Ransomware operators now outsource network access exploits to speed up attacks

Ransomware operators are now turning to network access sellers in their droves to cut out a difficult step in the infection process. 

On Monday, Accenture’s Cyber Threat Intelligence (CTI) team released new research on emerging cybersecurity trends, including an investigation into the nature of relationships between ransomware operators and exploit sellers. 

According to Accenture senior security analysts Thomas Willkan and Paul Mansfield, the purchase of network access points and already compromised routes into a target system is rising in popularity, including the purchase of stolen credentials and vulnerabilities. 

During an attack, ransomware operators must first find an entry point into a network. Compromised employee accounts, misconfigurations in public-facing systems, and vulnerable endpoints may all be used to deploy this particular family of malicious code, which encrypts files and disks and then demands payment in return for a decryption key. 

It is hard to estimate how many successful ransomware attacks have taken place this year. Europol believes that these specific attacks often go unreported, with only major incidents — such as the recent death of a woman in need of urgent care who was forced to divert from Duesseldorf hospital due to a ransomware infection — becoming public knowledge. 

Ransom demands these days can reach six-figure sums, or more, depending on the target and their estimated worth. Now, ransomware groups are seeking to cut out the initial access stage of an attack, speeding up the process — and potentially the opportunity for illicit revenue.

Network access sellers typically develop an initial vulnerability into working access and then sell that access in underground forums for anywhere between $300 and $10,000. 

The majority of network access offerings in the underground will include the target by industry and the type of access, ranging from Citrix