Since early 2023, Akira ransomware has made over 250 victims worldwide and received more than $42 million in ransom payments, according to CISA, the FBI, Europol, and the Netherlands’ National Cyber Security Centre (NCSC-NL).
Akira ransomware operators have been observed targeting organizations in various industries, including services and goods, manufacturing, education, construction, critical infrastructure, finance, healthcare, and legal sectors.
Initially targeting Windows systems only, Akira has been infecting VMware ESXi virtual machines too since April 2023, and has been deployed in conjunction with Megazord starting August 2023, CISA, the FBI, Europol, and NCSC-NL note in an advisory.
For initial access, Akira ransomware’s operators have been targeting VPN services that lacked multi-factor authentication, mainly using known vulnerabilities in Cisco products (such as CVE-2020-3259 and CVE-2023-20269).
Additionally, they were seen using remote desktop protocol (RDP), spear-phishing, and valid credentials to access victims’ environments.
Following initial access, the threat actors were observed creating new domain accounts for persistence (including an administrative account in some instances), extracting credentials, and performing network and domain controller discovery.
“Based on trusted third-party investigations, Akira threat actors have been observed deploying two distinct ransomware variants against different system architectures within the same compromise event. This marks a shift from recently reported Akira ransomware activity,” the advisory reads.
In preparation for lateral movement, the Akira operators were seen disabling security software to prevent detection.
Furthermore, they have been observed using FileZilla, WinRAR, WinSCP, and RClone for data exfiltration, and AnyDesk, Cloudflare Tunnel, MobaXterm, Ngrok, and RustDesk to establish command-and-control (C&C) communication.
Like other ransomware groups, Akira exfiltrates victims’ data before encrypting it. Victims are instructed to contact the attackers via a Tor-based site and then told to pay a ransom in Bitcoin.
“To further apply pressure, Akira threat actors threaten to publish exfiltrated data on the Tor network, and in some instances have called victimized companies,” CISA, the FBI, Europol, and NCSC-NL note.
The advisory also includes indicators of compromise (IoCs) associated with Akira, as well as recommended mitigations for network defenders.
Related: Cisco ASA Zero-Day Exploited in Akira Ransomware Attacks
Related: Dozens of Organizations Targeted by Akira Ransomware
Related: Watch Now: Ransomware Resilience & Recovery Summit Sessions Now on Demand
