The First Step: Initial Access Leads to Ransomware

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.

Key Findings

  • Preventing ransomware today largely has shifted from a direct email threat to an indirect threat where email is only part of the attack chain.
  • Ransomware threat actors leverage cybercriminal enterprises – largely banking trojan distributors – for malware deployment. These access facilitators distribute their backdoors via malicious links and attachments sent via email.
  • Banking trojans were the most popular malware distributed via email, representing almost 20% of malware seen in Proofpoint data the first half of 2021.
  • Proofpoint currently tracks at least 10 threat actors acting as initial access facilitators or likely ransomware affiliates.
  • Ransomware is rarely distributed directly via email. Just one ransomware strain accounts for 95% of ransomware as a first-stage email payload between 2020 and 2021.
  • There is not a 1:1 relationship between malware loaders and ransomware attacks. Multiple threat actors use the same malware payloads for ransomware distribution.


Ransomware attacks still use email — but not in the way you might think. Ransomware operators often buy access from independent cybercriminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains. Cybercriminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network. The result is a robust and lucrative criminal ecosystem in which different individuals and organizations increasingly specialize to the tune of greater profits for all-except, of course, the victims.

Preventing ransomware via email is straightforward: block the loader, and you block the ransomware.

Typically, initial access brokers are understood to be opportunistic threat actors supplying affiliates and other cybercrime threat actors after the fact, for example by advertising access for sale on forums. But for the purposes of this report, we consider initial access brokers to be the groups who…