In a blog post, the company said criminals in underground forums would advertise that they had access to various companies. The credentials on offer would then be sold to the highest bidder or a deal would be struck with a ransomware affiliate to share in any profits from a successful attack.
"These partnerships have resulted in a flourishing sub-market, where access to corporate networks is sold for six-figure sums directly or via a partnership and cut of paid ransoms," the post said.
Compromised credentials were claimed to come from people exploiting common flaws that had not been patched, either in operating systems like Windows, or else in other common software like VPNs or RDP endpoints.
"Instances show that anywhere from one week to six months after access is obtained and advertised, other known actors on various underground forums look to use or purchase that access to launch ransomware attacks.
"The targets run the gamut of regions and economic sectors, with the pattern playing out in ransomware attacks on every continent."
The company said one of most well-known attacks to fit this pattern was an attack on Mexican state-run oil company Pemex in November 2019. In this case, the attackers used the Windows DoppelPaymer ransomware and demanded a ransom of US$4.5 million (A$6.1 million).
The company said it had discovered that, beginning in June 2019, a separate actor was advertising access to 1500 Pemex servers and personal computers, as well as administrator privileges to the company’s domains, for US$150,000.
"That transaction was facilitated through a third-party escrow service, which allows criminals to move money in order to shield themselves from making direct contact with the actors who are carrying out the crimes," Intel 471 claimed.
Citing another case, the company said another actor it had been tracking had begun making inquiries about access to ransomware-as-a-service operators, saying that the use of ransomware would yield much better returns than just selling access.
"Days after this, Intel 471 learned the actor obtained and modified a version of Thanos, and allegedly deployed it against US businesses," the company said, without specifying when this alleged incident had taken place.
"Over the last three months, this actor has frequently tried to sell access to compromised organisations, which range in location, size, and economic sector."
One more aspect of this method was that such tie-ups were not exclusive. "Data from Intel 471 shows this pattern following attacks carried out with popular ransomware variants, such as DoppelPaymer, Maze, NetWalker, Ryuk and REvil, as well as lesser-known variants like LockBit, Nefilim, Pysa and Thanos," the company said.
It claimed the sharp rise in ransom payments had helped those who were selling access no end. "In years past, a large ransom payout would earn attackers somewhere between five- and six-figure sums. Now, it’s becoming increasingly common for attackers to demand seven- and eight-figure ransoms, partly due to the need to pay off actors that have helped them obtain access to the victim’s system.
"One such attack drives home this point: Intel 471 obtained a chat log from a ransomware attack launched last month [November] where a company — a US-based healthcare provider — offered to pay a ransom of just under US$400,000.
"Despite the company’s quick response, the ransomware crew was insulted by the offer and threatened to dump the entire cache of stolen documents unless the figure was pushed several million dollars higher. With their backs against the wall, the company eventually settled to pay $2 million in bitcoin."
Whether this pattern would continue indefinitely was not predictable, Intel 471 said. "...[we have] observed actions in underground marketplaces that show RaaS groups are beginning to undercut access merchants, by either purchasing their own credential-stealing malware or recruiting teams that specialise in obtaining access. Use of access merchants may not disappear completely, but the extent of their popularity could diminish."