{
	"id": "ada59304-e3ca-4233-a950-ed8f8338a381",
	"created_at": "2026-04-06T00:11:41.817682Z",
	"updated_at": "2026-04-10T13:12:08.031613Z",
	"deleted_at": null,
	"sha1_hash": "a4094a06cec1cbbd9105dde7bd7ca0d6e85e48c7",
	"title": "Steal, then strike: Access merchants are first clues to future ransomware attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43650,
	"plain_text": "Steal, then strike: Access merchants are first clues to future\r\nransomware attacks\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 13:57:37 UTC\r\nCybercrime does not happen in a vacuum.\r\nWhile ransomware variants like REvil, Ryuk and DoppelPaymer have become household names for cybersecurity\r\nprofessionals, those deploying ransomware only represent part of the process by which criminals are forcing\r\norganizations to either pay them millions or watch their business go under.\r\nThe broader picture shows an underground marketplace that is becoming increasingly organized, borrowing\r\nbest practices from legitimate businesses that understand the importance of resiliency, efficiency and return on\r\ninvestment. A key cog in this growing operation is the interdependency between those who specialize in selling\r\naccess to compromised systems or stolen information, and those looking to launch ransomware attacks.\r\nData gathered by Intel 471 points to a pattern in numerous ransomware attacks that have occurred in the past 18\r\nmonths: Criminals in underground forums will advertise access to various breached organizations, and quickly\r\nturn to sell access to the highest bidder or strike a deal with a ransomware affiliate in order to share in any profits\r\npulled from a successful payment. These partnerships have resulted in a flourishing submarket, where access to\r\ncorporate networks is sold for six-figure sums directly or via a partnership and cut of paid ransoms.\r\nThe compromised credentials are mostly obtained through attackers abusing flaws or security shortcomings in\r\nvirtual private networks or remote desktop protocol endpoints, which provides the initial entry point into\r\nenterprise networks. Additionally, credential information can come from logs tied to infostealer malware,\r\npassword spraying or other credential marketplaces in the criminal underground.\r\nInstances show that anywhere from one week to six months after access is obtained and advertised, other known\r\nactors on various underground forums look to use or purchase that access to launch ransomware attacks. The\r\ntargets run the gamut of regions and economic sectors, with the pattern playing out in ransomware attacks on\r\nevery continent.\r\nOne of the highest-profile ransomware attacks to fit this pattern was the attack on Pemex, the state-run oil\r\ncompany based in Mexico. In November 2019, attackers hit Pemex with DoppelPaymer, demanding $4.5 million\r\nin bitcoin to decrypt and return the files. Intelligence from Intel 471 found that beginning in June 2019, a separate\r\nactor was advertising access to 1,500 Pemex servers and personal computers, as well as administrator privileges to\r\nthe company’s domains, for $150,000. That transaction was facilitated through a third-party escrow service, which\r\nallows criminals to move money while shielding themselves from direct contact with the actors who are\r\ncarrying out the crimes.\r\nhttps://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/\r\nPage 1 of 2\n\nAnother actor Intel 471 had been tracking started asking for access to ransomware-as-a-service affiliate programs,\r\nstating that deployment of ransomware on compromised networks should potentially return much more money\r\nthan just selling the access. Days after this, Intel 471 learned the actor obtained and modified a version of Thanos,\r\nand allegedly deployed it against U.S. businesses. Over the past three months, this actor has frequently tried to sell\r\naccess to compromised organizations, which range in location, size, and economic sector.\r\nAccess merchant partnerships are not exclusive to any one particular ransomware variant or ransomware-as-a-service. Data from Intel 471 shows this pattern following attacks carried out with popular ransomware variants,\r\nsuch as DoppelPaymer, Maze, Netwalker, Ryuk and REvil, as well as lesser-known variants like LockBit, Nefilim,\r\nPysa and Thanos.\r\nThe astronomical growth in ransom payments in 2020 has helped access merchants put a premium on their\r\nservices. In years past, a large ransom payout would earn attackers somewhere between five- and six-figure sums.\r\nNow, it’s becoming increasingly common for attackers to demand seven- and eight-figure ransoms, partly due to\r\nthe need to pay off actors that have helped them obtain access to the victim’s system.\r\nOne such attack drives home this point: Intel 471 obtained a chat log from a ransomware attack launched last\r\nmonth where a company — a U.S.-based healthcare provider — offered to pay a ransom of just under $400,000.\r\nDespite the company’s quick response, the ransomware crew was insulted by the offer and threatened to dump the\r\nentire cache of stolen documents unless the figure was pushed several million dollars higher. With their backs\r\nagainst the wall, the company eventually agreed to pay $2 million in bitcoin.\r\nHow long ransomware crews decide to stay with this partnership model will be something to watch in the coming\r\nyear. Intel 471 has observed actions in underground marketplaces that show RaaS groups are beginning to\r\nundercut access merchants by either purchasing their own credential-stealing malware or recruiting teams that\r\nspecialize in obtaining access. Use of access merchants may not disappear completely, but the extent of their\r\npopularity could diminish.\r\nTo prevent being a victim, enterprises need to have continuous and proactive observation of the cybercriminal\r\nunderground marketplace where these interdependent products, services and goods intersect. Additionally,\r\nensuring token-based multi-factor authentication is enabled across an enterprise and scrutinizing all internet-facing\r\nremote network connections like RDP can be vital in preventing ransomware attacks.\r\nThis article was part of a series on ransomware attacks in 2020. You can find the previous entries here: Part 1 and\r\nPart 2.\r\nSource: https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/"
	],
	"report_names": [
		"ransomware-attack-access-merchants-infostealer-escrow-service"
	],
	"threat_actors": [],
	"ts_created_at": 1775434301,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4094a06cec1cbbd9105dde7bd7ca0d6e85e48c7.pdf",
		"text": "https://archive.orkl.eu/a4094a06cec1cbbd9105dde7bd7ca0d6e85e48c7.txt",
		"img": "https://archive.orkl.eu/a4094a06cec1cbbd9105dde7bd7ca0d6e85e48c7.jpg"
	}
}