Warning Issued About Akira Ransomware as Attacks on Critical Infrastructure Accelerate
A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Defense Cyber Crime Center (DC3), Department of Health and Human Services (HHS), and international law enforcement partners about the Akira ransomware group, which has accelerated its attacks on critical infrastructure in recent months.
According to the FBI, Akira has been paid more than $244 million in ransoms since the group was first identified in March 2023. While Akira primarily targets small- to medium-sized organizations, the group has also attacked larger organizations, favoring sectors such as manufacturing, education, information technology, healthcare, financial services, and food and agriculture.
The group’s tactics are constantly evolving. While the group initially targeted Windows systems, a Linux version of its encryptor has been developed that is used to target VMware Elastic Sky X Integrated (ESXi) virtual machines (VMs), and recently the group has been observed encrypting Nutanix AHV VM disk files.
Akira typically uses stolen credentials for initial access, often obtained in spear phishing campaigns or through brute force attempts to guess weak passwords. Akira may also purchase access to compromised networks from initial access brokers. The group typically targets virtual private network (VPN) services that do not have multifactor authentication enabled, although vulnerabilities are also exploited. Akira has been observed exploiting vulnerabilities in Cisco devices (CVE-2020-3259; CVE-2023-70766) and has recently been observed exploiting a vulnerability in SonicWall Firewall devices (CVE-2024-40766). Once access has been gained, the group maintains persistence by using legitimate remote access tools such as LogMeIn and AnyDesk.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Like many other ransomware groups, Akira engages in double extortion tactics, stealing data and encrypting files, then demanding payment to prevent the publication of the stolen data on its leak site and to obtain the decryptrion keys.
“The threat of ransomware from groups like Akira is real and organizations need to take it seriously, with swift implementation of mitigation measures,” said Nick Andersen, Executive Assistant Director for the Cybersecurity Division (CSD) at CISA. The joint advisory about Akira ransomware was first issued in April 2024, but has now been updated with new tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) from recent attacks, including new recommended mitigations. The most important mitigations are to ensure that vulnerabilities are patched promptly, especially the vulnerabilities detailed in the advisory; to implement and enforce phishing-resistant multifactor authentication; and to ensure that backups are made of all critical data, storing backups securely offline.
