Cyberattacks are growing in number every year—by 19 percent in 2019 alone 1. One of the main reasons is the low barrier to entry. The Internet's shadier side teems with illegal marketplaces for malware and services used to breach corporate networks. Low-skilled hackers have quickly learned how to put them to good (or rather, bad) use.
In this article, we will explain what "access for sale" and "ransomware partner program" mean, how dangerous these threats are, and the risks they pose for businesses.
Definition of access
"Access for sale" on the darkweb is a generic term, referring to software, exploits, credentials, or anything else that allows illicitly controlling one or more remote computers. Successfully hacking a website, web server, database, or workstation means that the attacker has access. This access can be transferred or sold to third parties, just like house keys. But for our purposes here, we will only cover access to servers and workstations.
Only one or two years back, criminals seemed to be more interested in individual servers. Access to them was sold on the darkweb for up to $20 a pop.
However, starting in the second half of 2019, we have seen an increasing number of postings on hacker marketplaces 2 advertising access to local corporate networks.
Some buyers offer lucrative terms and an ongoing relationship. For example, they may pay out a commission of up to 30 percent of the potential profit for a hack of the infrastructure of a company with annual income exceeding $500 million.
Demand creates supply. At the end of 2019, over 50 accesses to the networks of major companies from all over the world were publicly available for sale. Among the victims were some rather large companies, with annual income running into the hundreds of millions or even billions of dollars.
In the U.S., criminals mostly sell access to service sector companies (20%), industrial companies (18%), and government institutions (14%). In Italy, the order was reversed: industrial companies (25%) are followed by service sector companies (17%). In the United Kingdom, the service sector accounts for 33 percent, science and education for 25 percent, and finance for 17 percent. Government institutions (20%) and healthcare (10%) lead in Brazil. In Germany, IT and services each account for 29 percent of accesses for sale. In number six position is Australia, for which most offers involve access to government or science and education. However, by their nature these statistics give a limited picture: in 17 percent of cases, the sellers do not indicate any country in their posts. Many sellers may not advertise their wares at all.
In general, the asking price is in the range of $500 to $100,000. The average cost of privileged access to a single local network is on the order of $5,000.
In the past, middling hackers had a hard time monetizing attacks: they did not have the skills to pursue an attack to the point of obtaining a payoff or valuable data. But with the current market demand, they can make a steady income by selling to other criminals.
Buyers can then develop an attack on business systems or hire a team of more skilled hackers who can quickly obtain domain administrator privileges and infect critical servers with malware.
The first ones to use this scheme were ransomware operators, who bought access for a fixed price from one set of criminals and then hired other criminals to infect local networks with malware in return for a large percentage of the victim's ransom. On darkweb forums, this setup is known as a "ransomware affiliate program."
Consequences for companies
Large companies stand to become a source of easy money for low-skilled hackers. External attacks on corporate infrastructures will increase significantly. This issue is especially acute now that so many employees are working from home. Hackers will look for any and all security lapses on the network perimeter, such as an unprotected web application, non-updated software, or incorrectly configured server with a weak administrator password. The larger the hacked company is, and the higher the obtained privileges, the more profitable the attack becomes.
Small and medium-sized companies are commonly believed to be at greater risk from script kiddies 3 due to smaller investments in network security. Being able to spend more, large companies should be better protected. But penetration tests by our experts prove that even the largest companies are vulnerable. Our testers find easy ways to penetrate local networks that do not require particular skill on the part of potential attackers. All the same, small and medium-sized companies have less money available to put into security and, therefore, are at even greater risk.
Companies should ensure comprehensive infrastructure protection, both on the network perimeter and within the local network. Make sure that all services on the perimeter are protected and security events on the local network are properly monitored to detect intruders in time. Regular retrospective analysis of security events allows discovering previously undetected attacks and addressing threats before criminals can steal data or disrupt business processes.
- We analyzed postings on 190 darkweb sites about purchase or sale of malicious tools, as well as custom malware development. We focused on forums, specialized marketplaces, and chat platforms with predominantly Russian- and English-speaking users. On average, over 70 million people visit them each month.
- Those who use other people's software to attack computer systems and networks or deface websites. The prototypical script kiddie is a teenager, unable to write their own complex programs or exploits, who seeks to impress friends or fellow computer enthusiasts. Age is not the defining feature, however.