What Is an Initial Access Broker — and Should You Care?

If you’ve never heard the term “initial access broker,” you’re not alone — but that’s exactly the problem. An initial access broker is one of the most dangerous players in the modern ransomware supply chain, and most organizations don’t even know they exist until it’s too late.

This blog post summarizes the main points of my latest podcast episode. If you’d like, you can listen to it or watch it at https://www.backupwrapup.com/what-is-an-initial-access-broker.

Let me be straight with you: ransomware isn’t some lone hacker with a hoodie typing furiously in a dark room. It’s a business. A supply chain. And the initial access broker is the specialist at the front of that chain. They don’t deploy ransomware. They don’t demand money. They just break into your network — and sell that access to whoever’s willing to pay. Then somebody else does the dirty work.

I sat down with Dr. Mike Saylor of Black Swan Cybersecurity — who also happens to be my co-author on our upcoming ransomware book — to break this all down. And he brought a real case study from 2024 that should make every IT and security person squirm in their seat.

What an Initial Access Broker Actually Does

Here’s the simplest way I can explain it. Imagine someone whose entire job is driving through neighborhoods at night checking if any doors are unlocked or any windows are cracked. They’re not going inside to rob you. They’re just making a list of which houses are easy to get into — and then selling that list to people who will.

That’s an initial access broker. Their product is access. They identify vulnerable organizations, validate that the access is real, and sell it on dark web marketplaces to ransomware gangs and other criminal operators. The more valuable the target — think critical infrastructure, financial institutions, large enterprises — the higher the price.

And the initial access broker market is competitive enough that reputation actually matters. If you sell invalidated or already-burned credentials, buyers won’t come back. So IABs actually have an incentive to deliver quality product. Wrap your head around that for a second.

The Real Case Study: A Google Docs Folder Called “Passwords”

This is the story that Dr. Saylor shared on the episode, and I have not been able to stop thinking about it since. A company called us in after a breach. No failed logins, no suspicious login attempts from weird IP addresses — nothing that would tip off a traditional monitoring system. Clean as a whistle on the surface.

We eventually identified patient zero. We’ll call him Bob. Bob’s personal Gmail account had been compromised back in April — months before the actual attack hit in October or November. Bob knew his account was acting weird. His password kept getting changed back. His recovery email kept getting swapped out. He’d been fighting with Google about it for months. But he never reported it at work because, hey, it was his personal account, right?

Except here’s where it gets bad. Bob was storing his work email address and password in that Gmail account. In a Google Docs folder. Titled “passwords.”

So an initial access broker got in through some third-party app or phishing attack on Bob’s personal account, found that folder, validated the credentials, and sold access to Bob’s organization. Months later, a ransomware gang bought that access and used it. The attack had nothing to do with anything the company did wrong — it started with one employee’s personal hygiene habits.

What Initial Access Brokers Are Actually Selling

It’s not just username and password combos, though that’s the big one. Dr. Saylor walked us through the full menu. RDP — Remote Desktop Protocol — exposed directly to the internet is basically an engraved invitation. Vulnerabilities in VPN products like Cisco, Fortinet, and Citrix are prime targets. Web shells, where an attacker compromises the authentication layer of a web-based environment, are another common product. Even session cookie hijacking — sitting at a coffee shop with a rogue wireless access point — can produce sellable access.

And here’s the thing about credential reuse that just kills me every single time: people use the same password on a random mobile app that they use for their corporate email. That mobile app gets compromised in a massive breach — we’re talking 564 million records in one breach conducted by ShinyHunters in 2020, with 1.12 million of those records tied to corporate or government email addresses — and now the initial access broker has the keys to your network. For $10,000. For a bundle of 564 million records.

Would Getting Rid of IABs Stop Ransomware?

I asked Dr. Saylor this directly on the episode. His answer was a flat no — and it’s the right answer. If you eliminate the initial access broker, ransomware gangs don’t disappear. They just bring the capability in-house, the way they used to do it before the cybercriminal ecosystem matured. The IAB is a specialization that emerged because it’s more efficient to outsource the access-gaining piece. Take it away and the gangs adapt. The underlying problem is still there.

What You Can Actually Do About the Initial Access Broker Threat

Look, the takeaways here are not complicated, but they require discipline:

Stop reusing passwords. I don’t care how many times you’ve heard this. The initial access broker is counting on the fact that the password you used on some random website is the same one you use for your corporate email. Use a password manager. Different password everywhere. No exceptions for sensitive accounts.

Change credentials the moment you think they’re compromised — don’t wait. Bob waited months. Don’t be Bob.

Don’t store credentials in plain text anywhere. Not in a spreadsheet. Not in a draft email. Not in a Google Docs folder called “passwords.” Use a real password manager.

Patch your VPNs and remote access tools. The Rackspace story we covered a few years ago — entire hosted Exchange environment destroyed because they didn’t patch a known vulnerability in time — is a perfect example of what IABs are actively hunting.

Keep RDP off the public internet. Just don’t.

The initial access broker isn’t going away. This is a thriving criminal marketplace and it’s only getting more organized. Your job is to make your organization a harder target than the one next door.

Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at S2|DATA, which helps companies manage their legacy data.
