
The $2,700 Network That Could Cost You Millions

  • Writer: ctsmithiii
  • Aug 14

Cybercriminals are selling network access for $2,700 while demanding $450,000 in ransom. Learn how the access broker economy threatens every organization.



Your organization's network access is being sold on dark web forums for less than the cost of a new laptop. Yet this seemingly trivial investment can lead to ransomware demands exceeding $450,000. This stark economic reality emerged from multiple conversations at Black Hat 2025, painting a troubling picture of how cybercrime has industrialized.


Raj Samani, Chief Scientist at Rapid7, has been tracking this transformation through his team's Access Brokers Report. "You remember 2015, we had the ransomware group Tesla, which was a consumer-driven attack, and the average ransom demand was two Bitcoins, which was about $400," Samani explained. "Now we've got this economy in which companies are being targeted at a rate and pace that is unprecedented. The average demand has increased from $400 to $450,000."


The research, covering six months of activity across major dark web forums, reveals that 71.4% of access broker sales offer more than just basic network entry—they include elevated privileges or multiple access routes. The average victim organization has $2.2 billion in annual revenue, yet access to its networks sells for under $3,000.


The SMB Target Shift

Robert Johnston, General Manager at N-able and a former Pentagon cyber operations specialist, witnessed a fundamental shift in who gets targeted. "It used to be dominated by countries, by intelligence services," Johnston explained. "Now the threat landscape has expanded, and the number of attackers has drastically increased. The game is now played by criminal organizations, activist organizations, curious college students—anybody and everybody."


SMBs are 60% more likely to experience a cyberattack than large enterprises, not because they're more attractive, but because they're easier targets. The mathematics favor targeting smaller organizations: why spend months trying to breach a heavily fortified enterprise when you can hit hundreds of smaller targets with minimal effort?


The Managed Service Provider Multiplier

The most concerning trend involves how cybercriminals leverage managed service providers (MSPs) to amplify their attacks. "By breaking into that single target, you can gain access to 500 separate organizations," Johnston noted. "If you take over their remote monitoring management capability, their screen connect capability, it gives you instantaneous single pane of glass access to 500 organizations all at once."


This architecture creates perfect conditions for scaled attacks. MSPs use centralized tools to replicate activities across hundreds of client networks simultaneously. The same capabilities that allow efficient management also enable attackers who compromise an MSP to deploy ransomware across all client organizations instantly.


The Identity Crisis

The most popular attack vectors mirror what incident response teams observe in the field: VPN access (23.5%), Domain User accounts (19.9%), and RDP services (16.7%). These represent fundamental failures where security controls become attack vectors.


"Attackers don't hack in. They log in," explained Snehal Antani, CEO of Horizon3.ai, whose team has completed over 150,000 penetration tests. "Credentials are the everyday zero-day. Your credential attack surface is the most susceptible."


Antani's team once hacked a defense contractor in just 77 seconds and gained access to 3D CAD drawings for aircraft carriers within five minutes. "If we hack you in 77 seconds, you have 76 seconds to stop us," he noted.


The Compliance Illusion

Every defense industrial base company that Horizon3.ai compromised was compliant with some security framework—SOC 2, NIST, or others. They had conducted annual penetration tests and tabletop exercises. "Just because you're compliant doesn't mean you're secure," Antani emphasized. "Those one-and-done acts of assessing your security posture are not going to cut it in the current era."


Strategic Responses

Security leaders need to shift from reactive compliance to proactive verification. Samani advocates for "threat-informed remediation" using curated intelligence to cut through alert noise. "Of 40,000 CVEs disclosed last year, which one are you going to be worried about? What we should be concerned about is the stuff that's going to hurt me."


The organizations succeeding in this environment focus on:

  • Real-time security assessment rather than point-in-time compliance

  • Intelligence-driven prioritization over CVSS scores

  • Understanding attack surfaces rather than accumulating security tools

  • Continuous verification rather than annual assessments


The Bottom Line

The access broker economy reveals cybersecurity's fundamental challenge: technical barriers to cybercrime have collapsed, while economic incentives have exploded. Organizations must recognize that every business, regardless of size, is now a viable target for industrialized cybercrime.


As Samani concluded: "Organizations need to understand their attack surface, understand the vulnerabilities associated with their attack surface, and prioritize the remediation of said vulnerabilities in a real-time manner." The alternative—becoming another $2,700 listing on a dark web forum—is simply too costly to contemplate.

 
 
 



© 2025 by Tom Smith
