Akira’s Reign of Terror: Ransomware Gang Targets 250+ Organizations, Earns $42 Million
The Akira ransomware gang has emerged as a significant threat to businesses and critical infrastructure entities across North America, Europe, and Australia, according to a recent joint cybersecurity advisory issued by the United States Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL).
TLDR
- The Akira ransomware gang has attacked over 250 organizations since March 2023, earning approximately $42 million in ransoms.
- Akira initially targeted Windows systems but has recently deployed a Linux variant targeting VMware ESXi virtual machines, which are widely used by large businesses and organizations.
- The gang exploits known Cisco vulnerabilities and uses spearphishing campaigns to breach organizations, disabling security software to avoid detection while moving laterally within the network.
- Akira demands ransom payments in Bitcoin and threatens to publish exfiltrated data on the Tor network if the victim does not comply.
- The FBI, CISA, EC3, and NCSC-NL have released a joint cybersecurity advisory to raise awareness about the threat and provide mitigation techniques, such as implementing a recovery plan, MFA, filtering network traffic, and system-wide encryption.
Since its emergence in March 2023, the Akira ransomware gang has conducted a staggering 250 attacks, amassing approximately $42 million in ransom payments from its victims.
The gang’s rapid success and substantial earnings have led experts to believe that Akira is composed of experienced ransomware actors who have quickly adapted their tactics to maximize their impact and profits.
Initially focusing on Windows systems, Akira has recently expanded its operations by deploying a Linux variant that specifically targets VMware ESXi virtual machines.
This development is particularly concerning, as these virtual machines are widely used by large businesses and organizations, making them prime targets for the ransomware gang.
To breach their victims’ networks, Akira exploits known Cisco vulnerabilities, such as CVE-2020-3259 and CVE-2023-20269, targeting virtual private network (VPN) services that lack multifactor authentication (MFA).
The gang employs spearphishing campaigns and other tools to gain initial access to their targets’ systems. Once inside, Akira typically disables security software to avoid detection while moving laterally within the network, exfiltrating sensitive data using tools like FileZilla, WinRAR, and AnyDesk.
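The sequence described above (security tooling disabled, data archived, data moved off-host with a transfer or remote-access tool) is something a defender can correlate per host. The following is an added example, not code from the advisory or the article: it runs over constructed, labelled sample log lines in an assumed `<time> host=<h> <event> ...` format and flags hosts where the stages appear in that order.

```python
import re
from collections import defaultdict

# Process names for the tools the advisory says Akira used to stage and move data.
ARCHIVERS = {"winrar.exe", "rar.exe"}
TRANSFER_TOOLS = {"filezilla.exe", "anydesk.exe"}
# Assumed log wording (hypothetical): a security service being stopped.
TAMPER_RE = re.compile(r"service_stopped name=\S+", re.I)
PROCESS_RE = re.compile(r"process_start image=(?P<image>.+)$", re.I)
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) (?P<rest>.*)$")
STAGES = ("tamper", "archive", "transfer")  # expected order of the chain

# Constructed sample telemetry (not real data); FS01 shows the full chain.
SAMPLE_LOG = """\
2024-04-18T02:10:05Z host=FS01 service_stopped name=WinDefend
2024-04-18T02:12:40Z host=FS01 process_start image=C:\\Tools\\WinRAR.exe
2024-04-18T02:15:02Z host=FS01 process_start image=C:\\Tools\\FileZilla.exe
2024-04-18T03:00:00Z host=WS07 process_start image=C:\\Program Files\\WinRAR\\WinRAR.exe
2024-04-18T09:30:11Z host=WS12 process_start image=C:\\Users\\a\\AnyDesk.exe
"""


def stage_of(rest):
    """Map the event part of a log line to a chain stage, or None if unrelated."""
    if TAMPER_RE.search(rest):
        return "tamper"
    m = PROCESS_RE.search(rest)
    if m:
        # Compare only the executable name, case-insensitively.
        image = m.group("image").rsplit("\\", 1)[-1].lower()
        if image in ARCHIVERS:
            return "archive"
        if image in TRANSFER_TOOLS:
            return "transfer"
    return None


def find_exfil_chains(log_text, min_stages=2):
    """Return {host: stages} for hosts with >= min_stages distinct stages seen
    in tamper -> archive -> transfer order. A lone WinRAR launch is not a hit
    by default, which keeps routine archiving from paging anyone."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        stage = stage_of(m.group("rest"))
        if stage and stage not in seen[m.group("host")]:
            seen[m.group("host")].append(stage)
    hits = {}
    for host, stages in seen.items():
        ordered = [s for s in STAGES if s in stages]
        if len(ordered) >= min_stages and stages == ordered:
            hits[host] = ordered
    return hits
```

Lowering `min_stages` to 1 turns the correlation into a plain tool-usage inventory, which is useful for a hunt but noisy as an alert.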
Unlike some other ransomware groups, Akira does not leave an initial ransom demand or payment instructions on compromised networks. Instead, the gang waits for the victim to contact them before relaying the ransom amount and payment details.
Akira demands that ransom payments be made in Bitcoin, with the threat actors providing cryptocurrency wallet addresses for the victims to use. To further pressure their victims, Akira threatens to publish exfiltrated data on the Tor network and, in some instances, has even resorted to calling the victimized companies directly.
The Akira ransomware gang has claimed responsibility for a series of high-profile attacks in 2024, including incidents involving
- Cloud hosting services provider Tietoevry
- Stanford University
- A major U.S. railroad company
- The government of Nassau Bay in Texas
- Bluefield University
- A state-owned bank in South Africa
- Foreign exchange broker London Capital Group
- Yamaha’s Canadian music division.
In response to the growing threat posed by Akira, the FBI, CISA, EC3, and NCSC-NL have released a joint cybersecurity advisory to raise awareness about the ransomware gang and provide mitigation techniques for organizations to protect themselves.
The advisory recommends implementing a recovery plan, enabling MFA, filtering network traffic, disabling unused ports and hyperlinks, and employing system-wide encryption to reduce the risk of a successful Akira attack.
The advisory also urges organizations to continually test their security programs at scale in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in the report.
By following these best practices and remaining vigilant, businesses and critical infrastructure entities can better defend themselves against the evolving tactics of the Akira ransomware gang and other cybercriminal groups.