
How the Biggest Ransomware-as-a-Service (RaaS) Operators Gain Initial Access to Your Environment

BY Eldon Sprickerhoff

April 3, 2024 | 5 MINS READ




Did you know that the entity that deploys ransomware in an environment may not actually be the entity that originally breaks in? In recent years, separate threat actors known as Initial Access Brokers have emerged, specializing in obtaining and reselling covert access to their victims. These Initial Access Brokers then sell the access to ransomware-as-a-service (RaaS) threat actor groups and affiliates, who use the access to get into your environment, compromise sensitive data, and deploy ransomware.

Think of it this way – instead of a burglar breaking and entering into a house and rummaging through it to steal the valuables, a RaaS operator obtains access through some method (e.g., a window left ajar, a door left unlocked) and then markets and sells that access on the dark web to someone else to burgle.

Once stealthy access is gained, the threat actor maintains connectivity to the victim and publishes their access to potential purchasers. These purchasers can then choose to perform their nefarious tasks, including potentially ransomware deployment, data theft and extortion, and espionage.

Most Common Initial Access Vectors Used

How do these Initial Access Brokers even gain initial access in the first place? There are several methods, some requiring subterfuge or misdirection, some being direct attacks against the organization, others using upstream service providers or trusted partners. These include:

Out-of-Scope Endpoints / Unknown Access

While many of these initial access vectors can be minimized, or at least better defended against, with proper cybersecurity defense tactics and rigor (including modern and effective endpoint software, hardened infrastructure, monitoring, and response capabilities), we have discovered that in many instances there are significant gaps or “blind spots” in coverage.

For example, a customer may choose not to install endpoint software on all of their servers, resulting in what’s known as ‘out-of-scope’ endpoints. If a server is externally facing and a vulnerability is discovered by an attacker, that “blind spot” provides a convenient vector of entry. From that single instance, it is considerably more difficult to defend the entire organization once the attacker gains a firm foothold within the blind spot.
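One way to look for the blind spots described above is to reconcile an asset inventory against the hosts the endpoint agent actually reports from. The following is an added example, not code from the article or from eSentire; the field names, hostnames, sample records and the 7-day staleness threshold are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample exports (not from the article): an asset inventory and
# an endpoint-agent console listing, with typical naming inconsistencies.
INVENTORY = [
    {"host": "WEB01.corp.example", "external": True},
    {"host": "vpn-gw.corp.example", "external": True},
    {"host": "db02.corp.example", "external": False},
    {"host": "hr-laptop-17", "external": False},
    {"host": "mail01.corp.example", "external": True},
]
AGENTS = [
    {"host": "web01", "last_seen": "2024-04-02T23:10:00"},
    {"host": "HR-LAPTOP-17.corp.example", "last_seen": "2024-04-03T08:00:00"},
    {"host": "mail01", "last_seen": "2024-02-11T04:30:00"},  # agent went quiet
]

def norm(host):
    """Match on the lower-cased short name so FQDN and short forms line up.
    Assumes short names are unique across the estate."""
    return host.strip().lower().split(".")[0]

def find_blind_spots(inventory, agents, now, max_age_days=7):
    """Return inventory hosts with no agent, or whose agent stopped reporting.
    Externally facing hosts sort first, as they are the likelier entry point."""
    cutoff = now - timedelta(days=max_age_days)
    last_seen = {}
    for agent in agents:
        seen = datetime.fromisoformat(agent["last_seen"])
        key = norm(agent["host"])
        last_seen[key] = max(seen, last_seen.get(key, seen))
    gaps = []
    for asset in inventory:
        seen = last_seen.get(norm(asset["host"]))
        if seen is None:
            reason = "no agent"
        elif seen < cutoff:
            reason = "agent stale"
        else:
            continue  # covered and reporting recently
        gaps.append({"host": asset["host"], "external": asset["external"],
                     "reason": reason})
    return sorted(gaps, key=lambda g: (not g["external"], g["host"].lower()))

if __name__ == "__main__":
    for gap in find_blind_spots(INVENTORY, AGENTS, datetime(2024, 4, 3, 12, 0)):
        print(gap)
```

A host whose agent is installed but has stopped checking in is treated the same as a host with no agent, since neither produces telemetry.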

Email-based Attacks (Phishing or Business Email Compromise)

These are among the most classic inbound vectors to gain illicit access. An attacker sends emails out to innumerable email addresses with either malicious attachments, URLs, or more recently QR codes. While only a small fraction of the targets will actually click on the links or open the attachments, this is a relatively low-risk method to gain access.

Due to a combination of improved anti-phishing technology, security awareness training and reporting, the proportion of email-based attacks used to gain initial access has fallen in recent months but has been supplanted by browser-based attacks.

Browser-based Attacks

Browser-based attacks require the end user to initiate the download of malicious materials intended to gain initial access. There are four primary methods threat actors use to socially engineer employees:

Valid Credentials

Some attackers will comb through credential caches from websites that have been previously exploited. In situations where two-factor authentication (2FA) is not used, static usernames and passwords can be obtained and reused.

Along with this, brute-force password login attempts can yield initial access to attackers. Note that the use of strong 2FA can minimize much of the significance of these attacks, but it is not a panacea; attackers have built other attack methods to impersonate legitimate users through 2FA.

External Vulnerabilities

All non-trivial software contains vulnerabilities, and attackers will often probe targets for vulnerabilities in externally facing infrastructure, including weak code or misconfiguration. Websites running unpatched code are a frequent vector, but more concerningly, remote access software (including VPN access) has been susceptible to attacks.

Once a remote attacker gains control of the remote access environment, they are generally able to move throughout the organization freely. The ConnectWise/ScreenConnect incidents in the last month are an example of the seriousness of this attack vector. However, there have been many others in the recent past, including Fortinet VPN and Kaseya vulnerabilities.

Trusted Third-Party Entities

Attacking a trusted third-party entity that has administrative-level access into hundreds or even thousands of client entities is one particularly effective method by which initial access can be gained. The effort required to gain access to one entity that holds “the keys to a thousand kingdoms” is not generally much more than that required for a smaller one, and the payoff can be considerably higher. Trusted third-party service providers must be considered possible vectors of attack, and rigor should be used to evaluate third-party vendors and to monitor and secure access accordingly.

Key Recommendations to Defend Against Initial Access Vectors

The best defense against modern ransomware attacks is to continually defend against the “thin edge of the wedge” – the initial access vector used. These tactics include:

Eldon Sprickerhoff Founder and Advisor

Eldon Sprickerhoff is the original pioneer and inventor of what is now referred to as Managed Detection and Response (MDR). In founding eSentire, he responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over 20 years of tactical experience, Eldon is acknowledged as a subject matter expert in information security analysis. Eldon holds a Bachelor of Mathematics, Computer Science degree from the University of Waterloo.
