- From June 2024 to May 2025, we observed at least 70 possible correlations between initial access broker (IAB) offers and victims claimed by ransomware or extortion groups.
- The average time between IAB offers and ransomware victims appearing on data leak blogs was about 19 days.
- The top five ransomware groups that appeared to cooperate with access vendors the most during the reporting period in descending order were Play, RansomHub, Everest, Medusa and Sarcoma.
Gaining illicit access to an organization’s network has developed into its own niche cybercrime industry. Those who specialize in this trade are known as IABs, and they occupy a crucial role within the financially motivated cybercrime landscape. They compromise and subsequently sell unauthorized access to corporate networks or resources. The type of access offered can be in various forms, from stolen login credentials to knowledge of a vulnerability or a system misconfiguration. IABs effectively serve as facilitators for a diverse array of downstream threat actors — notably ransomware-as-a-service (RaaS) and data extortion operators — allowing them to skip the laborious step of identifying potential victims and hacking a system and instead move on to the next phase: lateral movement, escalating privileges and exfiltrating data. IAB offers primarily are disseminated through clandestine forums and underground marketplaces, which creates a comfortable scenario that limits their association with breaches and makes it hard to identify potential buyers.
It’s not possible to confirm with absolute certainty that a particular underground offer of access was the means of a particular data breach or ransomware attack. However, we do know that ransomware groups source access from brokers. One example involves the Black Basta ransomware group. In February 2025, a leaker going by the nickname ExploitWhispers published more than 197,000 chat messages belonging to Black Basta, which was one of the most damaging ransomware groups of all time. The chat messages provide detailed insight into the day-to-day workings of this cybercrime group and the tactics, techniques and procedures (TTPs) it used. They also reveal the various duties and responsibilities of its members. Group members who went by the handles usernameugway and usernamehunter, among others, were responsible for sourcing access, including from access brokers. We identified that Black Basta posted a bid for an unauthorized access offer advertised on the Exploit forum Oct. 25, 2023, by the actor nixploiter, which concerned an undisclosed U.S.-based entity.
Additional evidence of the sourcing of access from brokers can be found further back. The leader of Black Basta, the threat actor tramp aka usernamegg, GG, Oleg Nefedov, was a central figure in the Conti RaaS group, which was active from about late 2019 until about May 2022. In November 2021, tramp sought initial access to companies based in Australia, Canada, Germany, the U.K. or the U.S. with the intent of deploying Conti ransomware. The actor expressed interest in two business models — purchasing compromised access credentials from network access brokers or partnering with network access providers using a profit-sharing plan (read more about tramp in our blog post “Black Basta exposed: A look at a cybercrime data leak (https://www.intel471.com/blog/black-basta-exposed-a-look-at-a-cybercrime-data-leak)”).
Two examples of initial access offers affecting entities the Black Basta ransomware group later attacked.
This blog post examines possible correlations between access broker offers and ransomware or data extortion victims between June 2024 and May 2025. The data reveals possible associations between high-profile access vendors and ransomware gangs, the average time span between an initial access offer and a ransomware claim and other analytical insights.
The methodology for this report leveraged information gathered from reliable sources operating in the underground to identify victims in access offers based on their official websites and business names, which then was cross-referenced with the publicly disclosed victims on ransomware operator blogs. The time between an access offer and the victim’s disclosure on a blog ranged from zero to 100 days — a time frame we consider plausible for most situations based on our observations of activity in the underground. While the underground sources obtained insights from buyers in some cases, the correlation may be circumstantial due to a lack of additional evidence to confirm that a claimed access indeed was used during an intrusion.
From June 2024 to May 2025, we observed and reported 4,878 claims of IABs offering to sell compromised credentials and/or alleged unauthorized access to networks or systems. We identified at least 70 possible correlations between these offers and victims claimed by ransomware or extortion groups. The correlations were associated with 42 access vendors and 32 ransomware and data extortion groups. The smallest breach window between an IAB offer and a ransomware group's victim claim was two days. We also observed one case where a ransomware group claimed a victim on the same day an access broker offered it. Additionally, we observed 12 victims that ransomware groups claimed to have compromised before IABs advertised access to them in the underground. The average breach window between offering compromised access and adding a victim entity to a data leak blog was about 19 days.
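As an added illustration of the cross-referencing described above (example code written for this post, not Intel471's own tooling), the script below matches IAB offers to leak-site claims by normalized victim domain and computes the breach window, keeping only pairs within an assumed plausibility window of 100 days and counting same-day and claim-before-offer cases separately:

```python
from datetime import date
from statistics import mean

def normalize_domain(value):
    """Reduce an advertised URL or hostname to a bare host for matching."""
    host = value.strip().lower().split("://")[-1].split("/")[0]
    return host[4:] if host.startswith("www.") else host

def correlate(offers, claims, max_window=100):
    """offers/claims: (actor, date, victim) tuples. Returns (offer, claim, window_days)
    where window = claim date - offer date; negative means the claim came first."""
    by_domain = {}
    for offer in offers:
        by_domain.setdefault(normalize_domain(offer[2]), []).append(offer)
    matches = []
    for claim in claims:
        candidates = []
        for offer in by_domain.get(normalize_domain(claim[2]), []):
            delta = (claim[1] - offer[1]).days
            if -max_window <= delta <= max_window:
                candidates.append((offer, claim, delta))
        if candidates:  # prefer an offer preceding the claim, then the closest one
            matches.append(min(candidates, key=lambda m: (m[2] < 0, abs(m[2]))))
    return matches

def summarize(matches):
    windows = [w for _, _, w in matches]
    preceding = [w for w in windows if w >= 0]
    return {
        "correlations": len(matches),
        "same_day": windows.count(0),
        "claim_preceded_offer": sum(w < 0 for w in windows),
        "avg_window_days": round(mean(preceding), 1) if preceding else None,
    }

# Constructed sample data: fictitious victims and dates, not real posts.
OFFERS = [
    ("sandocan", date(2024, 7, 1), "https://www.example-manufacturing.test/RDWeb"),
    ("Pirat-Networks", date(2024, 8, 10), "acme-realty.test"),
    ("WilliamNellison", date(2024, 9, 5), "northwind-logistics.test"),
    ("sandocan", date(2024, 11, 20), "contoso-health.test"),
    ("ProfessorKliq", date(2024, 3, 1), "stale-offer.test"),
]
CLAIMS = [
    ("RansomHub", date(2024, 7, 31), "example-manufacturing.test"),  # 30 days
    ("Play", date(2024, 8, 10), "www.acme-realty.test"),  # same day
    ("Play", date(2024, 9, 17), "northwind-logistics.test"),  # 12 days
    ("Medusa", date(2024, 11, 15), "contoso-health.test"),  # claim 5 days before offer
    ("Everest", date(2024, 9, 1), "stale-offer.test"),  # 184 days: outside window
]
```

Running `summarize(correlate(OFFERS, CLAIMS))` on the sample yields four correlations, one same-day case, one claim-before-offer case and an average window of 14 days over the offers that preceded their claims.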
The number of correlations between IABs and ransomware and data extortion groups per month from June 2024 to May 2025.
From June 2024 to May 2025, the top five IABs whose offers most correlated with ransomware groups were sandocan, Pirat-Networks, ProfessorKliq, SantaAd and WilliamNellison. We observed at least 24 instances of cooperation between these access vendors and ransomware groups, comprising about 34% of all collaborations during the reporting period. Among these threat actors, sandocan showed the most diverse connections to ransomware groups, with RansomHub being the most common. The actor Pirat-Networks was the second most active access vendor and had the longest average breach window among the active IABs. Furthermore, WilliamNellison exhibited a strong link to the Play ransomware group: three victims were advertised on Play's data leak site following unauthorized access the actor offered on underground forums, with an average breach window of 12 days.
The duration from an initial access offer to the victim appearing on a data leak blog from June 2024 to May 2025.
From June 2024 to May 2025, sandocan claimed to compromise 616 entities. The actor’s primary modus operandi involved the illicit acquisition and provision of unauthorized access credentials to Microsoft Remote Desktop Web (RDWeb (https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remote-desktop-web-client-admin)), which lets users access Microsoft’s remote access tool through a web browser.
We identified at least eight instances where sandocan's advertised access offers directly preceded and corresponded with claims of ransomware or extortion incidents attributed to a variety of prominent ransomware groups. These groups included Cactus, Inc., Kairos, Lynx, Medusa, RansomHub and Sarcoma, which demonstrates the broad spectrum of ransomware families leveraging sandocan's initial access. The average window between sandocan's access advertisement and a ransomware group listing the organization as a victim was 30 days. This relatively short time frame highlights how quickly ransomware actors exploit initial access, emphasizing the critical need for rapid detection and response upon compromise.
From June 2024 to May 2025, Pirat-Networks allegedly impacted 119 entities. The actor’s primary modus operandi involved the illicit offering of unauthorized access credentials, with a particular focus on Microsoft RDWeb technologies. We identified at least seven instances where Pirat-Networks’ advertised access offers directly preceded and corresponded with claims of ransomware or extortion incidents. The ransomware variants leveraged by threat actors who used Pirat-Networks’ access offers were diverse, indicating a wide range of partnerships or clientele. These variants included Embargo, Everest, Play, Qilin, Sarcoma and RALord. This portfolio underscores the versatility and reach of Pirat-Networks’ operations within the cybercrime ecosystem. The average breach window was 41 days, which highlights relatively swift operationalization of the access.
From June 2024 to May 2025, ProfessorKliq allegedly impacted 175 entities. The actor’s primary modus operandi involved the illicit offering of unauthorized access credentials, with a particular focus on Microsoft RDWeb technologies. We identified at least three instances where ProfessorKliq’s advertised access offers directly preceded and corresponded with claims of ransomware or extortion incidents. The specific ransomware variants identified were Interlock, Play and Rhysida. On average, there was a 27-day period between ProfessorKliq's initial access offer on underground forums and when a ransomware or extortion group posted the corresponding organization as an alleged breached entity. This time frame demonstrates the immediate threat posed to compromised organizations.
Between June 2024 and May 2025, we observed at least 34 distinct ransomware groups that appeared to be collaborating with IABs. The Play ransomware group demonstrated the highest level of activity, followed by RansomHub, Everest, Medusa and Sarcoma in descending order. These groups possibly collaborated with IABs 36 times, comprising 50% of all collaborations during the reporting period. The average breach window between an access offer and a ransomware group's claim ranged from two to 21 days across these five groups.
The number of correlations between the top five ransomware groups and IABs from June 2024 to May 2025.
The Play ransomware group emerged in June 2022 and rapidly became a significant threat, claiming more than 800 compromised entities globally across diverse industries. A detailed analysis of its activity from June 2024 to May 2025 reveals a focused targeting strategy, with 354 alleged compromises predominantly affecting the manufacturing, real estate, and consumer and industrial products sectors. During the reporting period, Play ransomware operations were closely linked to 15 compromised access offers facilitated by IABs. Further examination of these correlations identified 13 distinct access vendors involved, with WilliamNellison emerging as the most frequent. Observed cooperation with a variety of other access vendors indicates a deliberate strategy by Play to diversify its initial access vectors. This suggests a tactical approach to exploit multiple entry points, enhancing resilience and reach. Additionally, the U.S. comprised the majority of Play ransomware attacks, with 11 victims in the analyzed time frame, followed by Canada with two victims and Germany and Luxembourg with one victim each. This distribution highlights a primary focus on North American targets, with a secondary yet notable presence in key European economies.
The RansomHub ransomware group first appeared in early February 2024 and maintained an active presence until early April 2025 when it dissolved. At that time, the actor dragonforce of the DragonLeaks RaaS affiliate program claimed in a post on the RAMP cybercrime forum that the RansomHub RaaS "decided to move to" DragonForce's infrastructure, apparently hinting at a takeover.
During its run, RansomHub established a significant footprint and claimed to compromise more than 600 entities globally across a diverse array of industries. From June 2024 to April 2025, the group allegedly compromised 567 entities, with a notable prevalence in the consumer and industrial products, real estate and manufacturing sectors. This suggests a strategic targeting approach, possibly aiming for industries with high potential for financial gain or vulnerable supply chains. The group was associated with nine compromised access offers facilitated by IABs. Correlations were identified with seven distinct access vendors, of which sandocan and SantaAd emerged as the most frequent — each appearing twice.
This recurring association suggests a degree of trust or established working relationships between RansomHub and these IABs. However, given RansomHub's alleged cooperation with a wide variety of other IABs, it is highly probable the group actively sought to diversify its initial access vectors, demonstrating a flexible and opportunistic approach to compromising target networks. The U.S. was the most-targeted country with three victims, followed by the U.K. with two victims and Australia, India, Pakistan and Puerto Rico with one victim each. The RansomHub group recently dissolved, and we assessed many of its affiliates likely migrated to the Qilin RaaS. Therefore, the behaviors observed in the IAB domain possibly could manifest within the Qilin group.
Establishing partnerships with actors of various expertise remains a crucial part of the underground economy. Collaboration between IABs and ransomware programs provides not only high profits for access vendors, but also a viable access vector for ransomware groups. It is not a rare occasion when one access vendor cooperates with multiple ransomware groups and vice versa, but it is of particular interest when a ransomware group cooperates with the same IAB multiple times. The consistent links indicate a level of trust or existing operational ties between ransomware groups and specific IABs. We observed the Play and RansomHub ransomware groups cooperate with WilliamNellison and a tandem of sandocan and SantaAd, respectively, on multiple occasions. At the same time, the wide array of ransomware families associated with a single high-profile IAB, such as sandocan or Pirat-Networks, indicates their role as a pivotal enabler for multiple ransomware operations, effectively acting as a crucial first step in a myriad of attack chains. This highlights their indiscriminate approach to selling access — catering to any group willing to pay.
The relatively short average time of 19 days between IAB offers and ransomware blog posts highlights prompt operationalization of the illicitly obtained access. This emphasizes the urgency with which organizations need to detect and mitigate potential compromises once prominent access vendors gain initial access. It serves as a stark reminder that the window for defensive action often is very narrow. Moreover, it also is common for ransomware operators to access the network days or weeks before deploying ransomware. In the cases where the ransomware attack or data leak occurred at nearly the same time as the access advertisement, or preceded it by days or weeks, the timing might indicate the existence of direct communication channels or established agreements between access vendors and particular ransomware affiliates. This also raises the possibility of an intelligence-gathering phase by the ransomware group before the access is even broadly offered, or the actors may treat the advertisement of access as a form of “proof of concept” after a successful attack has already begun.