Organizations at growing risk from initial access brokers – a fast growing class of cybercriminal who breach firms and then charge others to do the ‘dirty work’

Thriving on disruption to business process and remote working caused by pandemic as listings for RDP and VPNs increase with an average price of $7,100


London and San Francisco, February 23, 2021 – Digital Shadows, the leader in digital risk protection, has today highlighted the growing role of Initial Access Brokers within the criminal ecosystem. Rather than infiltrating an organization deeply, this type of threat actor operates as a ‘middleman’ by breaching as many companies as possible and goes on to sell access to the highest bidder – often to ransomware groups. Their method of operating is flourishing during the pandemic as employees increasingly log in to systems remotely. Cybercriminals are exploiting this by scanning at scale for vulnerabilities which allow remote access such as in virtual private networks (VPNs) and selling this on.

Digital Shadows has been studying this class of criminal since 2016, however in the last year it has detected a notable increase in their activity and listings. Many criminal marketplaces have reorganized to bring such advertisements into dedicated sections and currently number some 500 in a snapshot that Digital Shadows has taken of the most popular forums. Many sellers have good feedback from other criminals, indicating their claims are genuine.

The average selling price for access is $7,100 with the price based on the organization’s revenue, type of access sold, number of employees, and number of devices accessible. RDP (remote desktop protocol), access enables an attacker to take over a victim’s computer and is the most common type listed, at 17% of the total. It also commands the highest average price of $9,800. RDP is a particular concern in the battle against ransomware, with an FBI spokesperson 1 stating that, ‘RDP is still 70-80% of the initial foothold that ransomware actors use.’ It is also believed to have been a factor in a recent breach at a Florida water treatment facility where attackers sought to remotely control the chemical levels in the supply.

Domain administrator access is also prized and consists of 16% of the listings with an average price of $8,187. Listings for VPN access have flourished off the back of increased remote working trends and will grant access to an organizations company network for an average price of $2,871. This constitutes 15% of the total with Citrix access (7%), control panel (6%), content management systems (5%), and shell access (5%) also exploits advertised.

Rick Holland, CISO at Digital Shadows, comments: “The dramatic increase in remote working coupled with ransomware’s commercial success has been a perfect storm of opportunity for initial access brokers. These actors are cashing in because of the flourishing demand and their specialization. They concentrate on one aspect of the cybercriminal ecosystem, gaining access to your network, and they do it very well. They then pass the baton on to other criminals and move on to their next target. Due to their ability to successfully compromise organizations of all sizes, initial access brokers’ prominence has increased within the cybercriminal underground.”

It is the view of Digital Shadows that there is an opportunity for defenders to thwart potential attacks, particularly by identifying an IAB listing that is clearly impacting their organization. Digital Shadows has proposed mitigation strategies against each of the most exploited vulnerabilities, namely RDP, VPN and WebShell available at this link.


Digital Shadows minimizes digital risk by identifying unwanted exposure and protecting against external threats. Organizations can suffer regulatory fines, loss of intellectual property, and reputational damage when digital risk is left unmanaged. Digital Shadows SearchLight™ helps you minimize these risks by detecting data loss, securing your online brand, and reducing your attack surface. To learn more, visit