The sale of keys and credentials has been a topic of chatter on underground forums since long before the advent of ransomware. However, ransomware operators such as the Sicarii group, looking for an easy route to a potential payday, often purchase their initial access vector rather than attempting to discover one themselves. In this article, Chad Kirkley reveals a novel method of communication observed in a recent S-RM case between two threat actors. We see camaraderie and plotting between them within the same victim network.
The growing influence of initial access brokers
As the threat landscape constantly changes, initial access brokers (IABs) have established themselves in a distinct niche within the Ransomware-as-a-Service (RaaS) space. These brokers specialize in selling access to compromised networks, enabling threat actors to conduct attacks with ease. A recent investigation by S-RM into ransomware activity highlighted the reliance on IABs and the risks faced by potential victims when access to their network goes to the highest bidders.
Targeted Attacks: Sicarii's approach to ransomware
The Sicarii ransomware group, which operates in Hebrew and primarily targets organizations in Arab countries, was the primary actor during this investigation. Their reliance on IABs indicates a strategic focus, potentially aimed at high-value targets or at refining their encryption techniques. This contrasts with broad-sweep attackers such as Akira or Qilin: Sicarii's approach indicates a targeted methodology.
IABs and multi-attack scenarios
While IABs provide ransomware groups with easy access to targeted networks, their strategy of offering access to multiple threat actors concurrently can lead to challenging situations for victims dealing with simultaneous attacks. During S-RM’s investigation, threat actors were observed using the compromised host to communicate with each other, indicating collaboration in their attacks.
The exchanges, which were originally captured as screenshots by the S-RM team but presented here as a table, reveal the degree of coordination and collaboration between the threat actors, as well as their dependence on IABs for access and their boldness in using the victim’s network to coordinate their attacks.
| Timestamp | File path |
|---|---|
| 2026-01-05 00:14:15 | C:\Users\****\Desktop\Alright I'll put it in this text file.txt |
| 2026-01-05 00:15:04 | C:\Users\****\Desktop\I'd be more than .txt |
| 2026-01-05 00:15:04 | C:\Users\****\Desktop\I know right.txt |
| 2026-01-05 00:15:04 | C:\Users\****\Desktop\This is so funny.txt |
| 2026-01-05 00:15:04 | C:\Users\****\Desktop\United front maybe.txt |
| 2026-01-05 00:15:04 | C:\Users\****\Desktop\We will see.txt |
| 2026-01-05 00:15:04 | C:\Users\****\Desktop\Whoever gets paid first wins.txt |
| 2026-01-05 00:15:04 | C:\Users\****\Desktop\I hope you know that this isnt either of our fault.txt |
| 2026-01-05 00:17:19 | C:\Users\****\Desktop\Should we just put both of our notes down.txt |
| 2026-01-05 00:17:19 | C:\Users\****\Desktop\**** that ruskie.txt |
| 2026-01-05 00:17:19 | C:\Users\****\Desktop\ok awaiting.txt |
| 2026-01-05 00:17:19 | C:\Users\****\Desktop\I only have Tox.txt |
| 2026-01-05 00:17:19 | C:\Users\****\Desktop\Stupid initial access broker.txt |
| 2026-01-05 00:17:19 | C:\Users\****\Desktop\both of us got gypped out of a good account.txt |
| 2026-01-05 00:17:19 | C:\Users\****\Desktop\We could just work together.txt |
| 2026-01-05 00:17:19 | C:\Users\****\Desktop\Wait is there two other crews or just the one.txt |
| 2026-01-05 00:17:19 | C:\Users\****\Desktop\tox works.txt |
| 2026-01-05 00:17:19 | C:\Users\****\Desktop\Actually just give me your tox since this is taking awhile.txt |
| 2026-01-05 00:17:19 | C:\Users\****\Desktop\would you like to talk on session.txt |
| 2026-01-05 00:17:29 | C:\Users\****\Desktop\hello sorry this is another crew. member.txt |
These files were not only created inside the victim environment but also soft-deleted once the threat actors had achieved their objectives: in short, they were moved to the Recycle Bin. As forensic investigators everywhere will know, this attempt at hiding their tracks is easily overcome by recovering and reviewing the relevant Recycle Bin artifacts, which made it all too easy for us to see the messages sent back and forth.
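One concrete form of the artifact review described above, added here as an example that is not drawn from the article: on Windows, every file moved to the Recycle Bin leaves a small `$I` metadata record next to the renamed `$R` content file in the user's `$Recycle.Bin` folder. That record stores the original path, the original size and the deletion time (a FILETIME, 100-nanosecond ticks since 1601-01-01 UTC), so the note names and their deletion order survive the "delete". The Python below builds two such records from constructed values (the user name `jdoe`, the sizes and the deletion times are made up for the example; the file names are taken from the table) and parses them back; the same parser reads real `$I` files from disk. Format version 1 (fixed 520-byte path field) is what Windows Vista through 8.1 write; version 2 (length-prefixed path) is what Windows 10 and later write.

```python
"""Parse (and, for testing, build) Windows Recycle Bin $I metadata records."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_FIELD = 520  # version 1: fixed 260 UTF-16 code units, NUL-padded


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Aware UTC datetime -> FILETIME."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_i_record(data: bytes) -> dict:
    """Decode one $I record into its version, original size, deletion time and original path."""
    if len(data) < 24:
        raise ValueError("$I record too short for the fixed header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        if len(data) < 24 + V1_PATH_FIELD:
            raise ValueError("truncated version 1 $I record")
        raw = data[24:24 + V1_PATH_FIELD]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)  # includes the NUL terminator
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("truncated version 2 $I record")
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(ft),
        "original_path": path,
    }


def build_i_record(path: str, size: int, deleted_at: datetime, version: int = 2) -> bytes:
    """Construct a $I record (used here only to produce test data)."""
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    if version == 1:
        if len(encoded) > V1_PATH_FIELD:
            raise ValueError("path too long for a version 1 record")
        return header + encoded.ljust(V1_PATH_FIELD, b"\x00")
    if version == 2:
        return header + struct.pack("<I", len(path) + 1) + encoded
    raise ValueError(f"unsupported $I version {version}")


def recover_deleted_notes(records) -> list:
    """Parse a batch of $I blobs, keep the .txt entries and order them by deletion time."""
    notes = [parse_i_record(blob) for blob in records]
    notes = [n for n in notes if n["original_path"].lower().endswith(".txt")]
    return sorted(notes, key=lambda n: n["deleted_at"])


# Constructed sample records; deletion times and sizes are made up for the example.
SAMPLE_I_V2 = build_i_record(r"C:\Users\jdoe\Desktop\We could just work together.txt", 27,
                             datetime(2026, 1, 5, 0, 40, 0, tzinfo=timezone.utc), version=2)
SAMPLE_I_V1 = build_i_record(r"C:\Users\jdoe\Desktop\I only have Tox.txt", 15,
                             datetime(2026, 1, 5, 0, 39, 30, tzinfo=timezone.utc), version=1)

if __name__ == "__main__":
    for note in recover_deleted_notes([SAMPLE_I_V2, SAMPLE_I_V1]):
        print(note["deleted_at"].isoformat(), note["original_size"], note["original_path"])
```

To use this on a real image, read each `$I*` file under `\$Recycle.Bin\<SID>\` with `open(p, "rb").read()` and pass the blobs to `recover_deleted_notes`; the matching `$R*` file with the same suffix still holds the note's content until the bin is emptied or the clusters are reused.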
The challenges of multi-actor ransomware attacks
IABs serve as enablers in the cybercrime sphere, amplifying the risks faced by organizations by offering network access to a multitude of malicious actors. This can lead to complex scenarios where victims face multiple simultaneous ransomware attacks, each demanding separate negotiations and ransom payments. Having to navigate one ransomware attack is challenging enough, but concurrent demands from multiple attackers significantly increase the difficulties faced by victims.
The investigation into the Sicarii ransomware group underscores the difficulties IABs introduce, compounding the challenges of incident response and increasing the operational strain on their victims.