LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Intel Report

Initial Access Brokers: The Supply Chain Enabling Ransomware

An in-depth look at the Initial Access Broker (IAB) ecosystem -- how ransomware groups purchase network access, pricing structures, broker profiles, and what defenders can learn from understanding this market.

By Ransomware Tracker ·
initial access brokersIABdark webaccess marketcredential theftsupply chain
Threat Level
6/10
Sectors Targeted
cross-sector

Introduction

The professionalisation of ransomware operations has created a division of labour that mirrors legitimate business supply chains. Initial Access Brokers (IABs) are the wholesale suppliers of this criminal ecosystem: specialists who compromise enterprise networks and then sell that access — rather than monetising it themselves — to ransomware operators who have the infrastructure, encryptors, and extortion capabilities to convert access into revenue.

Understanding the IAB market is essential for defenders because it reveals where ransomware intrusions actually begin — often weeks or months before the encryptor runs, and through pathways quite different from the high-sophistication custom malware chains that security training tends to emphasise.

What IABs Sell

The commodity IABs sell is authenticated access to enterprise networks, typically in one of several forms.

Remote Desktop Protocol (RDP) Access

RDP accesses typically provide a Windows account credential (or an active, authenticated session) to a machine with RDP exposed to the internet. Listings specify the IP address or hostname, Windows version and domain membership, account privileges (user vs. local administrator vs. domain administrator), anti-virus product present (or claimed absence), and sometimes the company name.

RDP accesses are the most common IAB product by volume and the lowest-priced. A non-privileged RDP access to an SMB company might list for $50–$200.

VPN Credentials

VPN credential listings provide authenticated access to a corporate VPN. These are typically more valuable than raw RDP because VPN access implies access to the internal network rather than a single machine, and corporate VPN access is often a precursor to lateral movement into more sensitive segments. Common platforms in VPN listings: Cisco ASA/AnyConnect, Fortinet FortiGate, Pulse/Ivanti, Citrix NetScaler, Palo Alto GlobalProtect.

Pricing: $500–$10,000+ depending on company size and whether the credentials include MFA bypass or session token theft.

Web Shell Access

Web shell accesses are persistent, attacker-controlled code running on an internet-facing web application or server. The buyer receives connection instructions for the web shell (URL + password), giving them command execution on the host. Web shells are common in environments where a public-facing application has an unpatched RCE vulnerability and the IAB has exploited the CVE but prefers to sell the access rather than develop the intrusion further.

Corporate Account Credentials (Non-Active)

Some IAB listings are for credentials that haven’t yet been tested for active access — email and password combinations for corporate accounts, often obtained through phishing or information-stealing malware. These are at the low end of the value spectrum but represent a significant volume of listings.

Domain Administrator Access

The premium IAB product: confirmed domain administrator credentials or an active session with DA rights. These listings are comparatively rare, command high prices ($5,000–$100,000+ depending on company size), and move quickly because they dramatically compress the attacker’s time-to-ransomware.

Pricing Dynamics

IAB pricing has become increasingly sophisticated. Company revenue is the primary driver — IABs frequently price based on the victim’s estimated annual revenue, assessed from the company name, domain, and LinkedIn data. An access to a $10M company might list at $2,000; the same technical access to a $5B company might list at $50,000.

Healthcare, finance, and critical infrastructure accesses carry sector premiums because ransomware operators pay more for targets that face higher operational pressure to pay. U.S. accesses command the highest prices (highest average ransom payments), Western European accesses follow, with discounts for Asian markets where ransom payment rates are lower. Domain admin access is priced exponentially higher than user-level access.

Most IAB markets offer single-buyer sales — the access is removed from listing once purchased. Some offer non-exclusive sales at a discount, where multiple buyers receive the same access, though this is riskier since other actors may alert the victim.

2025–2026 pricing ranges:

  • Low-privilege RDP (SMB): $50–$500
  • VPN credentials (SMB): $500–$3,000
  • VPN credentials (enterprise): $3,000–$25,000
  • Domain admin (SMB): $5,000–$30,000
  • Domain admin (enterprise): $25,000–$150,000

The IAB Ecosystem: Platforms and Actors

The primary marketplace for IAB listings remains dark web cybercriminal forums. RAMP (Russian Anonymous Marketplace Platform) is a high-reputation forum requiring referrals for seller accounts, with listings tending toward larger, more premium accesses and moderator-enforced escrow reducing scam risk. Exploit.in and XSS.is are long-running Russian-language forums with dedicated IAB sections where established sellers maintain reputation scores.

A significant fraction of IAB activity has migrated to Telegram, particularly for lower-value accesses. Advantages include faster transaction speed and lower counterparty visibility risk than forum registration. The tradeoff is less reputation infrastructure and a higher scam rate. Some established IABs maintain Telegram storefronts as supplements to forum presence.

Established IABs with track records increasingly sell directly to trusted ransomware affiliate programs, bypassing public forums entirely. This private market is less visible but likely represents a significant portion of volume for premium accesses, particularly those in sectors ransomware groups actively target.

IAB Actor Profiles

Opportunistic vulnerability exploiters: Actors who monitor CVE disclosures and rapidly exploit newly vulnerable internet-facing systems (VPNs, MFTs, email gateways) immediately after — sometimes before — patches are released. They collect access at scale and list in batches.

Infostealer harvesters: Actors who operate or purchase data from information-stealing malware (RedLine, Lumma, Raccoon, Vidar) and comb the resulting credential logs for corporate accesses worth further development or direct listing.

Phishing specialists: Groups running high-volume business email compromise (BEC) and credential-harvesting phishing campaigns, occasionally selling the accesses they collect rather than using them directly.

Advanced access developers: Higher-skill actors who start with a commodity vulnerability exploitation but invest time developing access — gaining higher privileges, establishing persistence, mapping the environment — before selling the fully developed access at premium price.

Defender Implications

The IAB market means ransomware actors may be operating in your environment for days, weeks, or months before you detect anything. The initial exploitation is performed by a different actor than the ransomware operator, and the handover may involve knowledge transfer about your environment’s defensive capabilities.

Given this, monitoring priorities shift toward early indicators: unusual authentication from new or unexpected geographic locations for VPN and remote access; off-hours authentication for accounts that normally work business hours; new legitimate tools (RMM software, system utilities) appearing on servers that don’t typically have them; low-and-slow reconnaissance patterns including LDAP queries, network scans, and file share enumeration.

Infostealers targeting browser-saved credentials are a major IAB supply channel. Organisations should enforce password manager policies that store credentials outside browsers, implement phishing-resistant MFA (hardware keys or passkeys) for all internet-facing systems, and monitor dark web exposure of corporate credentials through commercial threat intelligence or free services.

The VPN and internet-facing application exposure that IABs exploit most heavily is directly reducible: maintain rigorous patch SLAs for internet-facing systems (48 hours for critical CVEs), evaluate zero-trust network access (ZTNA) to reduce VPN concentrator attack surface, and implement network access control to limit what a compromised VPN account can reach.

Understanding that ransomware begins not with the encryptor but with a sold credential or exploited VPN should reframe defensive investment toward the front of the attack chain.

// Related Intelligence
Intel Report

How Ransomware TTPs Are Evolving in 2026: BYOVD, Supply Chain Credentials, and ESXi Targeting

Intel Report

8Base and Phobos: Inside Operation PHOBOS AETOR and What Happened After

Group Profile

SafePay Ransomware: The Non-RaaS Group Claiming 400+ Victims with Conti-Derived TTPs