In less than a year of operations, the Akira Ransomware gang, known for multi-extortion tactics, has claimed approximately $42 million in ransomware proceeds from more than 250 affected organizations, according to the Federal Bureau of Investigation (FBI) and other authorities.
Those figures are as of January 1st, 2024, even though the group itself was first spotted only in March of last year. Akira has quickly established itself as one of the most productive cybercrime rings.
In response, cyber agencies including the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre, and others have released a joint cybersecurity advisory to help network defenders protect against Akira’s attacks.
The FBI and cybersecurity researchers have observed Akira threat actors obtaining initial access to organizations through a virtual private network (VPN) service without multifactor authentication (MFA) configured. The black hats mostly used known Cisco vulnerabilities, but they also gained initial access by exploiting Remote Desktop Protocol, spear phishing, and the abuse of valid credentials.
“Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines,” states the document.
Agencies explain that early versions of the Akira ransomware variant were written in C++ and encrypted files with a .akira extension. However, since August 2023, Akira has shifted to deploying Windows-specific “Megazord” ransomware built on Rust-based code, which encrypts files with a .powerranges extension. The likely reason for the change is a decryptor released by Avast.
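The two file extensions above are among the few concrete on-disk indicators the advisory gives, so a defender can watch for them. The following is an added example, not code from the advisory or the article: it scans a constructed file-event log and flags any host/user pair that renames or creates several files with an Akira extension inside a short window, which separates mass encryption from a single stray file. The log format, hostnames and user names are assumptions made for the example.

```python
# Added example (not from the advisory or the article). Flags actors that
# produce many .akira / .powerranges files in a short window, the pattern
# a mass-encryption run leaves behind. Log format below is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

AKIRA_EXTENSIONS = (".akira", ".powerranges")  # extensions named in the advisory

def parse_event(line):
    """Parse a constructed 'ISO-timestamp host user action path' line."""
    ts, host, user, action, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), host, user, action, path

def flag_mass_encryption(lines, window=timedelta(minutes=5), threshold=3):
    """Return the set of (host, user) pairs that wrote at least `threshold`
    files with an Akira extension within any sliding `window`."""
    per_actor = defaultdict(list)
    for line in lines:
        ts, host, user, action, path = parse_event(line)
        if action in ("RENAME", "CREATE") and path.lower().endswith(AKIRA_EXTENSIONS):
            per_actor[(host, user)].append(ts)
    hits = set()
    for actor, stamps in per_actor.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits.add(actor)
                break
    return hits

# Constructed sample log: FS01 shows a burst, WS07 a single file, and FS02
# three files spread over 40 minutes (outside the 5-minute window).
SAMPLE_LOG = [
    "2024-01-05T09:00:01 FS01 svc_backup RENAME /srv/share/finance/q1.xlsx.akira",
    "2024-01-05T09:00:02 FS01 svc_backup RENAME /srv/share/finance/q2.xlsx.akira",
    "2024-01-05T09:00:04 FS01 svc_backup CREATE /srv/share/finance/akira_readme.txt",
    "2024-01-05T09:00:05 FS01 svc_backup RENAME /srv/share/hr/payroll.docx.akira",
    "2024-01-05T09:30:00 WS07 alice RENAME /home/alice/notes.txt.powerranges",
    "2024-01-05T10:00:00 WS07 alice CREATE /home/alice/report.pdf",
    "2024-01-05T11:00:00 FS02 svc_backup RENAME /srv/archive/a.powerranges",
    "2024-01-05T11:20:00 FS02 svc_backup RENAME /srv/archive/b.powerranges",
    "2024-01-05T11:40:00 FS02 svc_backup RENAME /srv/archive/c.powerranges",
]

if __name__ == "__main__":
    print(flag_mass_encryption(SAMPLE_LOG))  # {('FS01', 'svc_backup')}
```

Tune `window` and `threshold` to the normal rename rate of the monitored share; the FS02 case shows why a time bound, not just a count, is needed to keep false positives down.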
“As Akira threat actors prepare for lateral movement, they commonly disable security software to avoid detection. Cybersecurity researchers have observed Akira threat actors using PowerTool to exploit the Zemana AntiMalware driver and terminate antivirus-related processes,” the advisory reads.
Among the largest Akira victims were Japanese auto giant Nissan, which notified 100,000 individuals about a cyber breach; Stanford University, which allegedly lost 430GB of internal data; and Nassau Bay, a city in Texas.
The group consistently demands ransom payments ranging from $200,000 to $4 million and publishes stolen data online if payment is not made.
Authorities “encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.”
Those start with “implement a recovery plan” for maintaining and retaining multiple copies of data, followed by strong passwords, multifactor authentication, keeping software and firmware up to date, network segmentation, network traffic filtering, and other measures.