KELA published a report on Monday detailing the listings made by ransomware operators in the underground. It includes initial access requests (how the attackers gain a foothold in the target system to spread).
The report reveals that many hackers want to buy access to US companies that bring in revenue of over $100 million.
Initial access has become a big business. Ransomware groups like Lockbit and Blackmatter may help cybercriminals remove some of the legwork involved in a cyberattack by buying the access. It could include working credentials or the knowledge of a flaw in a system.
When you consider that a successful ransomware campaign can lead to payouts worth millions of dollars, the cost of gaining initial access becomes justifiable. That means cybercriminals can delegate much of what they do to free up time to strike or plan to strike more targets.
The cybersecurity company’s findings are based on dark web observations of forums during July of this year. It suggests that threat actors are looking for large US firms.
However, Canadian, Australian, and European targets get their fair share of attention. Russian targets are usually rejected right away, likely because of low potential payouts.
Choosing targets and gaining access
Roughly half of the ransomware operators will reject offers for access into organizations that deal with healthcare and education, no matter the country. In other cases, government entities and non-profits are left out of the attacks.
In addition, there are many ways to access a system, with Remote Desk Protocol and Virtual Private Network-based access leading the charge. The specific access is usually for devices made by specific companies that include Fortinet, Cisco, VMWare, Palo Alto Networks, and Citrix, among others.
The report also said that attackers are willing to pay, on average, up to $100,000 for the valuable initial access.