FBI: Akira Ransomware Group Made $42 Million From 250+ Orgs

The Akira ransomware group has breached the networks of over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds, according to a recent joint cybersecurity advisory issued by the United States Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL).

According to FBI investigations, Akira ransomware has targeted a wide range of businesses and critical infrastructure entities across North America, Europe, and Australia since March 2023.

While the ransomware initially targeted Windows systems, the FBI recently found a Linux variant of Akira targeting VMware ESXi virtual machines, which are widely used across many large businesses and organizations.

“Early versions of the Akira ransomware variant were written in C++ and encrypted files with a .akira extension; however, beginning in August 2023, some Akira attacks began deploying Megazord, using Rust-based code which encrypts files with a .powerranges extension. Akira threat actors have continued to use both Megazord and Akira, including Akira_v2 (identified by trusted third party investigations) interchangeably,” the joint cybersecurity advisory reads.

The FBI and cybersecurity researchers have observed Akira threat actors obtaining initial access to organizations through virtual private network (VPN) services without multifactor authentication (MFA) configured, mostly by exploiting two known Cisco ASA/FTD vulnerabilities: CVE-2020-3259, an information disclosure flaw in the web services interface that can leak memory contents including credentials, and CVE-2023-20269, an unauthorized access flaw in the remote access VPN feature that enables brute-force credential attacks.

Additional methods of initial access include the use of external-facing services such as Remote Desktop Protocol (RDP), spear phishing attacks, and credential abuse.

Once initial access is obtained, Akira threat actors abuse domain controller functions by creating new domain accounts to establish persistence.

For credential access and privilege escalation, the group uses Kerberoasting and the credential-scraping tools Mimikatz and LaZagne. It uses PowerTool to exploit the Zemana AntiMalware driver and terminate antivirus-related processes, and FileZilla, WinRAR, WinSCP, and RClone to stage and exfiltrate data.
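The post-exploitation behaviour described above (new domain accounts for persistence, Kerberoasting, and exfiltration tooling being launched) maps onto standard Windows Security event IDs, so it can be hunted for in existing logs. The following is an added example written for this page, not code from the advisory, the FBI/CISA, or the article's author. It runs three simple detection rules over a constructed, flattened export of Windows Security events; the sample records, hostnames, account names, the flattened dict format, and the thresholds (three RC4 service-ticket requests, the privileged-group list, the exfiltration tool names) are assumptions chosen for the demo.

```python
import os
from collections import defaultdict

# Constructed sample of flattened Windows Security log records (not real telemetry).
# Field names follow the XML EventData names of the corresponding events.
SAMPLE_EVENTS = [
    # Persistence: a new domain account is created on the DC (4720) and then
    # added to Domain Admins (4728, "member added to a security-enabled global group").
    {"EventID": 4720, "Computer": "DC01.corp.example", "SubjectUserName": "jsmith",
     "TargetUserName": "helpdesk2"},
    {"EventID": 4728, "Computer": "DC01.corp.example", "SubjectUserName": "jsmith",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=helpdesk2,CN=Users,DC=corp,DC=example"},
    # Kerberoasting: one principal requests RC4-HMAC (etype 0x17) service tickets
    # (4769) for several distinct service accounts in a short span.
    {"EventID": 4769, "Computer": "DC01.corp.example", "TargetUserName": "jsmith@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Computer": "DC01.corp.example", "TargetUserName": "jsmith@CORP.EXAMPLE",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Computer": "DC01.corp.example", "TargetUserName": "jsmith@CORP.EXAMPLE",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    # Benign: an AES256 (0x12) ticket for a machine account should not fire.
    {"EventID": 4769, "Computer": "DC01.corp.example", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12"},
    # Exfiltration tooling: process creation (4688) of rclone from a user profile.
    {"EventID": 4688, "Computer": "FS01.corp.example", "SubjectUserName": "helpdesk2",
     "NewProcessName": "C:\\Users\\helpdesk2\\Downloads\\rclone.exe",
     "CommandLine": "rclone.exe copy D:\\Finance remote:bucket"},
    {"EventID": 4688, "Computer": "WS07.corp.example", "SubjectUserName": "bob",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
]

# Assumed tunables for the demo; tune to the environment before use.
PRIV_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
RC4_ETYPE = "0x17"           # RC4-HMAC; AES ticket types are 0x11/0x12
KERBEROAST_MIN_SPNS = 3      # distinct roastable SPNs from one requester
EXFIL_TOOLS = {"rclone.exe", "winscp.exe", "filezilla.exe", "winrar.exe"}


def detect_account_persistence(events):
    """Flag accounts that were created (4720) and then added to a privileged group (4728)."""
    created = {e["TargetUserName"] for e in events if e["EventID"] == 4720}
    alerts = []
    for e in events:
        if e["EventID"] == 4728 and e["TargetUserName"] in PRIV_GROUPS:
            # MemberName is a distinguished name; take the leading CN.
            cn = e["MemberName"].split(",")[0]
            cn = cn[3:] if cn.startswith("CN=") else cn
            if cn in created:
                alerts.append({"rule": "new-account-privileged", "account": cn,
                               "group": e["TargetUserName"], "by": e["SubjectUserName"]})
    return alerts


def detect_kerberoasting(events):
    """Flag one principal requesting RC4 service tickets for many distinct SPNs."""
    by_requester = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_ETYPE:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and the TGT service are not roasting targets
        by_requester[e["TargetUserName"]].add(svc)
    return [{"rule": "kerberoast", "requester": user, "spn_count": len(spns)}
            for user, spns in by_requester.items() if len(spns) >= KERBEROAST_MIN_SPNS]


def detect_exfil_tools(events):
    """Flag process creation (4688) of the transfer/archiving tools named in the advisory."""
    alerts = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        # Normalise Windows paths so basename() works on any host running this script.
        exe = os.path.basename(e["NewProcessName"].replace("\\", "/")).lower()
        if exe in EXFIL_TOOLS:
            alerts.append({"rule": "exfil-tool", "host": e["Computer"],
                           "user": e["SubjectUserName"], "exe": exe})
    return alerts


def run_all(events):
    return detect_account_persistence(events) + detect_kerberoasting(events) + detect_exfil_tools(events)


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

The exfiltration rule is a heuristic: RClone, WinSCP, FileZilla, and WinRAR all have legitimate uses, so in production the hit should be correlated with the user, the launch path (a user profile or temp directory rather than an installed location), and outbound volume rather than alerted on alone. The Kerberoasting rule relies on RC4 ticket requests; if the domain still issues RC4 tickets routinely, the threshold needs to be raised or the rule keyed to ticket bursts per requester per minute.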

“Akira threat actors do not leave an initial ransom demand or payment instructions on compromised networks, and do not relay this information until contacted by the victim,” the agencies said.

“Ransom payments are paid in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. To further apply pressure, Akira threat actors threaten to publish exfiltrated data on the Tor network, and in some instances have called victimized companies, according to FBI reporting.”

The FBI, CISA, EC3, and NCSC-NL have provided a range of cybersecurity practices for defenders to combat the threat of Akira ransomware, including:

- enabling phishing-resistant multi-factor authentication (MFA) for all services, particularly VPNs, webmail, and accounts that access critical systems;
- implementing strict access controls and segmenting networks to restrict the spread of ransomware;
- maintaining offline data backups and regularly testing backup and restoration;
- keeping all operating systems, software, and firmware up to date.

Kavita Iyer, https://www.techworm.net