Report sheds light on use of initial access brokers in ransomware attacks

Initial access brokers have been a crucial component of the ransomware-as-a-service economy, reports ZDNet. A study from KELA revealed that at least five Russian ransomware gangs — namely Avaddon, BlackByte, Conti, DarkSide, and LockBit — have been using IABs. Avaddon was observed to add a United Arab Emirates-based steel product supplier on its domain three weeks after access to the company was posted for sale on a forum, while Conti exposed data belonging to a US manufacturer within two weeks after access was sold on the dark web. Moreover, LockBit ransomware was able to attack Bangkok Airways less than a month after securing AnyConnect VPN access from an IAB dubbed "babam." "Bangkok Airways did not disclose any investigation details, but based on the timeline, it is highly possible that the attack was performed using the bought access," said researchers. The report also showed that babam also traded access to Gyrodata, a mining technology company.