Philippines and Japan. IABs contributed to threat actors dwelling longer before detection: the median attacker dwell time was 15 days in 2021, up from 11 days in 2020.

Sophos’ study of adversary activity found that some 47 percent of attacks started with an exploited vulnerability and 73 percent of attacks involved ransomware. Speaking of ransomware, cyber extortion continues to persist at a plague level.

Sophos’ The State of Ransomware 2022 polling of 5,600 IT professionals in 31 countries reveals that 66 percent of organizations were hit by ransomware in 2021, up from 37 percent in 2020. Meanwhile, some 11 percent of victim companies paid ransoms of $1 million USD or more in 2021, a nearly three-fold increase from the 4 percent that did so in 2020. And the average ransom payment, excluding outliers, rang in at $812,360.

Clearly, the threat landscape is teeming with criminals leveraging proven tools, tactics and procedures to great effect. Forensic evidence analyzed by Sophos sheds light on instances where multiple adversaries, including IABs, dropper specialists, ransomware gangs and crypto miners, crossed paths. At times, multiple ransomware gangs targeted the same organization simultaneously.

“The IABs are the clearinghouses for all of this access,” Shier says. “The brokering happens in Darknet markets that specialize in the sale of victims.”

If you know where to look in Darknet markets, he says, you can find access to compromised machines listed by company, type of server and level of access. “This allows you, as a criminal, to really understand what it is that you’re buying,” Shier says. “They’ve even got an escrow system to assure that one criminal is not scamming the other criminals.”

Understanding digital assets

This is the flip side of digital transformation. As enterprises drive towards a dramatically scaled-up and increasingly interconnected digital ecosystem, network attack surfaces are expanding rapidly and security gaps are multiplying.

Cybercriminals are merely feasting on low-hanging fruit. It’s not so much that they’re doing anything terribly innovative. It’s just that there are so many blind spots, and in many ways it’s easier than ever for intruders to gain deep access, steal data, spread ransomware, disrupt infrastructure and attain unauthorized presence for an extended period of time.


Companies need to understand that every organization using digital assets is a target for an adversary somewhere; these days it can be waves of specialists from several different hacking collectives converging on the same target all at once, Shier says.

Constant monitoring and effective detection and response are more vital than ever. And so is reducing the attack surface by configuring systems wisely and managing vulnerabilities well.

Observes Shier: “First and foremost it is important to understand the systems, tools and software you’re using . . . and understand what are the core aspects of your business that you need to protect. Protect the core business first and then start to look at protecting the things that are supporting the core business. The mitigations might be different, but it really comes down to understanding the business itself.”

This much was made clear at RSAC 2022: the technology and security frameworks to do this are readily available. What’s lacking – and why criminal specialists continue to operate with impunity — is uniform adoption. Things are steadily moving in that direction. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)
