Cybercriminals who lack business skills sell their network access to expert fraudsters or ransomware operators who find data more profitable, affecting many organizations and industries in various geographical locations.

Public advertisements of compromised enterprise network access for sale in underground forums usually describe victims by location, sector or industry, market valuation or revenue, and file or data types, in which they are usually for auction.

Criminals transfer network access to buyers using persistence mechanisms with common features such as RDP credentials, VPN credentials, web shells, and elevated privileges.

This paper explains how sales of enterprise network access happen in underground forums or in the dark web.