The Akira ransomware group has breached the networks of more than 250 organizations and collected around $42 million (USD) in ransom proceeds, according to a joint cybersecurity advisory released by the United States Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL).
FBI investigations have found that Akira ransomware has targeted a wide range of businesses and critical infrastructure entities across North America, Europe, and Australia since March 2023. Initially focused on Windows systems, Akira has since added a Linux variant that targets VMware ESXi virtual machines, a platform widely deployed by large businesses and organizations.
According to the joint cybersecurity advisory, “early iterations of the Akira ransomware were coded in C++ and encrypted files with a .akira extension. However, starting in August 2023, certain Akira attacks started using Megazord, a Rust-based code that encrypts files with a .powerranges extension. The Akira threat actors have since used both Megazord and Akira, including Akira_v2 (as identified by reputable third-party investigations), interchangeably.”
The advisory notes that Akira threat actors most often gain initial access through virtual private network (VPN) services that lack multifactor authentication (MFA), in many cases by exploiting known Cisco vulnerabilities such as CVE-2020-3259 and CVE-2023-20269.
“Akira threat actors do not leave an initial ransom demand or payment instructions on compromised networks, and do not relay this information until contacted by the victim,” the agencies stated.
Other initial access vectors include exposed external-facing services such as Remote Desktop Protocol (RDP), spear phishing, and abuse of valid credentials. Once inside, Akira operators target domain controllers and establish persistence by creating new domain accounts.
For credential access they use Kerberoasting and Mimikatz, and LaZagne to harvest stored credentials in support of privilege escalation. They use PowerTool to exploit the Zemana AntiMalware driver and terminate antivirus processes, and FileZilla, WinRAR, WinSCP, and RClone to stage and exfiltrate data.
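Two of the post-compromise behaviours above, Kerberoasting and the creation of new domain accounts on a domain controller, leave distinct traces in the Windows Security log (event 4769 for service-ticket requests, event 4720 for account creation). The following detection logic is an added example written for this page; it is not code from the advisory or from any of the agencies. The events it runs over are constructed samples using the standard 4769/4720 field names, and the threshold of three distinct service accounts is an assumption a defender would tune for their environment.

```python
"""Added detection example: flag Kerberoasting (4769, RC4 service tickets for several
SPN-bearing user accounts from one requester) and new domain accounts (4720).
Field names follow the Windows Security log schema; the events are constructed samples."""
from collections import defaultdict

# Constructed sample events (not real telemetry); only the fields used here are included.
SAMPLE_EVENTS = [
    # Normal AES (0x12) service-ticket request for a computer account.
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.1.2.20"},
    # Burst of RC4 (0x17) requests for several user service accounts from one requester:
    # the classic Kerberoasting signature (RC4 tickets are the ones worth cracking offline).
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.1.2.55"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.1.2.55"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.1.2.55"},
    # RC4 ticket for a computer account: legacy noise, not a Kerberoasting target.
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "PRINT01$",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.1.2.30"},
    # Failed request (Status != 0x0): no ticket was issued, so nothing to crack.
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_old",
     "TicketEncryptionType": "0x17", "Status": "0x1b", "IpAddress": "10.1.2.55"},
    # New domain account created on the DC, the persistence step the advisory describes.
    {"EventID": 4720, "SubjectUserName": "jdoe", "TargetUserName": "itadmin2",
     "Computer": "DC01.corp.local"},
]

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC (Kerberos etype 23)


def detect_kerberoasting(events, min_distinct_services=3):
    """Return {requester: sorted service accounts} for requesters that obtained successful
    RC4 service tickets for at least `min_distinct_services` distinct user service accounts.
    The threshold is an assumed tuning value, not a figure from the advisory."""
    per_requester = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or e.get("Status") != "0x0":
            continue
        if e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e.get("ServiceName", "")
        # Computer accounts (trailing $) and krbtgt are not Kerberoasting targets.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_requester[e["TargetUserName"]].add(svc)
    return {who: sorted(svcs) for who, svcs in per_requester.items()
            if len(svcs) >= min_distinct_services}


def detect_new_domain_accounts(events):
    """Return (creator, new_account) pairs from 4720 user-account-creation events."""
    return [(e["SubjectUserName"], e["TargetUserName"])
            for e in events if e.get("EventID") == 4720]


if __name__ == "__main__":
    for who, svcs in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {who}: RC4 tickets for {', '.join(svcs)}")
    for creator, acct in detect_new_domain_accounts(SAMPLE_EVENTS):
        print(f"new domain account {acct} created by {creator}")
```

On the sample data the first function attributes three RC4 tickets for distinct user service accounts to jdoe@CORP.LOCAL and ignores the computer-account and failed requests; the second surfaces the itadmin2 account created by jdoe. In production the same logic should be fed from the domain controllers' forwarded Security logs and correlated with the 4720 creator being an account that does not normally administer the domain.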
“Ransom payments are paid in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. To further apply pressure, Akira threat actors threaten to publish exfiltrated data on the Tor network, and in some instances have called victimized companies,” according to FBI reporting.
The FBI, CISA, EC3, and NCSC-NL have published a set of mitigations for defenders to counter the Akira ransomware threat. These include:
- Implementing phishing-resistant multi-factor authentication (MFA) on all services where possible, particularly VPNs, webmail, and accounts that access critical systems.
- Establishing stringent access controls and network segmentation to limit ransomware propagation.
- Maintaining offline data backups and regularly testing backup and restoration procedures.
- Ensuring all operating systems, software, and firmware are promptly updated.