From Initial Access to Ransomware Attack: An Analysis of Timelines from IAB Listings on Cybercriminal Forums to Extortion Attacks 

Introduction

Cyjax monitors and analyses the initial access broker (IAB) market on the most prominent cybercriminal forums. As noted in Cyjax’s 2024 IAB market in review, it is almost certain that extortion groups, APTs, data brokers, and other threat groups use IABs to gain initial access to targeted networks. Though at first glance it is not immediately obvious how important the IAB market is to the threat landscape, Cyjax has conducted a deep analysis of public IAB listings and extortion group DLSs. This analysis examined the speed at which these listings can be used to initiate attack chains and cause damage to organisations in a range of sectors and geographies.

Key takeaways

  • The skill level required to conduct ransomware operations without buying access is reportedly ten times greater. This suggests that ransomware operators and affiliates can conduct such operations roughly 10 times more easily by purchasing access through the IAB market.
  • Six case studies have been analysed to show the timeframe from IAB listing to extortion DLS listing. Well-known and prolific extortion groups Play, Lynx, Safepay, Hellcat, HuntersInternational, and BlackBasta appear to have purchased accesses to conduct extortion operations throughout 2024.
  • The shortest timeframe from IAB listing to DLS listing was four days, illustrating the fast pace and high technical capability seen in the threat landscape.
  • The average timeframe from IAB to DLS was approximately 20 days. This highlights the importance of monitoring and assessing initial access listings to prevent subsequent extortion attacks.

Context

On 29 September 2024, the Telegram channel of Deanon ClubV7 published the first part of a Russian-language interview between Deanon Club’s ‘DC’ and ‘Goldi’, an alleged former member of LockBit. In the interview, Goldi claimed to have been working in the RaaS ecosystem since 2016, and that they were involved in either developing or maintaining the ransomware’s code.

Figure 1 – Excerpt from Goldi’s interview (Translated from Russian).

The former member claimed that the skill level required to conduct ransomware operations from beginning to end was “10 times greater” than when purchasing initial access from other threat actors. If this is accurate, it can be assessed that it is comparatively 10 times easier to conduct ransomware operations by purchasing access through the IAB market. This likely appeals to operators and affiliates with fewer technical skills, stricter time constraints, and fewer resources than large, advanced ransomware groups.

Figure 2 – General timeframe of ransomware attack where initial access is gained through an IAB.

Throughout 2024, Cyjax has linked several ransomware and extortion data-leak site (DLS) listings to IAB posts. This blog will highlight several case studies showing the timeframe from IAB listing to data breach notification and ransomware DLS listings, for victims that Cyjax has assessed in the year and appear to have originated from IAB listings.

Case study 1, 2, and 3 – Pennywise77777 listings

On 21 November 2024, Pennywise77777 posted a thread on a prominent Russian-language cybercriminal forum, advertising access to 96 different organisations across several sectors and geographies. The broker identified each access by posting a link to the organisation’s ZoomInfo page. ZoomInfo is a business-to-business (B2B) service that catalogues company information, including geography, sector, employee count, and more. IABs commonly use it to source this information for their listings.

The thread was closed until the broker paid a deposit to the forum, and there is no public indication that any of the listings were sold. However, several extortion groups have since claimed attacks on their DLSs against victims named in this advertisement.

Figure 3 – Pennywise77777’s post on a cybercriminal forum.

Case study 1 – NatAlliance and Play ransomware

Victim Name: NatAlliance Securities
Organisation Description: Financial services organisation based in the United States.
IAB listing username: Pennywise77777
Listed price: N/A
Date listed on forum: 21 November 2024
Date listed on DLS: 5 December 2024
Extortion group: Play ransomware
Data breach notification: No public notifications observed as of February 2025.
Time from IAB listing to DLS listing: 14 days

Figure 4 – Pennywise77777’s IAB listing containing NatAlliance Securities.

Figure 5 – Play’s DLS listing for NatAlliance Securities.

Case study 2 – SCM Group and Lynx 

Victim Name: SCM Group
Organisation Description: Italy-based manufacturer of machine tools for woodworking.
IAB listing username: Pennywise77777
Listed price: N/A
Date listed on forum: 21 November 2024
Date listed on DLS: 26 November 2024
Extortion group: Lynx ransomware
Data breach notification: No public notifications observed as of February 2025.
Time from IAB listing to DLS listing: 4 days

Figure 6 – IAB post by pennywise77777 including SCM Group ZoomInfo link.

Figure 7 – Lynx DLS listing for SCM Group.

Case study 3 – NB Kenney and Safepay

Victim Name: N.B. Kenney
Organisation Description: US-based mechanical contractor.
IAB listing username: Pennywise77777
Listed price: N/A
Date listed on forum: 21 November 2024
Date listed on DLS: 11 December 2024
Extortion group: Safepay
Data breach notification: No public notifications observed as of February 2025.
Time from IAB listing to DLS listing: 20 days

Figure 8 – IAB post by pennywise77777 including N.B. Kenney ZoomInfo link.

Figure 9 – Safepay DLS listing for N.B. Kenney.

Case study 4 – Pinger and HellCat 

Victim Name: Pinger
Organisation Description: US-based telecommunications provider, known for its applications Textfree and Sideline.
IAB listing username: Miyako
Listed price: $5000
Date listed on forum: 1 November 2024
Date listed on DLS: 15 November 2024
Extortion group: Hellcat
Data breach notification: No public notifications observed as of February 2025.
Time from IAB listing to DLS listing: 14 days

Figure 10 – User miyako advertises access to Pinger.

Figure 11 – Pinger leak file hosted on Hellcat’s file server.

Case study 5 – Manuchar and Hunters International 

Victim Name: Manuchar
Organisation Description: Distributor of chemicals based in Belgium.
IAB listing username: Kio
Listed price: $5000
Date listed on forum: 29 March 2024
Date listed on DLS: 15 November 2024
Extortion group: Hunters International
Data breach notification: No public notifications observed as of February 2025.
Time from IAB listing to DLS listing: 31 days

Figure 12 – Initial post by kio advertising initial access to multiple organisations.

Figure 13 – Listing within kio’s post assessed to be Manuchar.

Figure 14 – Manuchar listing on HuntersInternational DLS.

Case study 6 – ZircoDATA and BlackBasta 

Victim Name: ZircoDATA
Organisation Description: Australia-based data management firm.
IAB listing username: Crypmans
Listed price: $1500 to $10,000
Date listed on forum: 24 January 2024
Date listed on DLS: 22 February 2024
Extortion group: Hunters International
Data breach notification: Yes
Time from IAB listing to DLS listing: 36 days

This case study is notable because, although the victim was added to the HuntersInternational DLS 36 days after the IAB listing was made, ZircoDATA stated that the breach occurred on 8 February 2024. This indicates an attack timeframe of 15 days. The delay in naming the victim on the group’s DLS may have been due to ongoing ransom negotiations.

Figure 15 – IAB post for listing assessed to be ZircoDATA.

Figure 16 – ZircoDATA listing on BlackBasta’s DLS.

Mitigation recommendations

As observed throughout this report, ransomware groups appear to be able to conduct attacks as little as three days after gaining initial access to an organisation. As a result, it is vital to apply mitigations to enterprise networks to reduce the likelihood of an attack.

Assess credibility of listings and vendor

Many IAB listings do not include the name of the victim organisation, commonly referring only to its revenue, geography, and sector. However, additional details such as the number of active hosts, the antivirus software in use, and the particular access type can often be observed. Assessing the credibility of the access, and checking the details supplied in the listing against the organisation’s own network, helps to indicate whether the access is valid and whether it refers to the organisation in question.

Low-reputation IABs and scammers may falsely list accesses to organisations, possibly in an attempt to build the broker’s credibility. Such listings often result in arbitration threads against the broker, who is then banned if the access is found to be false or misleading. While active, however, these IABs may post fake listings that would prompt an organisation to begin incident response. If the listing is not credible, this can be costly for the business.

Cyjax maintains a repository of the most credible IABs, with a dedicated analyst team tracking and analysing listings and vendors. 

Investigate instances of advertised access method

IAB listings most commonly advertise access through remote-access services such as VPN, RDP, and RDWeb. If a listing is assessed to affect an organisation, it is vital to investigate all active instances of the advertised access type, so that potential weak points and the access node most likely to have been compromised can be identified.

Check for outdated software and apply patches where necessary

Vulnerability exploitation is a common technique used by threat actors to gain initial access to networks. Regularly scheduled version checks of all installed software, on-demand checks after a potential IAB listing is observed, and prompt patching when flaws are disclosed may all help to mitigate IAB threats. Patching may also remove access already gained by attackers.

Check logs

Auditing logs is an essential part of incident recovery, and regular monitoring of logs for public-facing software and hardware may reveal unauthorised intrusion attempts. This may help to identify initial access gained through the aforementioned services VPN, RDP, and RDWeb, among others.

Change passwords

Regular password changes and strong password enforcement can mitigate access gained through password spraying, brute force, and credential exposure. Maintaining a high standard of password policy can prevent IABs and other attackers from gaining access to organisations.
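The log checks and the password-spraying and brute-force patterns described in the two sections above, as an added example that is not part of the Cyjax report: the script below parses a constructed, simplified VPN/RDWeb authentication log (the log format, the usernames and the IP addresses are all assumed for illustration) and flags three things a defender would want to see, namely repeated failures against one account from one source, one source failing against many accounts, and a success that follows a burst of failures from the same source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a simplified VPN/RDWeb auth-log format (not from the report).
SAMPLE_LOG = """\
2024-11-21T02:10:05Z rdweb auth=FAIL user=jsmith src=203.0.113.7
2024-11-21T02:10:09Z rdweb auth=FAIL user=jsmith src=203.0.113.7
2024-11-21T02:10:14Z rdweb auth=FAIL user=jsmith src=203.0.113.7
2024-11-21T02:10:20Z rdweb auth=FAIL user=jsmith src=203.0.113.7
2024-11-21T02:10:31Z rdweb auth=OK user=jsmith src=203.0.113.7
2024-11-21T03:00:01Z vpn auth=FAIL user=alice src=198.51.100.9
2024-11-21T03:00:02Z vpn auth=FAIL user=bob src=198.51.100.9
2024-11-21T03:00:03Z vpn auth=FAIL user=carol src=198.51.100.9
2024-11-21T03:00:04Z vpn auth=FAIL user=dave src=198.51.100.9
2024-11-21T09:15:00Z vpn auth=OK user=alice src=192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+) (\S+) auth=(OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Parse log lines into (timestamp, service, result, user, src) tuples; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, svc, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), svc, result, user, src))
    return events

def detect(events, fail_threshold=4, spray_users=4, window_s=600):
    """Return sorted (kind, src, detail) findings: brute force, password spray, success after failures."""
    fails = defaultdict(list)        # (src, user) -> failure timestamps
    users_by_src = defaultdict(set)  # src -> distinct accounts that failed from it
    findings = set()
    for ts, _svc, result, user, src in events:   # events are assumed to be in time order
        if result == "FAIL":
            fails[(src, user)].append(ts)
            users_by_src[src].add(user)
            continue
        # A success preceded by a burst of failures from the same source is the case to triage first
        recent = [t for t in fails[(src, user)] if (ts - t).total_seconds() <= window_s]
        if len(recent) >= fail_threshold:
            findings.add(("success_after_failures", src, user))
    for (src, user), times in fails.items():
        if len(times) >= fail_threshold:
            findings.add(("brute_force", src, user))
    for src, users in users_by_src.items():
        if len(users) >= spray_users:
            findings.add(("password_spray", src, f"{len(users)} accounts"))
    return sorted(findings)
```

Running `detect(parse(SAMPLE_LOG))` on the constructed log returns one brute-force finding and one success-after-failures finding for 203.0.113.7 and a password-spray finding for 198.51.100.9; the thresholds are starting points to tune against an environment's normal failure rate.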

Implement or reset MFA

Multi-factor authentication (MFA) provides an extra layer of security beyond credentials alone for access to enterprise networks. By implementing it, organisations can prevent threat actors from gaining access to networks through brute force and password spraying.

If enabled, organisations should reset MFA after assessing the credibility of a listing. This is to invalidate any tokens an attacker may have gained in the compromise and restore a level of security to the network.

Conclusion

As highlighted in this report, the IAB market serves as a way for threat groups to easily and instantly gain initial access to organisations and conduct ransomware operations without the skills, time, and resources required to gain such access. The case studies highlight that ransomware and extortion groups likely use IABs for these reasons, with clear apparent links between IAB listings and subsequent extortion attacks. As such, it is imperative to disrupt potential attacks as early as possible. It is much harder to recover from a compromise once access has been sold to an extortion group and an attack occurs. As portrayed in this report, there is a short timeframe from when an IAB listing is posted to an extortion group conducting an attack.

Cyjax’s expert threat intelligence solutions empower organisations to detect, disrupt, and defend against emerging cyber threats. Leverage our insights to safeguard your business from ransomware and other critical attacks.
