Recently, an increased number of Akira ransomware attacks has been observed against organizations around the globe.
Since the beginning of 2023, Akira ransomware has affected more than 250 targets globally and garnered over $42 million in ransom payments, as reported by CISA, the FBI, Europol, and the Netherlands’ National Cyber Security Centre (NCSC-NL).
Description:
As mentioned in Obrela’s advisory https://www.obrela.com/advisory/prominent-ransomware-in-2024/ at the beginning of the year, Akira is a novel ransomware variant that emerged in March 2023 and swiftly drew attention for its distinctive characteristics and strategies.
It is suspected to be linked to the now-defunct Conti ransomware group due to shared code elements such as string obfuscation and file encryption techniques. Akira primarily focuses on businesses in the United States and Canada, particularly in sectors such as materials, manufacturing, goods and services, construction, education, finance, legal, and healthcare. Even though its primary focus is the USA and Canada, Akira has also targeted businesses and critical infrastructure entities across North America, Europe, and Australia. Consequently, it is highly likely that it will target businesses on the remaining continents as well.
Akira gains initial access to target systems through unauthorized access to the organization’s VPNs. Specifically, the operators exploit Cisco vulnerabilities in VPN services that have not set up multifactor authentication (MFA). Initial access may also be achieved through spear phishing, RDP, or leaked credentials.
Employing double extortion, Akira steals sensitive data from victims before encrypting specific systems and files, then demands payment on both counts. It is also operated as Ransomware-as-a-Service (RaaS), making it accessible to numerous threat actors.
In early versions of Akira, encrypted files are identifiable by the “.akira” extension appended to their names. From August 2023, certain Akira attacks started employing Megazord, which encrypts files with a “.powerranges” extension. Both extensions are actively used.
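The two extensions above are the most visible on-disk indicator the advisory gives, so the following added example (not part of the original advisory) shows a simple defensive check: it scans file-activity events and raises an alert for any host where several files with these extensions appear within a short window, which is the pattern of mass encryption rather than a stray file. Event tuples, host names, paths and the threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions appended by Akira (".akira") and its Megazord variant (".powerranges"),
# as stated in the advisory text above.
AKIRA_EXTENSIONS = (".akira", ".powerranges")


def is_akira_artifact(path: str) -> bool:
    """Return True if the file path ends with an extension associated with Akira encryption."""
    return path.lower().endswith(AKIRA_EXTENSIONS)


def detect_mass_encryption(events, threshold=5, window=timedelta(seconds=60)):
    """Flag hosts where at least `threshold` Akira-extension files appear within `window`.

    events: iterable of (iso_timestamp, host, path) tuples, e.g. from file-create or
    rename telemetry. Returns {host: iso_timestamp} with the moment the threshold was crossed.
    """
    per_host = defaultdict(list)
    for ts, host, path in events:
        if is_akira_artifact(path):
            per_host[host].append(datetime.fromisoformat(ts))

    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start = 0  # left edge of a sliding window over the sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = t.isoformat()
                break
    return alerts


# Constructed sample telemetry (hypothetical hosts and paths, not from any real incident):
# fs01 shows five encrypted files in 31 seconds, ws07 a single one, fs02 three spread over 20 minutes.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "fs01", r"D:\Shares\Finance\budget.xlsx.akira"),
    ("2024-05-01T10:00:02", "fs01", r"D:\Shares\Finance\report.docx"),
    ("2024-05-01T10:00:05", "fs01", r"D:\Shares\Finance\payroll.docx.akira"),
    ("2024-05-01T10:00:12", "fs01", r"D:\Shares\Finance\q1.pdf.akira"),
    ("2024-05-01T10:00:20", "fs01", r"D:\Shares\Legal\contracts.zip.akira"),
    ("2024-05-01T10:00:31", "fs01", r"D:\Shares\Legal\notes.txt.akira"),
    ("2024-05-01T10:05:00", "ws07", r"C:\Users\alice\Pictures\photo.jpg.powerranges"),
    ("2024-05-01T11:00:00", "fs02", r"E:\Backups\db1.bak.powerranges"),
    ("2024-05-01T11:10:00", "fs02", r"E:\Backups\db2.bak.powerranges"),
    ("2024-05-01T11:20:00", "fs02", r"E:\Backups\db3.bak.powerranges"),
]

if __name__ == "__main__":
    print(detect_mass_encryption(SAMPLE_EVENTS))  # only fs01 crosses the threshold
```

Lower the threshold or widen the window for low-activity hosts; the single-file check alone (`is_akira_artifact`) is still useful as a high-fidelity indicator because neither extension occurs in legitimate software.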
Additionally, the ransomware performs credential dumping, targeting the LSASS process to obtain user accounts and password hashes. After the initial breach, it moves laterally through the network using the permissions it acquires.
Akira publicly posts information about its victims on a leak site it maintains.
Recommendations:
To prevent Akira and other ransomware attacks, it is recommended to take the following measures:
- Back up your data regularly and store the backups offline or on a separate system, so that data can be restored without paying the ransom in case of infection.
- Update your software and systems to the latest versions and apply security patches as soon as they are available to prevent ransomware from exploiting known vulnerabilities.
- Set up multifactor authentication (MFA) on VPN services.
- Use endpoint security solutions such as antivirus and endpoint detection and response (EDR) software to detect and block ransomware before it encrypts your data.
- Limit user privileges and access to the minimum necessary for their roles. This can reduce the risk of ransomware spreading to other devices or systems through compromised accounts.
- Use strong, unique passwords to reduce the risk from leaked credentials.
References:
- https://www.hhs.gov/sites/default/files/akira-randsomware-analyst-note-feb2024.pdf
- https://www.cybertalk.org/2024/02/02/proactive-ciso-strategies-for-akira-ransomware-prevention-defense/
- https://www.obrela.com/advisory/prominent-ransomware-in-2024/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a