Data ‘flea markets’ a treasure trove for ransom gangs, study finds


Illegal data sellers who make ransomware attacks possible are offering crucial data to other cybercriminals for as little as $10, a research company has found.

Cybersixgill found that procurers of data used by ransom gangs to perpetrate their attacks fell broadly into two categories. The more specialized initial access brokers (IABs) who sell data on specific companies are already quite well known; less publicized to date, but no less dangerous, are the wholesale access markets (WAMs), which the analyst describes as the “flea markets” of the cybercriminal underworld.

ADVERTISEMENT

Though their victim data is less reliable, what makes WAMs so enticing for would-be-ransomware actors is their cheapness: whereas an IAB will typically charge hundreds or even thousands of dollars for access to a company’s data, these flea marketeers offer more generic information about endpoint vulnerability – that is to say, cybersecurity flaws in digital equipment used by firms – for as little as $10 a pop.

“The prices are low, the inventory is enormous,” said Cybersixgill, citing some 4.3 million compromised endpoints it saw up for grabs on the dark web in 2021. “The quality is not guaranteed, as listings could belong to a random individual user or an enterprise endpoint. There is also no certainty that access is persistent or that the passwords will be unchanged.”

"The prices are low, the inventory is enormous."

Cybersixgill

However, just as a regular shopper in the real world might browse a conventional flea market in the hope of buying that one “diamond in the rough” for a song, it would appear cybercriminals are doing just the same on WAMs.

“Just like flea markets, it is possible to find a diamond,” said Cybersixgill. “If an actor can buy listings in bulk and just one of them belongs to an enterprise machine, $10 is a minuscule initial investment for an attack that can yield millions.”

Bots for sale

Ransom-hungry crooks certainly seem to have arrived at the same conclusion. Cybersixgill observed 3,612 attacks mentioned on leak sites in 2021 and found that just under one in five victims had had their system access data offered for sale on a WAM up to six months beforehand.

Moreover, in 312 cases, an organization was mentioned in multiple WAMs, meaning either that the same threat actors were selling access across various dark web markets or that multiple cybercriminals had found ways to breach the same organization.

ADVERTISEMENT

“Wholesale markets sell access to compromised endpoints, access over various remote protocols, and to platforms such as web shells, C-panel, and email,” said Cybersixgill.

Compromised endpoints offered for sale on WAMs typically come in two forms: bots, in this case, machines that might be used by a target company that have had backdoors installed in them, allowing threat actors direct access, and logs containing usernames, passwords, cookies, and other exfiltrated data “allowing an attacker to log in to any accounts accessed by the compromised machine.”

Cybersixgill assessed the median cost of these services at just $10 for a log and $14 for a bot after it averaged out 250 randomly selected listings taken from WAMs.

Of course, this means low overheads for an enterprising cybercriminal and is probably the main reason why many might opt to launch their ransomware careers on the back of information obtained from a WAM rather than the more costly IABs.

"It could be that IABs themselves are among the customers of WAMs. Perhaps they purchase logs and bots in bulk, determine if the system belongs to an enterprise, verify access, and sell it for a premium."

Cybersixgill

“In IABs, attackers know they are purchasing access to a specific organization,” said Cybersixgill. “They have information about its revenue, geography, and access vector. And the sellers can be trusted, as they have reputations to protect. But this polished product comes at a premium price.”

However, in an intriguing twist, the analyst found evidence to suggest that IAB operators themselves are hitting up their flea-market competitors in the hope of finding their own diamond at a bargain price – to sell on their own platforms at vastly inflated prices.

“It could be that IABs themselves are among the customers of WAMs,” said Cybersixgill. “Perhaps they purchase logs and bots in bulk, determine if the system belongs to an enterprise, verify access, and then sell it for a premium.”

A decent deal for time-rich crooks

While it acknowledged recent findings by fellow analysts Mandiant and Sophos, which put the average “dwell time” for threat actors at five and 11 days respectively within a breached organization before dropping the ransomware bomb, Cybersixgill stressed that this did not necessarily contradict its own discovery.

ADVERTISEMENT

“While we know when the bots and logs were listed for sale in the underground markets, we do not know when they were purchased,” it said. “It could be that some items linger for a while on these markets. While five days represents the median dwell time for ransomware attacks, it is presumable [sic] that attacks based on initial access from WAMs take much longer.”

It added: “Gaining access to a random compromised endpoint does not offer a quick path to complete network control. Getting there might require a deal of reconnaissance, social engineering, malware installation, and lateral movement.”

Thus, cybercriminals choosing this route to a ransomware attack cannot reasonably expect to get rich quickly. “While the initial access to an endpoint is inexpensive, it requires greater involvement,” said Cybersixgill.

The further within the six-month timeframe preceding a ransomware attack endpoint data was posted for sale, the more likely it was to be used. WAM-obtained data pertaining to an organization’s internal workings rather than a third party – for example, access to a device or account used by a client of the target – was also judged to be more effective.

“We looked at our results in three ways – timeframe, resource accessibility, and resource category,” said Cybersixgill. “We asserted that results with 30-day timeframes and internal access resources were likelier to be the attackers’ point of entry.”

Of the WAM data resources it observed, 212 belonging to 85 ransomware victims fit this description – 2.4% of the whole data set it analyzed. These included Bangkok Airways, US infrastructure company AECOM, and a high school in Massachusetts.

Screenshot of BA data offered for sale on dark web
Screenshot of notice posted by ransomware gang on August 28 claiming to have hacked Bangkok Airways, believed by Cybersixgill to have been facilitated by WAM-obtained data.

Data has many uses

Though it admits that its data findings are somewhat “messy,” Cybersixgill nevertheless insists that WAMs are a major contributor to ransomware attacks.

Furthermore, it believes that wholesale forums’ cybercriminal clientele is not limited to ransom gangs. “Ransomware is far from the only way to abuse access purchased in WAMs,” it said. “While major ransomware attacks take many steps and a level of sophistication that only several dozen groups in the world can pull off, there are plenty of more viable options.”

ADVERTISEMENT

It said these could include data exfiltration, social engineering, or “even simply sabotaging the system.”

“Many of these are relatively easier to execute and certainly within reach of the run-of-the-mill cybercriminal,” it added. “Therefore, we must presume that fewer-step and less sophisticated attacks account for the overwhelming number of attacks that began in wholesale access markets.”