TL;DR: Initial Access Brokers are specialized criminals who breach organizations, establish persistent access, and sell that foothold to ransomware groups and other threat actors. Your organization may already be listed for sale on a darknet forum without any visible indication of compromise. Reducing IAB exposure starts with eliminating the external attack surface they exploit most.
The IAB Business Model: Specialization in the Ransomware Supply Chain
The ransomware ecosystem has professionalized. Where early ransomware operators handled every phase of an attack — initial compromise, lateral movement, data theft, encryption, and extortion — modern operations are structured more like business verticals with defined specializations. Initial Access Brokers occupy one of the most economically critical positions in this supply chain.
An IAB's core competency is getting into corporate environments. They invest in expertise around exploiting exposed RDP endpoints, unpatched VPN and remote-access appliances (Fortinet, Pulse Secure, Citrix, SonicWall, and Ivanti products have all been heavily targeted), phishing-based credential harvesting, and credential stuffing with passwords from breach datasets. Once inside, they establish persistence, typically a webshell on an internet-facing server, a scheduled task that launches a C2 implant, or simply a set of valid credentials they retain, and then move on to the next target. Exploiting the access they have established is someone else's problem, and someone else's purchase.
This separation of concerns is what makes IABs so dangerous from a corporate risk perspective. The threat actor who ultimately deploys ransomware in your environment may have had access for weeks or months before the attack. For most of that period the only trace of compromise is the original broker's quiet persistence mechanism, which looks nothing like an active intrusion and is easy to miss.
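The scheduled-task flavour of that persistence is cheap to hunt for if you export task definitions and look at where the executable lives, how the command line is shaped and how often it fires. The following is an added example written for this article, not code from the original page or from any vendor; it assumes tasks were exported as XML with `schtasks /query /tn <name> /xml` or PowerShell `Export-ScheduledTask`, and the three task documents, the indicator regexes and the 15-minute beacon threshold are constructed for the example.

```python
"""Hunt exported Windows scheduled tasks for IAB-style low-profile persistence.

Added example, not code from the original article. It assumes task definitions
were exported as XML (schtasks /query /tn <name> /xml, or Export-ScheduledTask);
the XML documents in SAMPLES are constructed for this example, not from a real host.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations an unprivileged user can write to; legitimate installers rarely
# register a scheduled executable there.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)

# Command-line fragments typical of download-and-execute loaders (assumed indicator list).
LOADER_FLAGS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|\bIEX\b|DownloadString|"
    r"FromBase64String|\bmshta\b|regsvr32\b.*/i:http)", re.IGNORECASE)

BEACON_MINUTES = 15  # repetition at or below this looks like a check-in, not maintenance


def interval_minutes(iso_duration: str) -> Optional[int]:
    """Convert a Task Scheduler duration (PT5M, PT1H30M, P1D) to whole minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso_duration.strip())
    if not m or not any(m.groups()):
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + (1 if secs else 0)


def task_findings(xml_text: str) -> list[str]:
    """Return the reasons a task looks like attacker persistence; an empty list means clean."""
    root = ET.fromstring(xml_text)
    reasons: list[str] = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (action.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (action.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        if USER_WRITABLE.search(cmd):
            reasons.append(f"executable in user-writable path: {cmd}")
        if LOADER_FLAGS.search(f"{cmd} {args}"):
            reasons.append(f"loader-style command line: {cmd} {args[:40]}")
    for interval in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        minutes = interval_minutes(interval.text or "")
        if minutes is not None and minutes <= BEACON_MINUTES:
            reasons.append(f"beacon-like repetition every {minutes} min")
    hidden = root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=NS) or "false"
    if hidden.strip().lower() == "true":
        reasons.append("task hidden from the Task Scheduler UI")
    return reasons


def triage(tasks: dict[str, str]) -> dict[str, list[str]]:
    """Map task name -> findings, keeping only tasks that raised at least one."""
    return {name: f for name, f in ((n, task_findings(x)) for n, x in tasks.items()) if f}


# Constructed task exports for the example (not from a real host).
SAMPLES = {
    # Vendor-style updater: Program Files, daily, visible.
    "VendorUpdate": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary>
    <Repetition><Interval>P1D</Interval></Repetition></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/silent</Arguments></Exec></Actions>
</Task>""",
    # Implant disguised as a sync client: user-writable path, hidden, 5-minute check-in.
    "OneDriveSync": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Repetition><Interval>PT5M</Interval></Repetition></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>C:\Users\Public\Libraries\OneDriveSync.exe</Command></Exec></Actions>
</Task>""",
    # Fileless loader: nothing on disk, just an encoded PowerShell command line at boot.
    "SystemHealth": r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger/></Triggers>
  <Actions><Exec><Command>powershell.exe</Command><Arguments>-w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Arguments></Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLES).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run across a fleet, the interesting output is not the tasks that trip the loader regex (those are loud) but the ones that trip only the path or repetition check: a signed-looking binary in a user-writable directory that fires every few minutes is exactly the low-profile foothold a broker leaves behind while the listing waits for a buyer.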
What Gets Listed for Sale — and What It Costs
IAB listings on darknet forums and private Telegram channels are remarkably detailed. A typical listing includes the target company's name or industry, employee count, annual revenue (sourced from public databases), the type of access available, and in many cases the specific systems or network segments accessible. Buyers can evaluate the strategic value of a target before committing to a purchase price.
| Access Type | Typical Price Range | Target Profile | Ransomware Attractiveness |
|---|---|---|---|
| VPN Credential Set (standard user) | $500 – $2,000 | Mid-market, no MFA enforced | Moderate — requires further privilege escalation |
| RDP Access (local admin) | $1,000 – $5,000 | SMB to mid-market, exposed port 3389 | High — can pivot to adjacent systems |
| Webshell on Internet-Facing Server | $2,000 – $8,000 | Any sector, unpatched web application | High — persistent, survives credential rotation |
| Citrix / VMware Horizon Session | $3,000 – $15,000 | Enterprise, healthcare, financial services | Very high — broad internal network access |
| Domain Admin / Enterprise Admin | $10,000 – $50,000+ | Large enterprise, high revenue targets | Critical — encryption and domain-wide exfiltration ready |
| Cloud Console Access (AWS/Azure root or admin) | $5,000 – $30,000 | Tech companies, SaaS, data-rich organizations | Very high — data exfiltration and infrastructure destruction |
The price ceiling is driven by the buyer's expectation of ransomware revenue. If a ransomware group anticipates a multi-million dollar extortion payment from a healthcare network, paying $40,000 for a domain admin foothold is a rational investment. This market dynamic means that larger, higher-revenue organizations face disproportionate IAB targeting.
The IAB-to-Ransomware Pipeline in Practice
The operational connection between IABs and ransomware groups is well-documented. Threat intelligence reporting on major ransomware operations has consistently identified initial access purchasing as a standard operating procedure. Cl0p's mass-exploitation campaigns against GoAnywhere MFT and MOVEit Transfer showed the other face of the same specialization: one group industrializing a single initial-access technique across hundreds of victims. LockBit affiliates and ALPHV (BlackCat) operators regularly purchased accesses from IAB forums to supplement their own compromise operations.
The pipeline typically operates as follows: an IAB identifies and exploits a vulnerability in an internet-facing system — often within hours of a CVE becoming public knowledge, before enterprise patch cycles can respond. They establish persistence, verify the access is stable, and list it on a forum or broker it privately to known buyers. A ransomware affiliate purchases the access, conducts internal reconnaissance over days or weeks, escalates privileges, exfiltrates sensitive data for leverage, and then deploys ransomware for the actual extortion event.
From the victim organization's perspective, the first visible indicator of compromise is often the ransomware itself — by which point weeks of undetected access have already occurred.
Assessing Your IAB Exposure
The question is not whether IABs are targeting your industry — they are. The relevant question is whether your external attack surface presents the specific vulnerabilities that IABs exploit most efficiently.
IABs are rational economic actors. They exploit targets that offer the best return on investment relative to the effort required. An organization with exposed, unpatched VPN appliances, RDP accessible from the internet without MFA, and credentials present in breach datasets is an extremely attractive target. An organization with certificate-based VPN authentication, no internet-exposed administrative interfaces, and continuous external attack surface monitoring is a significantly harder and less profitable target — one that IABs will typically pass over in favor of easier opportunities.
A continuous attack surface management program identifies the specific exposures that IABs exploit: internet-facing services, their software versions, known CVEs, and the timing of when new exposures appear. This is precisely the visibility that IABs have about your organization — and that your security team often lacks.
Defensive Priorities That Directly Reduce IAB Risk
The defensive controls that most effectively reduce IAB exposure map directly to the techniques IABs rely on for initial compromise.
- MFA on all remote access without exception: VPN credential sets are only valuable if they can be used without a second factor, so enforced MFA strips most of the resale value from a stolen username and password. One caveat a practitioner should keep in mind: push-based and one-time-code MFA can still be defeated by prompt fatigue and by real-time phishing proxies that relay the code, so prefer phishing-resistant methods (FIDO2/WebAuthn, certificates) for administrators and VPN users wherever you can. This single control removes the largest category of IAB-sold access.
- Certificate-based VPN authentication: Moves authentication away from credential sets entirely, eliminating the credential stuffing and phishing attack vectors that IABs rely on for most VPN compromises.
- 24-48 hour critical CVE patching for externally exposed services: IABs monitor CVE disclosures and begin exploitation within hours of a public proof of concept. A 30-day patch cycle for externally exposed services is effectively an invitation; emergency patching procedures for internet-facing systems are non-negotiable at any organizational maturity level. Patching closes the door but does not evict anyone already inside: a webshell planted before the patch survives it, so treat a late patch of an actively exploited appliance as a compromise-assessment trigger, not just a change ticket.
- Elimination of internet-exposed RDP: port 3389 should not be accessible from the internet, and moving RDP to a non-standard port does not help, because scanners fingerprint the service rather than the port number. Remote management should occur through a VPN or zero-trust access gateway with MFA, not direct RDP exposure.
- Credential compromise monitoring: Services that continuously monitor darknet breach datasets and credential marketplaces can alert your security team when corporate credentials appear in breach data — before an IAB converts them into a listed access sale.
- Continuous external attack surface visibility: Shadow IT, forgotten test environments, and newly deployed cloud infrastructure regularly create exposure that your security team doesn't know about but IABs will find through automated scanning.
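The attack-surface visibility described above, and the priorities in this list, come down to a handful of questions you can ask of every scan: is this service new since last time, is it an administrative interface, is the fingerprinted product below the first fixed version and how far past the 48-hour window are we, and is it a remote-access service whose MFA posture needs a human to confirm. The block below is an added example written for this article, not tooling from the page or from Lorikeet Security. It assumes a scanner or asset inventory has already been reduced to simple host/port/service records; the hosts, products, versions, advisory feed and dates are all constructed, and the product names are placeholders rather than real vendors or CVEs.

```python
"""Triage an external scan against the exposures IABs exploit first.

Added example, not tooling from the article or from Lorikeet Security. It assumes
a scanner or asset inventory has already been reduced to Exposure records; the
hosts, products, versions, advisory feed and dates below are all constructed for
this example (the product names are placeholders, not real vendors or CVEs).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Management services that should never face the internet.
ADMIN_PORTS = {23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc", 5985: "winrm", 5986: "winrm-tls"}
# Remote-access services whose credentials IABs resell; a scan cannot see MFA, so these get a review item.
REMOTE_ACCESS = {"ssl-vpn", "citrix-gateway", "horizon"}
PATCH_SLA = timedelta(hours=48)
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

# Constructed advisory feed: product -> (first fixed version, public disclosure date).
# Placeholder data; in practice feed this from your vendor advisories or a KEV-style list.
ADVISORIES = {
    "ExampleVPN": ((7, 2, 5), date(2024, 6, 3)),
    "ExampleGateway": ((13, 1, 0), date(2024, 5, 20)),
}


@dataclass(frozen=True)
class Exposure:
    host: str
    port: int
    service: str
    product: str = ""
    version: str = ""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    severity: str
    reason: str


def parse_version(v: str) -> tuple[int, ...]:
    """'7.2.4' -> (7, 2, 4); trailing letters such as '7.2.4b' are dropped."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if digits:
            parts.append(int(digits))
    return tuple(parts)


def triage(current: list[Exposure], baseline: set[tuple[str, int]], today: date) -> list[Finding]:
    """Return findings for one scan, sorted by severity, compared against the previous scan's baseline."""
    findings: list[Finding] = []
    for e in current:
        if (e.host, e.port) not in baseline:
            findings.append(Finding(e.host, e.port, "high",
                                    f"new exposure since last scan: {e.service} on {e.port}"))
        if e.port in ADMIN_PORTS or e.service == "rdp":
            # Match on the fingerprinted service too, so RDP moved to 33890 is still caught.
            findings.append(Finding(e.host, e.port, "critical",
                                    f"administrative service {ADMIN_PORTS.get(e.port, e.service)} reachable from the internet"))
        adv = ADVISORIES.get(e.product)
        if adv and e.version and parse_version(e.version) < adv[0]:
            fixed, disclosed = adv
            overdue = today - (disclosed + PATCH_SLA)
            if overdue > timedelta(0):
                sev, note = "critical", f"{PATCH_SLA.days * 24}h patch SLA exceeded by {overdue.days} days"
            else:
                sev, note = "high", "inside patch SLA, schedule now"
            findings.append(Finding(e.host, e.port, sev,
                                    f"{e.product} {e.version} below fixed {'.'.join(map(str, fixed))}; {note}"))
        if e.service in REMOTE_ACCESS:
            findings.append(Finding(e.host, e.port, "medium",
                                    f"{e.service}: confirm MFA or certificate authentication is enforced"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.host, f.port))


# Constructed scan of a fictional perimeter (RFC 5737 documentation addresses).
SCAN = [
    Exposure("vpn.example.com", 443, "ssl-vpn", "ExampleVPN", "7.2.4"),
    Exposure("gw.example.com", 443, "citrix-gateway", "ExampleGateway", "13.1.0"),
    Exposure("www.example.com", 443, "https", "nginx", "1.24.0"),
    Exposure("203.0.113.7", 3389, "rdp"),
    Exposure("203.0.113.9", 5985, "winrm"),
]
# What last week's scan saw: the two Windows hosts are new (forgotten test VMs, say).
BASELINE = {("vpn.example.com", 443), ("gw.example.com", 443), ("www.example.com", 443)}

if __name__ == "__main__":
    for f in triage(SCAN, BASELINE, date(2024, 6, 10)):
        print(f"{f.severity:8} {f.host}:{f.port}  {f.reason}")
```

The baseline diff is the part most teams skip and the part that catches shadow IT: an exposure that was not there last week is worth a ticket even when the service itself looks harmless, because it was almost certainly not reviewed before it went live. Version comparison against a fixed-version feed is deliberately simple here; a real program should also handle vendor build strings that do not sort numerically.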
Key insight: IABs are opportunistic at scale but rational in target selection. They do not bypass MFA by hand for every target — they scan for organizations where MFA is absent or inconsistently enforced. Closing the most commonly exploited entry points is not just a defensive measure; it redirects IAB attention toward softer targets in your industry.
Lorikeet Security's attack surface management capability provides continuous visibility into exactly what IABs see when they scan your external perimeter — and flags the specific exposures that carry the highest IAB risk. If you want to understand your current IAB exposure before a broker lists your network for sale, an external attack surface assessment is the appropriate starting point. Contact us to discuss your organization's specific external exposure profile.
Understand What IABs See When They Look at Your Organization
Lorikeet Security's external attack surface assessments map your internet-facing exposure from an attacker's perspective — identifying the specific services, credentials, and vulnerabilities that Initial Access Brokers target most.