The Akira ransomware gang has compromised at least 63 organizations since March 2023, mostly focusing on small- to medium-sized businesses (SMBs), cybersecurity firm Arctic Wolf reports.
Likely opportunistic, the group consists of at least some Conti-affiliated threat actors and engages in double extortion tactics, exfiltrating victim data prior to encryption and threatening to release the data publicly unless a ransom is paid.
“The group does not insist on a company paying for both decryption assistance and the deletion of data. Instead, Akira offers victims the opportunity to pick and choose what they would like to pay for,” Arctic Wolf notes.
The Akira ransomware group demands ransom payments ranging between $200,000 and $4 million. If the victim does not pay, their name and data are added to the group’s leak site.
At least 63 organizations have been listed on the site since March 2023, but some of them have been removed. Roughly 80% of the victims are SMBs.
Distributed via the ransomware-as-a-service (RaaS) business model, Akira is a fast-growing threat that leverages compromised credentials for intrusion. Most of the victims, Arctic Wolf says, did not have multi-factor authentication (MFA) enabled on their VPNs.
According to CloudSek, the group also uses malicious email attachments, malicious ads, and pirated software to spread the ransomware, and exploits unpatched vulnerabilities in VPN endpoints. It was also observed exploiting VMware ESXi vulnerabilities for lateral movement.
The group uses multiple readily available tools to obtain initial access to a victim’s environment and to perform system and data discovery, exfiltration, and command-and-control (C&C) activities.
The cybersecurity firm also identified code overlaps with the Conti ransomware, including similar functions and a similar implementation of the ChaCha algorithm for encryption.
Following the release of a decryptor for Akira on June 29, the ransomware operators modified the encryption routine, to prevent free file recovery.
Arctic Wolf also dived into the cryptocurrency wallet addresses used by the Akira ransomware operators, identifying additional wallets, and discovering overlaps with Conti activity, including three transactions in which over $600,000 were sent to Conti-affiliated addresses.
“Although Conti disbanded after increased pressure due to internal conflict and the publishing of their source code, many of the Conti members have continued to wreak havoc on organizations in 2023 through their activity with other Ransomware-as-a-Service groups, including Akira,” Arctic Wolf notes.
Related: Nubeva’s Ransomware Key Interception and Decryption Technology Validated in Third-Party Lab
Related: Tampa General Hospital Says Patient Information Stolen in Ransomware Attack
Related: Cosmetics Giant Estée Lauder Targeted by Two Ransomware Groups
More from Ionut Arghire
- Generative AI Startup Nexusflow Raises $10.6 Million
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
- Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
- Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
