Initial access brokers (IABs) are increasingly going after large organizations with billion-dollar revenues, especially US victims and organizations working in the business services sector, according to new research from Cyberint.
The threat intelligence company analyzed its data from the past year-and-a-half to reveal that organizations with over $1bn in revenue made up 27% of all initial access listings for sale last year, rising to 33% in the first half of 2024.
In the first half of 2024, targets had an average revenue of nearly $2bn, the report claimed.
“As a result, the largest organizations became more sought-after targets for access brokers, largely because of the increased income from the higher price they will demand,” it explained.
“Not surprisingly, we see this trend of targeting large scale organizations took place in 2024, with an average revenue of $1,961,335,406.50, which indicates an approximately 1000% increase.”
Much of this money was generated by attacks on US organizations (48%) – the most targeted country – and business services (29%) – the most targeted sector. Finance (21%), retail (19%), technology (17%) and manufacturing (14%) were also popular targets, as were France (19%) and Brazil (9%).
Yet despite the targeting of high-value organizations, the actual price of IAB listings fell in 2024, indicating the increasingly commoditized nature of the market.
In 2023, the average price for a listing was $3066, while the median price was $1500. However, 65% of listings last year were priced under $2000, and 77% were under $3000. In 2024, the average price dropped again to $1295 – around a 60% decrease.
“There are three primary types of IABs driving most ransomware attacks today. In 2023, those offering servers compromised through exposed Remote Desktop Protocol (RDP) were the most common (>60%). However, in 2024, VPN access surged, challenging RDP access for the top spot (45% VPN vs. 41% RDP),” the report explained.
Webshells were the third most common access type in 2023, Cyberint added.