Globally the average cost for access to corporate systems is in the range from $2,000 to $4,000, and in the META region the average price for access to corporate infrastructure is $2,100.

This is relatively inexpensive compared to the possible damage to the targeted business. Such services are of prime interest to ransomware operators, whose profit may reach tens of millions of dollars a year.

The Dark web is a common term that is used to describe different resources used by cybercriminals – forums, instant messengers, Tor websites, blogs, Pastebin and similar websites, and others. The Dark web is also a multifunctional platform and market for any need – from attack preparation to money withdrawal.

Ways the attackers can get access to corporate data

The first way is by exploiting vulnerabilities on the network perimeter. These can be unpatched software with available exploits, vulnerabilities in web applications, misconfigured services or zero-day¹ vulnerabilities.

Another way is by phishing attacks. Most common attack scenarios include fake business correspondence from partners, fake links for online meetings or documents, and COVID-related emails.

Finally, access can be gained by infecting user devices (personal or corporate ones) with a data stealer. Data gets stolen while users continue to work on their device, then the stolen data is transferred to Command and Control servers, packed in files, which are then published on Dark web forums and put on sale. In South Africa, 1,270,617 accounts of users were stolen this way in 2021-2022. In Kenya, 375,011 accounts of users were stolen during the same period.

Selling access on the dark web

Once an attacker gains access to the organisation’s infrastructure, they can then sell this access to other advanced cybercriminals, for example, ransomware operators.

The price for accessing potential victims’ systems is relatively inexpensive when compared to the possible damage that can be done afterwards. The average cost for access to a company’s systems lies in the range from $2,000 to $4,000.

The cost of initial access depends on the victim company’s revenue and price. Globally 42% of all offers for the sale of access are cheaper than $1,000.

The majority (75%) of all lots offer initial access through Remote Desktop Protocol (RDP), making the access for buyers easy.

Other types include access through virtual network computing services, through web shell, through Citrix access or SQL injection.

While companies from the META region account for 8% of all offers globally on the sale of access to corporate infrastructure, their access is sold at a high price – the most expensive offer stood at $25 000. The average price for access to corporate infrastructure in the META region is $2,100.

The most expensive offers that were found were for companies from Saudi Arabia, the UAE, Israel (starting from $5,000).

Access to over 100 enterprises in META with an average revenue of $500 mln has been up for sale on the Darknet over the past 2 years.

Protecting businesses from dark web criminals

“While the Dark web seemed impossible to control in the past, now the situation is changing. Businesses can act to give fraudsters less opportunity to make dark web profits out of their data. Organisations should protect their data from being stolen with strong data security practices, including data encryption and educating employees on how to avoid accidentally giving cybercriminals access,” comments Yuliya Novikova, Head of Security Services Analysis at Kaspersky. “Dark web monitoring should be considered as a threat intelligence data source for cybersecurity staff – CTI analysts, SOC analysts, and others. It will allow to immediately react on security incidents such as offers on selling access to the company and help to prevent data breaches. Digital Footprint Intelligence introduced within the Kaspersky Threat Intelligence portal provides access to insights from a range of validated sources worldwide, allowing companies to mitigate the impact of cyberattacks and identify potential threats before they become incidents.”

A report released today by HP Inc.: The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back – an HP Wolf Security Report, has exposed an ironic “honour among thieves”.

The findings show cybercrime is being supercharged through “plug and play” malware kits that make it easier than ever to launch attacks. Cyber syndicates are collaborating with amateur attackers to target businesses, putting our online world at risk.

The HP Wolf Security threat team worked with Forensic Pathways, a leading group of global forensic professionals, on a three-month dark web investigation, scraping and analysing over 35 million cybercriminal marketplaces and forum posts to understand how cybercriminals operate, gain trust, and build reputation.

Key findings include:

1. Malware is cheap and readily available –

Over three quarters (76%) of malware advertisements listed, and 91% of exploits (i.e., code that gives attackers control over systems by taking advantage of software bugs), retail for under ₦4,923.17.

The average cost of compromised Remote Desktop Protocol credentials is just ₦2,092.35. Vendors are selling products in bundles, with plug-and-play malware kits, malware-as-a-service, tutorials, and mentoring services reducing the need for technical skills and experience to conduct complex, targeted attacks – in fact, just 2-3% of threat actors today are advanced coders.

2. The irony of ‘honor amongst cyber-thieves’ –

Much like the legitimate online retail world, trust and reputation are ironically essential parts of cybercriminal commerce: 77% of cybercriminal marketplaces analysed require a vendor bond – a license to sell – which can cost up to ₦1,230,793.

Eighty-five per cent of these use escrow payments, and 92% have a third-party dispute resolution service. Every marketplace provides vendor feedback scores. Cybercriminals also try to stay a step ahead of law enforcement by transferring reputation between websites – as the average lifespan of a dark net Tor website is only 55 days.

3. Popular software is giving cybercriminals a foot in the door –

Cybercriminals are focusing on finding gaps in software that will allow them to get a foothold and take control of systems by targeting known bugs and vulnerabilities in popular software.

Examples include the Windows operating system, Microsoft Office, web content management systems, and web and mail servers.

Kits that exploit vulnerabilities in niche systems command the highest prices (typically ranging from ₦393,853.76 – ₦1,723,110.20). Zero Days (vulnerabilities that are not yet publicly known) are retailing at tens of thousands of dollars on dark web markets.

“Unfortunately, it’s never been easier to be a cybercriminal. Complex attacks previously required serious skills, knowledge and resource. Now the technology and training is available for the price of 3 litres of fuel. And whether it’s having your company and customer data exposed, deliveries delayed or even a hospital appointment cancelled, the explosion in cybercrime affects us all,” comments report author Alex Holland, Senior Malware Analyst at HP Inc.

“At the heart of this is ransomware, which has created a new cybercriminal ecosystem rewarding smaller players with a slice of the profits. This is creating a cybercrime factory line, churning out attacks that can be very hard to defend against and putting the businesses we all rely on in the crosshairs,” Holland adds.

HP consulted with a panel of experts from cybersecurity and academia – including ex-black hat hacker Michael ‘Mafia Boy’ Calce and authored criminologist, Dr. Mike McGuire – to understand how cybercrime has evolved and what businesses can do to better protect themselves against the threats of today and tomorrow. They warned that businesses should prepare for destructive data denial attacks, increasingly targeted cyber campaigns, and cybercriminals using emerging technologies like artificial intelligence to challenge organisations’ data integrity.

To protect against current and future threats, the report offers up the following advice for businesses:

Master the basics to reduce cybercriminals’ chances: Follow best practices, such as multi-factor authentication and patch management; reduce your attack surface from top attack vectors like email, web browsing and file downloads; and prioritise self-healing hardware to boost resilience.

Focus on winning the game: plan for the worst; limit risk posed by your people and partners by putting processes in place to vet supplier security and educate workforces on social engineering; and be process-oriented and rehearse responses to attacks so you can identify problems, make improvements and be better prepared.

Cybercrime is a team sport. Cybersecurity must be too: talk to your peers to share threat information and intelligence in real-time; use threat intelligence and be proactive in horizon scanning by monitoring open discussions on underground forums; and work with third-party security services to uncover weak spots and critical risks that need addressing.

“We all need to do more to fight the growing cybercrime machine,” says Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc. “For individuals, this means becoming cyber aware. Most attacks start with a click of a mouse, so thinking before you click is always important. But giving yourself a safety net by buying technology that can mitigate and recover from the impact of bad clicks is even better.”

“For businesses, it’s important to build resiliency and shut off as many common attack routes as possible,” Pratt continues. “For example, cybercriminals study patches on release to reverse engineer the vulnerability being patched and can rapidly create exploits to use before organisations have patched. So, speeding up patch management is important. Many of the most common categories of threat such as those delivered via email and the web can be fully neutralised through techniques such as threat containment and isolation, greatly reducing an organisation’s attack surface regardless of whether the vulnerabilities are patched or not.”