Introduction
The professionalization of ransomware operations has created a division of labor that mirrors legitimate business supply chains. Initial Access Brokers (IABs) are the wholesale suppliers of this criminal ecosystem: specialists who compromise enterprise networks and then sell that access — rather than monetizing it themselves — to ransomware operators who have the infrastructure, encryptors, and extortion capabilities to convert access into revenue.
Understanding the IAB market is essential for defenders because it reveals where ransomware intrusions actually begin — often weeks or months before the encryptor runs, and through pathways quite different from the high-sophistication custom malware chains that security training tends to emphasize.
What IABs Sell
The commodity IABs sell is authenticated access to enterprise networks, typically in one of several forms:
Remote Desktop Protocol (RDP) Access
RDP accesses typically provide a Windows account credential (or an active, authenticated session) to a machine with RDP exposed to the internet. Listings specify:
- IP address or hostname (sometimes just the geographic location and ISP)
- Windows version and domain membership status
- Account privileges (user vs. local administrator vs. domain administrator)
- Anti-virus product present (or claimed absence)
- Company name (sometimes disclosed, sometimes sold blind)
RDP access is the most common IAB product by volume and the lowest-priced. Non-privileged RDP access to a small or mid-sized business (SMB) might list for $50–$200.
VPN Credentials
VPN credential listings provide authenticated access to a corporate VPN. These are typically more valuable than raw RDP because:
- VPN access implies access to the internal network, not just a single machine
- Corporate VPN access is often a precursor to lateral movement into more sensitive segments
- Some VPN products have publicly documented vulnerabilities that, once an attacker is authenticated, facilitate privilege escalation on the appliance itself
Common platforms in VPN listings: Cisco ASA/AnyConnect, Fortinet FortiGate, Pulse/Ivanti, Citrix NetScaler, Palo Alto GlobalProtect.
Pricing: $500–$10,000+ depending on company size and whether the credentials include MFA bypass or session token theft.
Web Shell Access
Web shell accesses are persistent, attacker-controlled code running on an internet-facing web application or server. The buyer receives connection instructions for the web shell (URL + password), which gives them command execution on the host.
Web shells are common in environments where:
- A public-facing application has an unpatched RCE vulnerability
- An IAB has exploited a CVE but prefers to sell the access rather than develop the intrusion further
Corporate Account Credentials (Non-Active)
Some IAB listings are for credentials that haven’t yet been tested for active access — email and password combinations for corporate accounts, often obtained through phishing or information-stealing malware (infostealers). These are at the low end of the value spectrum but represent a significant volume of listings.
Domain Administrator Access
The premium IAB product: confirmed domain administrator credentials or an active session with DA rights. These listings are comparatively rare, command high prices ($5,000–$100,000+ depending on company size), and move quickly because they dramatically compress the attacker’s time-to-ransomware.
Pricing Dynamics
IAB pricing has become increasingly sophisticated, incorporating several variables:
Company revenue as primary driver: IABs frequently price based on the victim's estimated annual revenue, which they assess from the company name, domain, and LinkedIn data. Access to a $10M company might list at $2,000; the same technical access to a $5B company might list at $50,000.
Sector premiums: Healthcare, finance, and critical infrastructure accesses carry premiums — ransomware operators pay more because these sectors face higher operational pressure to pay ransoms.
Geography: U.S. accesses command the highest prices (highest average ransom payments). Western European accesses follow, with discounts for Asian markets where ransom payment rates are lower.
Privilege level: domain admin access is priced far above user-level access to the same organization, because it removes most of the buyer's post-access work.
Exclusivity: Most IAB markets offer single-buyer sales (the access is removed from listing once purchased). Some offer non-exclusive sales at a discount, where multiple buyers receive the same access — riskier for the buyer since other actors may alert the victim.
2025–2026 pricing ranges:
- Low-privilege RDP (SMB): $50–$500
- VPN credentials (SMB): $500–$3,000
- VPN credentials (enterprise): $3,000–$25,000
- Domain admin (SMB): $5,000–$30,000
- Domain admin (enterprise): $25,000–$150,000
The IAB Ecosystem: Platforms and Actors
Dark Web Forums
The primary marketplace for IAB listings remains dark web cybercriminal forums, principally:
RAMP (Russian Anonymous Marketplace): High-reputation forum requiring referrals for seller accounts. Listings tend toward larger, more premium accesses. Moderator-enforced escrow reduces scam risk.
Exploit.in and XSS.is: Long-running Russian-language forums with dedicated IAB sections. Established sellers maintain reputation scores; newcomers must post small samples to establish credibility.
BreachForums and successors: English-language, with lower quality control but higher volume. More accessible to less sophisticated buyers and sellers.
Telegram Channels
A significant fraction of IAB activity has migrated to Telegram, particularly for lower-value accesses. Advantages: faster transactions and less exposure of the seller's identity than maintaining a forum account. Disadvantages: less reputation infrastructure and a higher scam rate. Some established IABs maintain Telegram storefronts as supplements to their forum presence.
Direct Sales to Ransomware Groups
Established IABs with track records increasingly sell directly to trusted ransomware affiliate programs, bypassing public forums entirely. This private market is less visible but likely represents a significant portion of volume for premium accesses, particularly those in sectors ransomware groups actively target.
IAB Actor Profiles
While individual attribution is difficult and changes frequently, several categories of IAB actors are observable:
Opportunistic vulnerability exploiters: Actors who monitor CVE disclosures and rapidly exploit newly vulnerable internet-facing systems (VPN appliances, managed file transfer (MFT) servers, email gateways) immediately after — sometimes before — patches are released. They collect access at scale and list in batches.
Infostealer harvesters: Actors who operate or purchase data from information-stealing malware (RedLine, Lumma, Raccoon, Vidar) and comb the resulting credential logs for corporate accesses worth further development or direct listing.
Phishing specialists: Groups running high-volume business email compromise (BEC) and credential-harvesting phishing campaigns, occasionally selling the accesses they collect rather than using them directly.
Advanced access developers: Higher-skill actors who start with commodity vulnerability exploitation but invest time in developing the access (gaining higher privileges, establishing persistence, mapping the environment) before selling the fully developed access at a premium price.
Defender Implications
What This Means for Detection
The IAB market means that ransomware actors may be operating in your environment for days, weeks, or months before you detect anything. The initial exploitation is performed by a different actor than the ransomware operator, and the handover may involve knowledge transfer about your environment’s defensive capabilities.
Key monitoring priorities given IAB dynamics:
- Unusual authentication from new or unexpected geographic locations for VPN and remote access
- Off-hours authentication for accounts that normally work business hours
- New legitimate tools (RMM software, system utilities) appearing on servers that don’t typically have them
- Low-and-slow reconnaissance patterns: LDAP queries, network scans, file share enumeration
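The first two monitoring priorities above can be implemented as a baseline-and-deviation check over VPN authentication logs. The script below is an added example, not code from the original article or any vendor product: it builds a per-user baseline (countries seen, hours of successful logon) from events before a cutoff date, then flags later successful logons from a country the user has never authenticated from, off-hours logons for users whose baseline falls entirely within business hours, and logons by accounts with no baseline at all (a newly created or never-before-used account). The log format, the sample lines, the UTC business-hours window and the cutoff date are all constructed assumptions for the example; a real deployment would read from the SIEM and use each user's local timezone.

```python
"""Flag VPN logons from new geographies, outside normal hours, or by accounts with no history."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Assumption: "business hours" are 07:00-18:59 UTC for everyone in the sample.
BUSINESS_HOURS = set(range(7, 19))

# Constructed sample VPN authentication log (not from any real product).
# Fields: timestamp user src_ip geoip_country result
SAMPLE_LOG = """\
2025-03-03T09:12:44Z jdoe 203.0.113.10 US success
2025-03-03T17:40:02Z jdoe 203.0.113.10 US success
2025-03-04T08:55:10Z jdoe 203.0.113.12 US success
2025-03-04T10:03:19Z asmith 198.51.100.7 US success
2025-03-05T09:30:00Z jdoe 203.0.113.10 US success
2025-03-05T23:02:51Z asmith 198.51.100.9 US failure
2025-03-06T09:01:00Z asmith 198.51.100.7 US success
2025-03-07T03:17:33Z jdoe 192.0.2.44 NL success
2025-03-07T11:00:00Z newuser 198.51.100.50 US success
2025-03-07T22:48:09Z asmith 192.0.2.80 RO success
"""

# Baseline is built from events strictly before this date; later events are evaluated.
CUTOFF = datetime(2025, 3, 7)


@dataclass
class Baseline:
    countries: set = field(default_factory=set)   # countries with a successful logon
    hours: set = field(default_factory=set)       # UTC hours with a successful logon


def parse(line):
    """Split one log line into (timestamp, user, src_ip, country, result)."""
    ts, user, ip, country, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, country, result


def build_baseline(lines, cutoff):
    """Per-user profile from successful logons before the cutoff. Failures are ignored."""
    baselines = defaultdict(Baseline)
    for line in lines:
        ts, user, _ip, country, result = parse(line)
        if result != "success" or ts >= cutoff:
            continue
        baselines[user].countries.add(country)
        baselines[user].hours.add(ts.hour)
    return baselines


def detect(lines, cutoff):
    """Return (user, timestamp, src_ip, reason) tuples for anomalous post-cutoff logons."""
    baselines = build_baseline(lines, cutoff)
    findings = []
    for line in lines:
        ts, user, ip, country, result = parse(line)
        if result != "success" or ts < cutoff:
            continue
        profile = baselines.get(user)
        if profile is None:
            # An account that has never logged on before: new hire, or a freshly sold credential.
            findings.append((user, ts.isoformat(), ip, "no_baseline"))
            continue
        if country not in profile.countries:
            findings.append((user, ts.isoformat(), ip, f"new_country:{country}"))
        # Only users whose history is entirely inside business hours get the off-hours rule,
        # so shift workers and on-call admins are not flagged for their normal pattern.
        if profile.hours <= BUSINESS_HOURS and ts.hour not in BUSINESS_HOURS:
            findings.append((user, ts.isoformat(), ip, "off_hours"))
    return findings


def run_example():
    """Run detection over the constructed sample log with the sample cutoff."""
    return detect(SAMPLE_LOG.splitlines(), CUTOFF)


if __name__ == "__main__":
    for finding in run_example():
        print(*finding)
```

Against the sample, both post-cutoff logons from new countries are also off-hours, which is the combination worth paging on; the lone `no_baseline` hit on `newuser` is lower confidence on its own and is the kind of event to correlate with the RMM-tool and reconnaissance indicators in the list above.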
Credential Hygiene
Infostealers targeting browser-saved credentials are a major IAB supply channel. Organizations should:
- Disable browser-native credential storage by policy and deploy a managed password manager, so infostealers that dump browser vaults find nothing corporate
- Implement phishing-resistant MFA (hardware keys or passkeys) for all internet-facing systems
- Monitor dark web exposure of corporate credentials through commercial threat intelligence or free services
Attack Surface Reduction
The VPN and internet-facing application exposure that IABs exploit most heavily is directly reducible:
- Maintain rigorous patch SLAs for internet-facing systems (48 hours for critical CVEs)
- Evaluate zero-trust network access (ZTNA) to reduce the attack surface of VPN concentrators
- Restrict what a compromised VPN account can reach through segmentation and per-user access policies, so a sold credential yields one segment rather than the whole network
Understanding that ransomware begins not with the encryptor but with a sold credential or exploited VPN should reframe defensive investment toward the front of the attack chain.