Behind most 2026 ransomware intrusions is a transaction you never see: a ransomware affiliate buying ready-made access from an Initial Access Broker (IAB). Understanding this supply chain tells you where to spend your defensive budget.
What an IAB sells
IABs specialise in getting a foothold and reselling it. Typical listings on access markets: valid VPN or RDP credentials, web-shell access to an internet-facing server, or active sessions to a corporate SSO. Prices scale with the victim's revenue and sector — a foothold into a mid-size financial firm commands far more than one into a random SMB.
How they get in
- Infostealer logs. Malware like the Lumma/Redline lineage harvests browser-saved credentials and session cookies by the million; IABs mine these dumps for corporate access.
- Exposed services. RDP/VPN with no MFA, and unpatched public-facing apps (a 44% YoY rise in public-app exploitation in 2026).
- Credential phishing and MFA-fatigue prompts.
How to stop being the product
- Phishing-resistant MFA (FIDO2/passkeys) on every external entry point — VPN, RDP gateway, SSO, email.
- Kill standing RDP exposure; put remote access behind a ZTNA broker.
- Infostealer hygiene: block credential-saving in managed browsers, rotate credentials on infection, and monitor stealer-log marketplaces for your domains.
- Patch public-facing apps fast — they are the cheapest access an IAB can sell.
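For the infostealer-hygiene step, here is a sketch of triaging a stealer-log export for your own domains so the affected accounts can be rotated. It is an added example, not RingSafe tooling. The domain list, the sample records and the "URL / Username / Password" block layout are assumptions; real feeds vary.

```python
from urllib.parse import urlsplit

# Assumption: domains your organisation owns (hypothetical values).
CORP_DOMAINS = {"example.com", "example-corp.net"}

# Constructed sample, not real data; the block layout is an assumed format.
SAMPLE_LOG = """\
URL: https://vpn.example.com/remote/login
Username: j.doe
Password: constructed-1

URL: https://mail.google.com/
Username: a.smith@example.com
Password: constructed:2

URL: https://shop.notexample.com/account
Username: someone@gmail.com
Password: constructed-3
"""

def in_scope(name, domains):
    """True for a corporate domain or a subdomain, not a look-alike suffix."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def parse_blocks(text):
    """Yield one dict per blank-line-separated record, keys lower-cased."""
    record = {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if record:
                yield record
            record = {}
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            record[key.strip().lower()] = value.strip()

def exposed_accounts(text, domains=CORP_DOMAINS):
    """Return accounts to rotate; the password itself is never copied out."""
    hits = []
    for rec in parse_blocks(text):
        host = urlsplit(rec.get("url", "")).hostname or ""
        user = rec.get("username", "")
        mail_domain = user.rpartition("@")[2] if "@" in user else ""
        checks = (("corporate-host", host), ("corporate-identity", mail_domain))
        reasons = [why for why, name in checks if name and in_scope(name, domains)]
        if reasons:
            hits.append({"host": host, "user": user, "reasons": reasons})
    return hits
```

A "corporate-identity" hit on a third-party host still matters: it shows a work address stored on an infected machine, so that user's corporate sessions and passwords should be rotated too.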
RingSafe maps your external attack surface the way an IAB would, then helps you close it. Explore external VAPT.