Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

Akira Ransomware Made Over $42 Million in One Year: Agencies

Akira ransomware has hit over 250 organizations worldwide and received over $42 million in ransom payments.

Since early 2023, Akira ransomware has made over 250 victims worldwide and received more than $42 million in ransom payments, according to CISA, the FBI, Europol, and the Netherlands’ National Cyber Security Centre (NCSC-NL).

Akira ransomware operators have been observed targeting organizations in various industries, including services and goods, manufacturing, education, construction, critical infrastructure, finance, healthcare, and legal sectors.

Initially targeting Windows systems only, Akira has been infecting VMware ESXi virtual machines too since April 2023, and has been deployed in conjunction with Megazord starting August 2023, CISA, the FBI, Europol, and NCSC-NL note in an advisory.

For initial access, Akira ransomware’s operators have been targeting VPN services that lacked multi-factor authentication, mainly using known vulnerabilities in Cisco products (such as CVE-2020-3259 and CVE-2023-20269).

Additionally, they were seen using remote desktop protocol (RDP), spear-phishing, and valid credentials to access victims’ environments.

Following initial access, the threat actors were observed creating new domain accounts for persistence (including an administrative account in some instances), extracting credentials, and performing network and domain controller discovery.

“Based on trusted third-party investigations, Akira threat actors have been observed deploying two distinct ransomware variants against different system architectures within the same compromise event. This marks a shift from recently reported Akira ransomware activity,” the advisory reads.

In preparation for lateral movement, the Akira operators were seen disabling security software to prevent detection.

Advertisement. Scroll to continue reading.

Furthermore, they have been observed using FileZilla, WinRAR, WinSCP, and RClone for data exfiltration, and AnyDesk, Cloudflare Tunnel, MobaXterm, Ngrok, and RustDesk to establish command-and-control (C&C) communication.

Like other ransomware groups, Akira exfiltrates victims’ data before encrypting it. Victims are instructed to contact the attackers via a Tor-based site and then told to pay a ransom in Bitcoin.

“To further apply pressure, Akira threat actors threaten to publish exfiltrated data on the Tor network, and in some instances have called victimized companies,” CISA, the FBI, Europol, and NCSC-NL note.

The advisory also includes indicators of compromise (IoCs) associated with Akira, as well as recommended mitigations for network defenders.

Related: Cisco ASA Zero-Day Exploited in Akira Ransomware Attacks

Related: Dozens of Organizations Targeted by Akira Ransomware

Related: Watch Now: Ransomware Resilience & Recovery Summit Sessions Now on Demand

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Fastly announced that Scott Lovett will join the company as Chief Revenue Officer, effective June 3, 2024.

Digital transformation consulting firm Synechron has hired Aaron Momin as CISO.

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

More People On The Move

Expert Insights