
Government Agencies Issue New Joint Advisory for Akira Ransomware Group

$42 million stolen thus far.
Ryan Uliss
Contributing Writer

The Akira ransomware gang has emerged as a formidable and relentless cybercriminal force, leaving a trail of devastation in its wake. A joint advisory from the FBI, CISA, Europol, and the Netherlands’ National Cyber Security Centre claims that this malicious group has successfully targeted more than 250 organizations across North America, Europe, and Australia over the past year alone.

The advisory also sheds light on the financial impact of Akira’s activities: the group has amassed a staggering $42 million in ransomware payments from its victims since March of 2023.

Masters of Adaptability

What sets Akira apart is its adaptability and the relentless evolution of its tactics. Initially targeting Windows systems, the group quickly expanded its arsenal by deploying a Linux variant specifically designed to infiltrate VMware ESXi virtual machines – a platform widely used by numerous large enterprises and organizations.

In a disturbing development, Akira has demonstrated the ability to simultaneously unleash multiple ransomware variants against different system architectures within a single attack. This tactical shift marks a concerning escalation of the group’s capabilities, making it an even more formidable adversary.

Akira’s ransomware actors have proven adept at exploiting known vulnerabilities, particularly in Cisco VPN services that lack proper multifactor authentication (MFA) protection. The group has leveraged known flaws such as CVE-2020-3259 and CVE-2023-20269 to gain initial access to target networks.

A Jack of All Trades

However, Akira’s arsenal extends beyond technical vulnerabilities. The group also employs social engineering tactics, including spearphishing campaigns and the abuse of valid credentials, to breach organizations and establish a foothold within their systems.

Once inside a target network, Akira’s operators swiftly disable security measures to evade detection while systematically expanding their presence. They create new domain accounts to establish persistence, leverage techniques like “Kerberoasting” for credential extraction, and employ tools such as Mimikatz and LaZagne for privilege escalation.
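The new-domain-account and Kerberoasting behaviour described above can be hunted for in Windows Security events 4720 and 4769. The sketch below is an added example, not code from the advisory or this article; the sample events, the five-minute window, the three-service threshold and the `idm-sync` allowlist entry are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"              # RC4-HMAC ticket encryption type, the weakest to crack offline
WINDOW = timedelta(minutes=5)  # assumed burst window; tune to the environment
MIN_DISTINCT_SERVICES = 3      # assumed threshold; tune to the environment
PROVISIONERS = {"idm-sync"}    # hypothetical accounts expected to create users

# Constructed sample records (not real logs), keyed by field names from
# Windows Security events 4769 (service ticket requested) and 4720 (user created).
EVENTS = [
    {"Time": "2024-01-15T02:10:00", "EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17"},
    {"Time": "2024-01-15T02:10:20", "EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "websvc", "TicketEncryptionType": "0x17"},
    {"Time": "2024-01-15T02:11:00", "EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "backupsvc", "TicketEncryptionType": "0x17"},
    {"Time": "2024-01-15T09:00:00", "EventID": 4769, "TargetUserName": "asmith@CORP.EXAMPLE", "ServiceName": "sqlsvc", "TicketEncryptionType": "0x12"},
    {"Time": "2024-01-15T09:01:00", "EventID": 4769, "TargetUserName": "asmith@CORP.EXAMPLE", "ServiceName": "FILE01$", "TicketEncryptionType": "0x17"},
    {"Time": "2024-01-15T02:20:00", "EventID": 4720, "SubjectUserName": "jdoe", "TargetUserName": "itadm"},
    {"Time": "2024-01-15T08:00:00", "EventID": 4720, "SubjectUserName": "idm-sync", "TargetUserName": "newhire"},
]

def find_kerberoasting(events):
    """Return accounts that requested RC4 tickets for many distinct services within WINDOW."""
    per_user = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":  # machine accounts and krbtgt are noise
            continue
        per_user[e["TargetUserName"]].append((datetime.fromisoformat(e["Time"]), svc))
    flagged = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - start <= WINDOW}
            if len(services) >= MIN_DISTINCT_SERVICES:
                flagged[user] = sorted(services)
                break
    return flagged

def find_unexpected_account_creation(events):
    """Return (creator, new_account) pairs for 4720 events from non-provisioning accounts."""
    return [(e["SubjectUserName"], e["TargetUserName"]) for e in events
            if e["EventID"] == 4720 and e["SubjectUserName"] not in PROVISIONERS]

if __name__ == "__main__":
    print(find_kerberoasting(EVENTS))
    print(find_unexpected_account_creation(EVENTS))
```

Event 4769 is only logged on domain controllers when auditing of Kerberos service ticket operations is enabled, so confirm that policy before relying on this check.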

Reconnaissance efforts are conducted using tools like Advanced IP Scanner and SoftPerfect, allowing the group to map out the compromised environment and identify high-value assets for potential data exfiltration or encryption.

Encryption and Exfiltration

Akira’s encryption capabilities have become particularly concerning to many as the group employs a “sophisticated hybrid encryption scheme” that tailors encryption methods based on file type and size, enabling both full and partial encryption of targeted data.

Furthermore, the group has demonstrated a willingness to exfiltrate sensitive data from compromised systems, using tools like FileZilla and WinRAR. This tactic heightens the pressure on victims, as the threat of data exposure adds to the urgency of paying the ransom demand.

The Wrap

In the face of Akira’s relentless onslaught, the advisory from law enforcement and cybersecurity agencies provides a roadmap for organizations to enhance their defenses. Key recommendations include implementing detailed recovery plans, enforcing multifactor authentication, staying up-to-date with security patches, and segmenting networks to limit the potential impact of a breach.

By fostering a culture of cybersecurity awareness, implementing stringent security measures, and staying informed about emerging threats, organizations can fortify their defenses against Akira and other ransomware menaces.
