KELA Examines Instances of Credentials-Selling for Malicious Purposes

KELA issued a new report, covering July 2021, in which it observed 48 active threats seeking various types of access. The technique involves creating multiple threads with offers to purchase credentials in order to deploy malware, carry out other malicious activities, plant ransomware and steal data.

Of note, KELA observed:

  • 46 percent of listings created in July alone, illustrating the demand for access listings.
  • 40 percent identified as “active participants in the ransomware-as-a-service supply chain, whether as an operator, affiliate or middleman.”
  • Actors largely focusing on buying access to U.S. companies with over $100 million in revenue.
  • 47 percent refusing to purchase access to organizations from the healthcare or education sector, with 37 percent refusing to target the government sector and 26 percent turning down access to nonprofits.
  • RDP and VPN network accesses the most common request.
  • Most-common products for enabling network access coming from Citrix, Palo Alto Networks, VMware, Fortinet and Cisco Systems.
  • Ransomware attackers ready to pay up to $100,000 for access, with most topping out at around $56,200.

While most requests sought U.S. companies (47 percent), other countries such as Canada (37 percent), Australia (37 percent) and European nations (31 percent) followed close behind, with “most” advertisements including a call for multiple countries.

Additional information and insight on “The Ideal Ransomware Victim: What Attackers Are Looking For” is available via lumint.ke-la.com.