
Proactive CISO strategies for Akira ransomware prevention and defense – Source: www.cybertalk.org


In March of 2023, the Akira ransomware strain was first detected, and since then, the group has targeted over 100 different organizations in various sectors, including financial, manufacturing, real estate, healthcare, and medical. The group operates on a Ransomware-as-a-Service (RaaS) model and employs a double-extortion scheme: it exfiltrates sensitive data before encrypting devices, then demands a ransom in exchange for not publishing the data on its Tor leak site.

Most recently, the Akira ransomware interrupted a U.S. emergency dispatch system, resulting in a nine-day operational outage. During this period, dispatchers had to rely on backup systems, and as of the latest update, the full restoration of the system is still underway.

The Akira ransomware gang is known for its retro aesthetic, reminiscent of 1980s green screen consoles, and has been linked to the notorious Conti ransomware operation through cryptocurrency transactions, indicating a potential association between the two groups.

The group typically gains unauthorized access to organizations’ VPNs using compromised username/password combinations, allowing them to move laterally within the network and exploit various vulnerabilities in the system. The use of tools and techniques such as Remote Desktop Protocol (RDP) and service manager tools helps them gain persistent access within systems and evade security defenses.

The Akira ransomware group relies on a command and control (C2) mechanism to execute their activities, establishing communication with compromised machines and exerting control over the network. They also employ various tools for data exfiltration and utilize a combination of AES and RSA algorithms for data encryption, complicating the process of data restoration for victims.

To prevent and defend against Akira ransomware attacks, organizations are advised to enhance their identity and access management, store credentials securely, and proactively patch and monitor their network for unusual activities. Additionally, securing C2 channels and remote desktop protocols, implementing endpoint protection, and regularly updating security solutions are recommended measures to mitigate the risk of Akira ransomware attacks.
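The monitoring advice above, applied to the intrusion chain the article describes (RDP for lateral movement, service manager tools for persistence): the following is an added example, not code from the article or from any vendor, that correlates constructed Windows-style log records. The event shapes are simplified and modelled on Security event 4624 (logon type 10 = RDP) and System event 7045 (new service installed); the hosts, users, addresses and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security 4624 (logon_type 10 =
# RemoteInteractive/RDP) and System 7045 (new service installed). Not real logs.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:11:05", "host": "FS01", "id": 4624, "logon_type": 10,
     "user": "svc_backup", "src_ip": "10.8.0.23"},
    {"ts": "2024-05-01T02:13:40", "host": "FS01", "id": 7045,
     "service": "UpdSvc", "image": "C:\\ProgramData\\upd.exe"},
    {"ts": "2024-05-01T09:02:00", "host": "WS17", "id": 4624, "logon_type": 2,
     "user": "alice", "src_ip": "-"},
    {"ts": "2024-05-01T09:30:12", "host": "WS17", "id": 7045,
     "service": "Print Extensions", "image": "C:\\Windows\\System32\\spoolsv.exe"},
    {"ts": "2024-05-01T23:48:30", "host": "DC02", "id": 4624, "logon_type": 10,
     "user": "j.doe", "src_ip": "10.8.0.23"},
]

RDP_LOGON_TYPE = 10


def rdp_then_service_install(events, window_s=900):
    """Flag hosts where an RDP logon is followed by a new service install within
    window_s seconds: the RDP + service-manager persistence pattern described above."""
    window = timedelta(seconds=window_s)
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort as text
    recent_rdp = {}  # host -> [(logon time, user, src_ip), ...]
    alerts = []
    for e in ordered:
        t = datetime.fromisoformat(e["ts"])
        if e["id"] == 4624 and e.get("logon_type") == RDP_LOGON_TYPE:
            recent_rdp.setdefault(e["host"], []).append((t, e["user"], e["src_ip"]))
        elif e["id"] == 7045:
            for logon_t, user, src in recent_rdp.get(e["host"], []):
                if timedelta(0) <= t - logon_t <= window:
                    alerts.append({"host": e["host"], "user": user, "src_ip": src,
                                   "service": e["service"], "image": e["image"],
                                   "lag_s": int((t - logon_t).total_seconds())})
    return alerts


def rdp_fanout_sources(events, min_hosts=2):
    """Return source IPs that opened RDP sessions to at least min_hosts distinct
    hosts: one VPN-assigned address hopping between machines suggests lateral movement."""
    hosts_by_src = {}
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == RDP_LOGON_TYPE:
            hosts_by_src.setdefault(e["src_ip"], set()).add(e["host"])
    return {src: sorted(h) for src, h in hosts_by_src.items() if len(h) >= min_hosts}
```

On the constructed data, the first function raises one alert (FS01: RDP logon followed 155 seconds later by a new service) and the second flags 10.8.0.23 for reaching both FS01 and DC02; an interactive console logon on WS17 followed by a routine service install is not flagged.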
