Akira Ransomware Banks $42 Million in Ransom Payments Over a Single Year

Since early 2023, Akira ransomware has targeted more than 250 victims globally and collected over $42 million in ransom payments, according to CISA, the FBI, Europol, and the Netherlands’ National Cyber Security Centre (NCSC-NL).

The operators of Akira ransomware have been observed attacking organizations across various sectors, including services and goods, manufacturing, education, construction, critical infrastructure, finance, healthcare, and legal industries.

Initially focused on Windows systems, Akira has expanded its reach to infect VMware ESXi virtual machines since April 2023 and has been used in conjunction with Megazord since August 2023, as highlighted in an advisory by CISA, the FBI, Europol, and NCSC-NL.

To gain initial access, the operators of Akira ransomware targeted VPN services lacking multi-factor authentication, primarily exploiting known vulnerabilities in Cisco products (such as CVE-2020-3259 and CVE-2023-20269). They also utilized remote desktop protocol (RDP), spear-phishing, and stolen credentials to breach victims’ environments.

After gaining access, the threat actors created new domain accounts for persistence, including administrative accounts in some cases, extracted credentials, and conducted network and domain controller reconnaissance.

Threat Actor Operating Akira Runs Two Distinct Variants

Based on credible third-party investigations, Akira threat actors have been observed deploying two distinct ransomware variants targeting different system architectures within the same compromise event. This represents a shift from previously reported Akira ransomware activity, the advisory stated.

In preparation for lateral movement within networks, the Akira operators disabled security software to evade detection. They were also observed using tools such as FileZilla, WinRAR, WinSCP, and RClone for data exfiltration, and AnyDesk, Cloudflare Tunnel, MobaXterm, Ngrok, and RustDesk to establish command-and-control (C&C) communication.

Similar to other ransomware groups, Akira exfiltrates victims’ data before encrypting it. Victims are instructed to contact the attackers via a Tor-based website and subsequently directed to pay ransom in Bitcoin.

To apply further pressure, Akira threat actors threaten to publish exfiltrated data on the Tor network and have even contacted victimized companies in some instances, noted CISA, the FBI, Europol, and NCSC-NL.

By Zaib
April 26, 2024
Computer Security, Ransomware
English
April 26, 2024
Computer Security, Ransomware

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Error: Ox800VDS Pop-up Scam

1 month ago

Softcnapp Potentially Unwanted Application

2 months ago

Alrucs Service Trojan

23 days ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

9 months ago

Alludesgroup.com Attempts to Slip You Ads

16 days ago

Related Posts

Ransomware

Lumino_Ransom Ransomware Contains Bilingual Ransom Note

Lumino_Ransom is a new ransomware variant discovered in late October 2022. It does not belong to any of the big families of ransomware clones. Lumino will encrypt the system and scramble files on it. Once encrypted,... Read more

October 21, 2022
Ransomware

Prestige Ransomware Lists No Ransom Demands

Prestige is the name of a new ransomware variant that is not related to any of the big ransomware families. Prestige will encrypt files found on the victim system's drives once deployed, scrambling their contents and... Read more

October 26, 2022
Ransomware

Harditem Ransomware

Harditem is the name of a newly discovered strain of ransomware. The malicious program behaves like you would expect it to - it encrypts files on the victim system, scrambling most document, media and archive file... Read more

June 23, 2022
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.