I wouldn't be surprised if devices typically become compromised via automation - the ones responsible may not have the expertise & manpower needed to develop & deploy viable ransomware payloads, negotiating ransoms, providing "tech support" to "customers" who choose to pay the ransom and need help decrypting, etc. So they'd rather resell the access for a flat fee and leave it to others to milk out the actual targets for potentially more money. The low but steady stream of money they get might also be easier to launder than ransoms worth hundreds of thousands.
I doubt this is limited to ransomware - I bet customers of a "network access broker" would involve conventional malware such as spam/DoS bots, ad fraud, etc as well.
I doubt this is limited to ransomware - I bet customers of a "network access broker" would involve conventional malware such as spam/DoS bots, ad fraud, etc as well.