Akira Ransomware Group Drains $42 Million From 250+ Firms

Akira's tactics have recently expanded to include Linux variants, intensifying concerns among global cybersecurity agencies.

by Ashish Khaitan, April 19, 2024, in Dark Web News, Firewall Daily, Ransomware News

The Akira ransomware group has been identified as the culprit behind a series of cyberattacks targeting businesses and critical infrastructure entities across North America, Europe, and Australia.

According to the latest advisory by the U.S. Federal Bureau of Investigation (FBI), since March 2023 the Akira ransomware group has breached over 250 organizations, amassing a staggering $42 million in ransomware payments.

Initially focusing on Windows systems, Akira's tactics have recently expanded to include Linux variants, intensifying concerns among global cybersecurity agencies.

The FBI, in collaboration with key players such as the Cybersecurity and Infrastructure Security Agency (CISA), Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL), has issued a joint advisory to raise awareness and disseminate crucial threat information.

The Hidden Modus Operandi of the Akira Ransomware Group

The FBI revealed the group's modus operandi, which involves a multi-faceted approach to infiltrate and compromise targeted organizations. Leveraging known vulnerabilities, particularly CVE-2020-3259 and CVE-2023-20269, Akira actors exploit weaknesses in virtual private network (VPN) services lacking multifactor authentication (MFA), alongside other entry points such as Remote Desktop Protocol (RDP) and spear phishing.

Once inside the network, Akira operatives establish persistence by creating new domain accounts and employ post-exploitation techniques such as credential scraping with tools like Mimikatz and LaZagne.

This enables them to escalate privileges and navigate the network undetected, utilizing reconnaissance tools like SoftPerfect and Advanced IP Scanner to map out the infrastructure.

Moreover, the threat actor has evolved over the years and has been using multiple ransomware variants “against different system architectures within the same compromise event”. This differs from what was previously reported about Akira affiliates and their attack process.

“Akira threat actors were first observed deploying the Windows-specific ‘Megazord’ ransomware, with further analysis revealing that a second payload was concurrently deployed in this attack (which was later identified as a novel variant of the Akira ESXi encryptor, ‘Akira_v2’),” says the FBI.

Defense Evasion, Encryption and Mitigation

Apart from upgrades on its offensive side, the Akira ransomware group has also refined its stealth to evade detection. According to the FBI, the group has been deploying a variety of tactics, including disabling security software and running multiple ransomware variants simultaneously.

The ransomware encryption process is sophisticated, employing a hybrid encryption scheme combining ChaCha20 stream cipher with RSA public-key cryptosystem, tailored to file types and sizes. Encrypted files are marked with either a .akira or .powerranges extension, with the ransom note strategically placed in directories.
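The two file extensions named above are a usable detection hook: a burst of renames to .akira or .powerranges on one host within a short window is a strong sign that encryption is under way. The script below is an added example, not code from the advisory or this article; it assumes a constructed telemetry format (`<timestamp> <host> RENAME <old> -> <new>`) and constructed sample lines, and flags any host that crosses a rename threshold inside a sliding time window.

```python
"""Flag hosts showing Akira-style mass renames to .akira / .powerranges.

Telemetry format below is an assumption for this example, not a real
product's log schema:  <ISO timestamp> <host> RENAME <old_path> -> <new_path>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Extensions named in the joint advisory
AKIRA_EXTENSIONS = {".akira", ".powerranges"}

# Constructed sample telemetry (not real log data): fs01 shows a burst,
# ws07 shows one ordinary rename and one isolated suspicious rename.
SAMPLE_LOG = """\
2024-04-18T09:00:01 fs01 RENAME /srv/share/q1.xlsx -> /srv/share/q1.xlsx.akira
2024-04-18T09:00:02 fs01 RENAME /srv/share/q2.xlsx -> /srv/share/q2.xlsx.akira
2024-04-18T09:00:02 fs01 RENAME /srv/share/plan.docx -> /srv/share/plan.docx.akira
2024-04-18T09:00:03 fs01 RENAME /srv/share/notes.txt -> /srv/share/notes.txt.akira
2024-04-18T09:00:05 fs01 RENAME /srv/share/img.png -> /srv/share/img.png.akira
2024-04-18T09:30:00 ws07 RENAME /home/a/draft.doc -> /home/a/final.doc
2024-04-18T10:15:00 ws07 RENAME /home/a/old.bak -> /home/a/old.bak.powerranges
"""

def parse_line(line):
    """Return (timestamp, host, new_path) or None for lines we don't understand."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "RENAME" or parts[4] != "->":
        return None
    return datetime.fromisoformat(parts[0]), parts[1], parts[5]

def is_ransom_rename(new_path):
    """True when the destination name carries one of the known extensions."""
    return PurePosixPath(new_path).suffix.lower() in AKIRA_EXTENSIONS

def find_mass_renames(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {host: peak_count} for hosts with >= threshold suspicious renames
    inside any sliding interval of length `window`."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_ransom_rename(rec[2]):
            per_host[rec[1]].append(rec[0])
    hits = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[host] = max(hits.get(host, 0), end - start + 1)
    return hits

if __name__ == "__main__":
    print(find_mass_renames(SAMPLE_LOG))   # {'fs01': 5}
```

Lower the threshold or widen the window for slow, throttled encryption runs, and pair this with alerts on the security-software tampering and new domain account creation described above.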

In response to the threat posed by Akira ransomware, cybersecurity authorities like CISA advocate for proactive measures to mitigate risks and enhance organizational resilience. Recommendations include implementing multifactor authentication, maintaining up-to-date software patches, segmenting networks, and employing robust endpoint detection and response (EDR) tools.

Furthermore, organizations are advised to conduct regular audits of user accounts, disable unused ports, and enforce the principle of least privilege to limit unauthorized access. Backup strategies should include offline, encrypted backups covering the entire data infrastructure, ensuring rapid recovery in the event of a ransomware attack.
