A joint advisory from Europol's European Cybercrime Centre (EC3) [2] [4], US government agencies (the FBI and CISA) [4], and the Netherlands' NCSC-NL describes the tactics, techniques, and procedures of the Akira ransomware group.

Description

The group has targeted over 250 organizations in North America, Europe [1] [2] [3] [4] [5], and Australia [1] [2] [3] [4] [5], generating approximately $42 million in ransom proceeds between March 2023 and January 2024. Early Akira versions were written in C++; the actors have since added Rust-based code, including a Linux variant that targets VMware ESXi virtual machines, and have targeted Cisco VPN appliances for initial access. Other initial access methods include exploiting known vulnerabilities and abusing valid credentials [1], in particular on VPN services that do not enforce multifactor authentication.

Once inside [1], the actors abused domain controllers by creating new domain accounts to maintain persistence, then carried out post-exploitation steps such as credential scraping and network and device discovery [1]. Within a single intrusion Akira has deployed two distinct ransomware variants against different system architectures (Windows hosts and Linux/ESXi hosts) [1]. Both use a hybrid encryption scheme [1]: file contents are encrypted with a symmetric stream cipher (ChaCha20) and the symmetric keys are in turn protected with an RSA public key, so files cannot be recovered without the attackers' private key, which is why tested offline backups are the primary recovery path.

Businesses and critical infrastructure have been affected, and the advisory urges organizations to implement mitigations against Akira incidents. Those recommended by CISA include maintaining and testing a recovery plan with offline backups [1], requiring multifactor authentication [1], keeping systems patched [1], and segmenting networks [1]. The FBI [5], CISA [1] [2] [3] [5], EC3 [5], and NCSC-NL have published technical details of the attacks [5], including the Linux variant targeting VMware ESXi virtual machines [5]. The group has deployed the Akira and Megazord variants interchangeably [5]. The figure of more than $1 billion in cryptocurrency payments cited in the same reporting refers to ransomware payments as a whole in 2023, not to Akira alone, whose known proceeds are the $42 million noted above [5]. Separately, international law enforcement agencies took down the leak site of the LockBit ransomware operation [5], part of a wider coordinated effort against ransomware [5].

Conclusion

The impact of the Akira ransomware group has been significant, with businesses and critical infrastructure affected [1] [3]. Organizations should implement the advisory's recommended mitigations (multifactor authentication, timely patching, network segmentation, and a tested recovery plan with offline backups) to defend against such incidents. The takedown of the LockBit leak site by international law enforcement indicates a coordinated effort to combat ransomware, and highlights the need for continued vigilance and collaboration against these threats.

References

[1] https://www.techtarget.com/searchsecurity/news/366581522/CISA-Akira-ransomware-extorted-42M-from-250-plus-victims
[2] https://www.scmagazine.com/news/akira-takes-in-42-million-in-ransom-payments-now-targets-linux-servers
[3] https://www.cisa.gov/news-events/alerts/2024/04/18/cisa-and-partners-release-advisory-akira-ransomware
[4] https://www.infosecurity-magazine.com/news/akira-ransomware-42-million/
[5] https://cryptonews.com/news/fbi-europol-say-akira-ransomware-has-drained-42m-from-250-firms.htm