Akira Ransomware Banks $42 Million in Ransom Payments Over a Single Year
Since early 2023, Akira ransomware has targeted more than 250 victims globally and collected over $42 million in ransom payments, according to CISA, the FBI, Europol, and the Netherlands’ National Cyber Security Centre (NCSC-NL).
The operators of Akira ransomware have been observed attacking organizations across various sectors, including services and goods, manufacturing, education, construction, critical infrastructure, finance, healthcare, and legal industries.
Initially focused on Windows systems, Akira has expanded its reach to infect VMware ESXi virtual machines since April 2023 and has been used in conjunction with Megazord since August 2023, as highlighted in an advisory by CISA, the FBI, Europol, and NCSC-NL.
To gain initial access, the operators of Akira ransomware targeted VPN services lacking multi-factor authentication, primarily exploiting known vulnerabilities in Cisco products (such as CVE-2020-3259 and CVE-2023-20269). They also used remote desktop protocol (RDP), spear-phishing, and stolen credentials to breach victims’ environments.
After gaining access, the threat actors created new domain accounts for persistence, including administrative accounts in some cases, extracted credentials, and conducted network and domain controller reconnaissance.
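The persistence step described above (a newly created domain account that is promoted to a privileged group shortly afterwards) is something a defender can look for in Windows Security event logs. The following is an added example, not code from the advisory or the agencies that issued it; it assumes events have already been exported as JSON lines with the field names shown, and the sample events are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Windows Security event IDs: 4720 = user account created,
# 4728 = member added to a security-enabled global group,
# 4732 = member added to a security-enabled local group.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
WINDOW = timedelta(hours=24)  # creation-to-promotion window that is worth flagging

# Constructed sample export (hypothetical field names, not a real log format).
SAMPLE_EVENTS = """
{"ts": "2024-03-02T01:12:04Z", "event_id": 4720, "subject": "jdoe", "target": "svc-backup2"}
{"ts": "2024-03-02T01:12:31Z", "event_id": 4728, "subject": "jdoe", "target": "svc-backup2", "group": "Domain Admins"}
{"ts": "2024-03-02T09:30:00Z", "event_id": 4720, "subject": "hr-admin", "target": "new.hire"}
{"ts": "2024-03-05T10:00:00Z", "event_id": 4732, "subject": "hr-admin", "target": "new.hire", "group": "Remote Desktop Users"}
"""


def parse_ts(value):
    # ISO 8601 with a trailing Z; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_new_privileged_accounts(lines, window=WINDOW):
    """Return accounts that were created and then added to a privileged group within `window`."""
    created = {}   # target account -> (creation time, creating principal)
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])
        if ev["event_id"] == 4720:
            created[ev["target"]] = (ts, ev["subject"])
        elif ev["event_id"] in (4728, 4732) and ev.get("group") in PRIVILEGED_GROUPS:
            hit = created.get(ev["target"])
            if hit and ts - hit[0] <= window:
                findings.append({
                    "account": ev["target"],
                    "group": ev["group"],
                    "created_by": hit[1],
                    "promoted_by": ev["subject"],
                    "seconds_between": int((ts - hit[0]).total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for f in find_new_privileged_accounts(SAMPLE_EVENTS.splitlines()):
        print(f)
```

Tune the group list and window to the environment; a legitimate onboarding flow that creates accounts and grants privileged membership in one change request will also match and should be allow-listed by ticket or by creating principal.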
Threat Actor Operating Akira Runs Two Distinct Variants
Based on credible third-party investigations, Akira threat actors have been observed deploying two distinct ransomware variants targeting different system architectures within the same compromise event. This represents a shift from previously reported Akira ransomware activity, the advisory stated.
In preparation for lateral movement within networks, the Akira operators disabled security software to evade detection. They were also observed using tools such as FileZilla, WinRAR, WinSCP, and RClone for data exfiltration, and AnyDesk, Cloudflare Tunnel, MobaXterm, Ngrok, and RustDesk to establish command-and-control (C&C) communication.
Similar to other ransomware groups, Akira exfiltrates victims’ data before encrypting it. Victims are instructed to contact the attackers via a Tor-based website and subsequently directed to pay ransom in Bitcoin.
To apply further pressure, Akira threat actors threaten to publish exfiltrated data on the Tor network and have even contacted victimized companies in some instances, noted CISA, the FBI, Europol, and NCSC-NL.