A team of researchers has revealed an uncanny resemblance between the modus operandi of two ransomware groups and an APT who have been using services of a common Initial Access Broker (IAB).

What was found?

The BlackBerry Research & Intelligence team revealed that Zebra2104 provides initial access to ransomware groups MountLocker and Phobos, as well as the StrongPity APT. 
  • The broker has helped criminals break into the networks of multiple firms in Australia and Turkey. 
  • The StrongPity APT had targeted Turkish businesses in the healthcare space as well as smaller companies using access from this broker.
  • The team of researchers first discovered an unusual single domain that was linked to multiple ransomware attacks and a C2 server connected to the APT group. 
  • Further analysis revealed that the domain was resolving at IPs provided by the same Bulgarian ASN (Neterra LTD), which was also a compromised network.

How do IABs operate?

Usually, an IAB gains access to a victim’s network via exploiting flaws, phishing emails, and in more ways.
  • After gaining the access credentials, they list their access in underground forums, advertising their wares to potential buyers.
  • The price for access ranges from around $25 to several thousand.
  • Many IAB prices are often based on the annual revenue that the victim organization produces. 
  • Additionally, IABs often create a bidding system that enables the highest-paying adversaries to deploy malware of their own desire. 


The research highlights how cybercriminals are evolving into a real-world enterprise business, where multiple disconnected ransomware groups and APTs are leveraging services of a common IAB. Moreover, experts suspect that such collaborations may become more common in the near future.
Cyware Publisher