The changing role of Initial Access Brokers (IABs) in Ransomware-as-a-Service

Initial Access Brokers (IABs) have emerged as critical players in RaaS operations, helping attackers launch targeted campaigns. Their tactics too have notably changed, shifting from backdoor malware or web shells to using harvested credentials and Multi-Factor Authentication (MFA) for persistence.

Ransomware attacks have evolved both technologically and organizationally as threat actors attempt to broaden the scope of their operations and increase profitability. Ransomware as a Service (RaaS) has been a pivotal force behind the rising frequency and complexity of ransomware attacks. The RaaS model, which operates much like SaaS and involves selling or renting ransomware capabilities to buyers, has lowered the entry threshold for the extortion business. Today, this is a well-oiled business model with multiple participants, namely operators, affiliates and Initial Access Brokers (IABs), all working in unison to orchestrate the attack.

Within the realm of RaaS, one crucial player has emerged as a key facilitator: the IAB. IABs are individuals or groups that specialize in gaining unauthorized access to internal networks and systems, which they then sell to ransomware operators. Their responsibilities include identifying vulnerabilities, breaching network defences, and providing access to lucrative targets. IABs give attackers a way to conduct targeted attacks, as buyers can choose from the range of access listings posted by IABs in underground forums. SISA has observed noticeable changes in the modus operandi of IABs in the recent past, based on findings from incident response activities and forensic readiness audits. SISA’s annual cybersecurity report, SISA Top 5 Forensic-driven Learnings 2023-24, presents a deeper understanding of the evolving tactics and intrusion methods of IABs.

Some of the prominent trends are discussed below:

  • IAB tactics have notably changed in RaaS operations, shifting from backdoor malware or web shells to using harvested credentials and Multi-Factor Authentication (MFA) for persistence. This method is harder to detect and provides better access to an organization’s critical infrastructure. Consequently, the dark web market value for credentials with MFA persistence is more than three times higher than web shell malware or backdoors.
  • IABs have utilized various tactics to acquire credentials, such as phishing, deploying stealer malware, and purchasing credentials from the dark web. SISA has also observed a 4.2X increase in the identification of stealer malware or its traces on compromised user devices.
  • The IAB community has witnessed a professionalization trend, with specialized roles and expertise emerging. Some IABs focus on reconnaissance and initial access, while others specialize in post-exploitation activities, such as privilege escalation or lateral movement. Then there are a few others who focus on specific industries or sectors, allowing them to develop deep knowledge and understanding of their targets.
  • The monetization model of IABs largely focuses on selling network access to multiple threat actors such as financially motivated Advanced Persistent Threats (APTs), ransomware gangs, data brokers, and nation-state actors among others. In addition to dark web forums, IABs also leverage specialized marketplaces to buy and sell access to compromised networks. These platforms offer a convenient way for trading any type of data, including bank card details, access to personal and corporate accounts, remote desktop protocol (RDP), access to servers and website administrator panels.
  • MFA bypass has been a popular method deployed by IABs to gain access, with circumvention techniques such as MFA brute force attacks, social engineering, and insider collusion being widely used. According to findings in the SISA Top 5 Forensic-driven Learnings 2023-24 report, MFA persistence was primarily achieved through brute force or social engineering, with only 1% of cases involving insider cooperation.
  • In addition to Telegram channels being used effectively by IABs to trade access, some brokers are also moving away from public adverts to private conversations with RaaS groups, to avoid the attention of enforcement agencies. This is particularly so after a string of high-profile ransomware attacks, including Kaseya and Colonial Pipeline, turned the spotlight on their operations.
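
As an added illustration (not taken from the SISA report or the original article), the sketch below shows how a defender might hunt for the pattern described in the trends above: a burst of failed MFA challenges, then a success, then a new authenticator enrolled on the account. The event names, log layout, thresholds and the reading of "MFA persistence" as enrolment of an attacker-controlled factor are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                     # failed challenges preceding a success
FAIL_WINDOW = timedelta(minutes=10)    # how long a failure stays "recent"
ENROLL_WINDOW = timedelta(minutes=30)  # enrolment soon after a suspect success

# Constructed sample events (assumed layout): ISO time, user, event, source IP
SAMPLE_EVENTS = """\
2024-03-01T09:00:05Z alice mfa_failure 198.51.100.10
2024-03-01T09:00:40Z alice mfa_success 198.51.100.10
2024-03-01T09:05:00Z alice mfa_enroll 198.51.100.10
2024-03-01T11:10:00Z bob mfa_failure 203.0.113.7
2024-03-01T11:10:20Z bob mfa_failure 203.0.113.7
2024-03-01T11:10:45Z bob mfa_failure 203.0.113.7
2024-03-01T11:11:10Z bob mfa_failure 203.0.113.7
2024-03-01T11:11:30Z bob mfa_failure 203.0.113.7
2024-03-01T11:12:00Z bob mfa_success 203.0.113.7
2024-03-01T11:16:00Z bob mfa_enroll 203.0.113.7
"""

def parse(line):
    ts, user, event, ip = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event, ip

def detect(log_text):
    """Return alerts as (rule, user, source_ip) tuples in time order."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    suspect = {}                   # user -> time of a success after a burst
    alerts = []
    for ts, user, event, ip in events:
        recent = failures[user]
        while recent and ts - recent[0] > FAIL_WINDOW:
            recent.popleft()       # forget failures outside the window
        if event == "mfa_failure":
            recent.append(ts)
        elif event == "mfa_success":
            if len(recent) >= FAIL_THRESHOLD:
                suspect[user] = ts
                alerts.append(("mfa_bruteforce_success", user, ip))
            recent.clear()
        elif event == "mfa_enroll" and user in suspect:
            # New factor registered shortly after a brute-forced challenge
            if ts - suspect.pop(user) <= ENROLL_WINDOW:
                alerts.append(("mfa_persistence_suspected", user, ip))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A single mistyped code followed by a legitimate enrolment (alice) raises nothing, while the burst, success and enrolment sequence (bob) raises both alerts.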


The role of IABs in the realm of RaaS is continuously evolving. By understanding their shifting tactics, methods, and trends, organizations can better prepare themselves to mitigate the risk and impact of ransomware attacks. As IABs remodel their strategies, it is crucial for organizations to adopt robust security measures. Strengthening supply chain security, implementing multi-factor authentication, deploying advanced threat hunting solutions, and conducting regular training are key steps to mitigate the threat of IABs.


