Number of Darknet Access Sale Listings Increased Sevenfold
Experts from Positive Technologies analyzed the development of the access sales market in 2020 and early 2021, discovering that during this period, the number of darknet listings offering access for sale increased by more than seven times. Researchers note that the number of such listings in the darknet grew each quarter throughout the entire period under review. For example, in the first quarter of 2021 alone, 590 new listings were found, which is 83% of the total number of offers in 2020. Compared to the first quarter of 2020, the number of users posting ads to sell or buy access, as well as those seeking partners, tripled in the first quarter of 2021.
“The market for access to corporate networks has been actively forming over the past few years,” says Vadim Solovyov, Senior Analyst at Positive Technologies. “Its maturity could already be judged at the beginning of 2020. One of the factors contributing to this is the increase in attacks using ransomware, since partners or participants in ransomware affiliate programs often use offers from the access market.”
According to experts, on average, access to corporate networks is sold each quarter for a total of about $600,000. At the same time, the share of “expensive” accesses (costing more than $5,000) has halved. Experts believe these changes may be the result of increased participation by novice cybercriminals in the shadow market.
Total Value of Accesses Sold on Hacker Forums
The analysis showed that most often, attackers put up for sale access to companies in the services sector (17%), industry (14%), and science and education institutions (12%). The share of industrial companies and financial organizations—access to which traditionally costs more—has somewhat decreased. Analysts link this to the fact that the access market is being filled by less skilled players who prefer “easier” victims.
“We see that the attacker model is changing: the external attacker who gains initial access to a company’s network and the attacker who develops the attack inside are completely different in terms of skill level,” comments Yana Yurakova, Analyst at Positive Technologies. “Even if the perimeter is breached by a novice, professionals who purchased access on a darknet forum and have all the resources to achieve their goals—carrying out the most dangerous events for the company, from stealing money from the organization’s accounts to completely halting core operations for an extended period—will operate within the organization’s local network.”