CISA & Partners Share New Threat Intelligence on Akira Ransomware
The Cybersecurity & Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) have issued a joint cybersecurity advisory about the Akira ransomware operation, which has conducted more than 250 attacks and has been paid around $42 million in ransom payments. The group’s operators are highly skilled and are associated with the infamous Conti ransomware operation.
Akira is a relatively new ransomware group that emerged in April 2023 that mostly targets small- to medium-sized businesses and demands ransom payments from around $200,000 to millions of dollars. The group has attacked many verticals including finance, real estate, manufacturing, and healthcare. Attacks on healthcare targets prompted the Health Sector Cybersecurity Coordination Center to issue a Sector Alert about Akira ransomware in September 2023. The latest cybersecurity advisory from CISA and Partners shares information on the latest tactics, techniques, and procedures (TTPs) used by the group, updated indicators of compromise (IoCs), and recommended mitigations for network defenders.
Akira has been observed gaining initial access to victims’ networks through a Virtual Private Network (VPN) service without multifactor authentication, primarily through the exploitation of the Cisco vulnerabilities CVE-20203259 and CVE-2023-20269. The group also targets external facing services including Remote Desktop Protocol (RDP), abuses valid credentials, and conducts spear phishing attacks.
When a corporate network has been breached, the group moves laterally and attempts to obtain Windows domain credentials, then deploys ransomware to encrypt files. The group engages in double extortion tactics, stealing sensitive data from victims and demanding payment to prevent stolen data from being leaked and for the keys to decrypt files. Initially, the group only attacked Windows systems but has developed a Linux encryptor and now also targets VMware ESXi virtual machines. The group uses Kerberoasting techniques and Mimikatz to obtain credentials, LaZagne to help with privilege escalation, PowerTool to exploit the Zemana AntiMalware driver and terminate antivirus-related processes, and FileZilla, WinRAR, WinSCP, and RClone for data exfiltration.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The cybersecurity advisory includes several recommended mitigations to prevent and reduce the impact of Akira ransomware attacks, some of the most important of which are ensuring that patches are applied to fix known exploited vulnerabilities – especially CVE-20203259 and CVE-2023-20269, enforcing phishing-resistant multifactor authentication across the organizations in particular for VPNs, webmail, and accounts linked to critical systems, and ensuring that software is kept up to date.
