The U.S. remained the top target for Initial Access Brokers (IABs), with 31% of all access listings aimed at American entities. But in 2024, Brazil (7%) and France (5%) have emerged as fast-rising targets. Analysts believe this shift could be due to expanding digital infrastructure and relatively weaker cybersecurity defenses in these countries.
This was revealed in a new report compiled by Cyberint, a Check Point company.
Initial Access Brokers (IABs) are threat actors who specialize in breaking into networks, systems, or organizations and then selling that access to other malicious actors on underground forums. Rather than carrying out full-scale cyberattacks themselves, IABs focus solely on gaining entry—and then monetizing it.
The Supply Chain Behind Ransomware
The report, which draws on over two years of dark web research across top cybercrime forums like Ramp, Breach, XSS, and Exploit, reveals how IABs are becoming more strategic, more selective, and ultimately more dangerous.
Across the top 10 most-targeted nations, IAB listings surged by 90% in 2024, suggesting that attackers are no longer casting a wide net—they’re honing in on countries with economic potential or high-value data.
SMBs in the Crosshairs
The report also reveals that threat actors are increasingly targeting smaller entities. In 2024, companies with annual revenues between $5 million and $50 million made up 60.5% of all initial access listings. These businesses are seen as easier targets, possibly due to weaker security setups.
As a result, the average revenue of compromised companies dropped from $1.38 billion in 2023 to $1.28 billion in 2024.
Shifting Tactics: From RDP to VPN
IABs are also changing the way they gain access. In 2023, more than 60% of brokers were selling access via exposed Remote Desktop Protocol (RDP) servers. But last year, VPN access surged to 33%, a reflection of how attackers are adapting to remote work environments.
Listings for corporate access typically range from $500 to $3,000, though some high-value listings can exceed $10,000.
“The Venture Capitalists of Ransomware”
“Initial Access Brokers are the venture capitalists of ransomware. They invest effort in breaches and profit by selling access, empowering the entire cybercrime supply chain,” said Adi Bleih, Security Researcher at Check Point External Risk Management.
“Organizations must shift from reactive to proactive security: patch aggressively, segment networks, and monitor deep and dark web chatter to disrupt access before it’s sold,” Bleih added.
Enabling Ransomware
Initial Access Brokers don’t launch ransomware attacks—they enable them. By auctioning off access to compromised systems, they make it easy for ransomware gangs, nation-state actors, and other cybercriminals to “log in and launch.” It’s low-risk, scalable, and highly profitable.
This business model fuels everything from ransomware-as-a-service (RaaS) to corporate espionage, making IABs a critical part of the global threat ecosystem.
How to Defend Against IABs
Cybering recommends a multi-layered defense strategy, including both technical and business measures:
- Use multi-factor authentication (MFA) on all remote access points.
- Limit and monitor services like RDP and VPN.
- Upgrade endpoint protection—don’t rely on default tools like Windows Defender alone.
- Regularly audit user permissions and credentials.
- Monitor underground forums using threat intelligence tools for early warning signs.
The takeaway is clear: organizations must act before their access is sold on the dark web. Being proactive isn’t just smart—it’s necessary.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.