Akira ransomware has changed considerably since it first emerged as a threat in March. It initially targeted Windows systems but has since added support for Linux servers, and that expansion has come with a broad set of tactics, techniques, and procedures (TTPs). A detailed report from LogPoint analyzes this “highly sophisticated” ransomware in depth, covering its encryption routine, its deletion of Volume Shadow Copies, and its ransom demands.
One of the primary entry points in the infection chain is CVE-2023-20269, a vulnerability in the remote-access VPN feature of Cisco ASA appliances that lets an unauthenticated attacker brute-force usernames and passwords. Accounts without multifactor authentication are the ones at risk, because a guessed password alone is then enough to establish a VPN session into the target network. The group behind Akira had attacked 110 victims as of early September, most of them in the United States and the United Kingdom. Notable victims include Intertek, a British quality-assurance company, along with manufacturing, professional-services, and automotive organizations.
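The initial-access pattern described above, a remote VPN portal being hammered with password guesses until an account without MFA gives way, leaves a distinctive trail in the firewall's syslog. The following detector is an added example written for this page; it is not part of the LogPoint report or the article. The log lines are constructed to look like Cisco ASA messages 113005 (AAA authentication rejected) and 113039 (AnyConnect session started), and the thresholds and five-minute window are assumptions to tune for your own environment. It flags a source IP that piles up failures, one that cycles through many usernames (password spraying), and, the strongest signal, a successful login from a source that was failing moments earlier.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Cisco ASA syslog output; not real log data.
SAMPLE_LOGS = """\
Sep 05 2023 10:00:01 asa-1 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 203.0.113.7
Sep 05 2023 10:00:03 asa-1 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = bob : user IP = 203.0.113.7
Sep 05 2023 10:00:06 asa-1 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = carol : user IP = 203.0.113.7
Sep 05 2023 10:00:09 asa-1 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = dave : user IP = 203.0.113.7
Sep 05 2023 10:00:12 asa-1 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = erin : user IP = 203.0.113.7
Sep 05 2023 10:00:15 asa-1 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = frank : user IP = 203.0.113.7
Sep 05 2023 10:00:18 asa-1 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = frank : user IP = 203.0.113.7
Sep 05 2023 10:00:40 asa-1 : %ASA-6-113039: Group <RA-VPN> User <frank> IP <203.0.113.7> AnyConnect parent session started.
Sep 05 2023 10:05:00 asa-1 : %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 198.51.100.9
Sep 05 2023 10:06:00 asa-1 : %ASA-6-113039: Group <RA-VPN> User <alice> IP <198.51.100.9> AnyConnect parent session started.
"""

TS = r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
FAIL_RE = re.compile(TS + r" .*%ASA-6-113005: .*: user = (?P<user>\S+) : user IP = (?P<ip>\S+)")
OK_RE = re.compile(TS + r" .*%ASA-6-113039: Group <[^>]*> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>")

# Assumed tuning values; adjust to the normal failure rate of your own VPN.
WINDOW = timedelta(minutes=5)
FAIL_THRESHOLD = 5      # rejected logins from one source IP inside WINDOW
SPRAY_THRESHOLD = 3     # distinct usernames tried from one source IP inside WINDOW


def parse_events(text):
    """Turn raw syslog lines into (timestamp, source_ip, user, kind) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        for pattern, kind in ((FAIL_RE, "fail"), (OK_RE, "success")):
            m = pattern.match(line)
            if m:
                ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
                events.append((ts, m["ip"], m["user"], kind))
                break
    return sorted(events, key=lambda e: e[0])


def detect(text):
    """Sliding-window detection keyed on source IP. Returns a list of alert dicts."""
    alerts = []
    failures = defaultdict(list)   # source IP -> [(ts, user)] still inside WINDOW
    fired = set()                  # (ip, rule) pairs already reported, to avoid repeats
    for ts, ip, user, kind in parse_events(text):
        recent = [(t, u) for t, u in failures[ip] if ts - t <= WINDOW]
        if kind == "fail":
            recent.append((ts, user))
            users = {u for _, u in recent}
            if len(recent) >= FAIL_THRESHOLD and (ip, "brute_force") not in fired:
                fired.add((ip, "brute_force"))
                alerts.append({"rule": "brute_force", "ip": ip, "failures": len(recent)})
            if len(users) >= SPRAY_THRESHOLD and (ip, "password_spray") not in fired:
                fired.add((ip, "password_spray"))
                alerts.append({"rule": "password_spray", "ip": ip, "users": sorted(users)})
        elif len(recent) >= FAIL_THRESHOLD:
            # A session from a source that was just failing repeatedly: the guess worked,
            # which is exactly what MFA on the account would have prevented.
            alerts.append({"rule": "success_after_failures", "ip": ip,
                           "user": user, "failures": len(recent)})
        failures[ip] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Against the sample, 203.0.113.7 trips the spray rule on its third distinct username, the brute-force rule on its fifth failure, and the success-after-failures rule when frank's session starts; the single failure and later success from 198.51.100.9 produce nothing, which is the behaviour you want for a user who simply mistyped a password.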
According to a report from GuidePoint Security’s GRI, educational organizations are disproportionately targeted by Akira, accounting for eight of the 36 victims it observed. The campaign uses several malware samples that divide up the work: system enumeration, searching for and encrypting files, and deleting shadow copies.
Akira runs a double-extortion scheme. After gaining access, the group exfiltrates sensitive data, then encrypts the victim’s systems and demands payment; victims who refuse are threatened with publication of the stolen data on the dark web. The toolset includes AnyDesk and RustDesk for remote desktop access, WinRAR for archiving and encrypting data before exfiltration, and PC Hunter and wmiexec for lateral movement within the breached network.
To evade Windows Defender, the group disables real-time monitoring, and shadow copies are deleted from PowerShell. Ransom notes containing payment instructions and decryption contact details are dropped in multiple locations across the victim’s system. Anish Bogati, a security research engineer at LogPoint, singles out Akira’s reliance on living-off-the-land binaries and scripts (LOLBAS), Windows’ own built-in tools, for execution, credential retrieval, defense evasion, lateral movement, and deletion of backups and shadow copies, activity that is hard to distinguish from legitimate administration.
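Because the Defender and shadow-copy steps above are carried out with built-in Windows tools, the practical detection point is the command line each process was started with (Sysmon Event ID 1 or Windows Security Event ID 4688, and PowerShell script-block logging). The scanner below is an added example for this page, not code from LogPoint or the article; the process-creation records are constructed, the rule names are assumptions, and the MITRE technique IDs are the standard ones for impairing defenses (T1562.001) and inhibiting system recovery (T1490). It goes one step beyond the paragraph by unwrapping a PowerShell -EncodedCommand payload before matching, since the same shadow-copy deletion is just as often delivered base64-encoded as in clear text.

```python
import base64
import re

# (rule name, MITRE ATT&CK technique, regex applied to the normalized command line)
SIGNATURES = [
    ("defender_realtime_disabled", "T1562.001",
     re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+(\$true|1)")),
    ("vss_delete_vssadmin", "T1490", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("vss_delete_wmic", "T1490", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("vss_delete_wmi_powershell", "T1490",
     re.compile(r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))")),
    ("wbadmin_catalog_delete", "T1490", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
    ("recovery_disabled", "T1490", re.compile(r"bcdedit.*recoveryenabled\s+no")),
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the payload is UTF-16LE base64.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([a-z0-9+/=]+)", re.IGNORECASE)


def normalize(cmdline):
    """Strip cmd.exe carets and quotes, expand an -EncodedCommand payload in place,
    collapse whitespace and lower-case, so one regex covers the common obfuscations."""
    text = cmdline.replace("^", "").replace('"', "").replace("'", "")
    m = ENC_RE.search(text)
    if m:
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-16le")
            text = text[:m.start()] + decoded + text[m.end():]
        except (ValueError, UnicodeDecodeError):
            pass  # not valid base64/UTF-16LE; keep the raw text for the other signatures
    return re.sub(r"\s+", " ", text).strip().lower()


def scan(events):
    """events: dicts with 'host', 'user', 'cmdline' (the shape of a Sysmon Event ID 1 record).
    Returns one alert per (event, matching signature)."""
    alerts = []
    for ev in events:
        norm = normalize(ev["cmdline"])
        for rule, technique, pattern in SIGNATURES:
            if pattern.search(norm):
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "rule": rule, "technique": technique})
    return alerts


# Constructed sample process-creation records; the third one carries the shadow-copy
# deletion as an encoded command, built here so the base64 is guaranteed correct.
_ENCODED = base64.b64encode(
    "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }".encode("utf-16le")
).decode()

SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "cmdline":
     'powershell.exe -ExecutionPolicy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "fs01", "user": "CORP\\svc_backup", "cmdline":
     "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs01", "user": "CORP\\svc_backup", "cmdline":
     "powershell.exe -nop -w hidden -enc " + _ENCODED},
    {"host": "db01", "user": "CORP\\admin", "cmdline": "cmd.exe /c wmic shadowcopy delete"},
    {"host": "fs01", "user": "CORP\\svc_backup", "cmdline": "vssadmin.exe list shadows"},
    {"host": "ws01", "user": "CORP\\jdoe", "cmdline": 'powershell.exe -Command "Get-MpPreference"'},
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The two benign records (listing shadow copies, reading Defender preferences) stay silent, which matters in practice: backup software and administrators legitimately touch the same binaries, so the rules key on the destructive verbs rather than on the tool names alone.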
In response to this evolving threat, Bogati recommends enforcing multi-factor authentication (MFA) and restricting account permissions to blunt credential brute-forcing, along with regular software and system updates, since the group exploits newly disclosed vulnerabilities. The report also advises auditing privileged accounts, conducting regular security awareness training, and segmenting the network so that critical systems and sensitive data are isolated and an intruder’s lateral movement is contained.
The emergence of Akira, along with other new ransomware groups, has produced a shifting landscape. Established groups such as LockBit have seen their victim counts fall, while smaller groups with distinct characteristics and targets have grown in prominence, among them 8Base, Malas, Rancoz, and BlackSuit. Bogati warns that Akira is likely to become one of the most active threat actors, given its rising victim count and the development of multiple malware variants with different capabilities. The group is constantly searching for unpatched systems to exploit.
In conclusion, the Akira ransomware has evolved significantly since its emergence, expanding its reach to include Linux servers and employing a diverse set of tactics. The group has successfully targeted numerous victims and demonstrates a high level of sophistication in its methodology. Organizations must implement various countermeasures such as MFA, regular updates, security awareness training, and network segmentation to mitigate the risks posed by this evolving threat landscape.

