The FBI and Cybersecurity and Infrastructure Security Agency on Thursday warned that Akira ransomware is actively launching attacks against critical industries by exploiting vulnerabilities in edge devices and backup servers.
Akira ransomware has been linked to a range of threat activity in recent months, including a surge in attacks targeting SonicWall firewall customers beginning in July. U.S. officials warned that Akira has been expanding a wide range of attacks, with activity dating up to this month, and that the hackers have been collaborating with other threat groups.
“This group primarily attacks small, medium-sized businesses, but has also attacked larger organizations across several sectors,” Nick Andersen, executive assistant director for the Cybersecurity Division at CISA, told reporters during a Thursday conference call.
The targets have also included manufacturing, education, healthcare, IT, financial and food and agricultural companies.
As of September, the group has claimed more than $244 million in proceeds from these attacks, Brett Leatherman, assistant director of the FBI Cyber Division, said.
The group has targeted VPNs, including SonicWall products, by either stealing credentials or exploiting vulnerabilities like CVE-2024-40766, according to an updated advisory from the FBI and CISA.
Earlier this year the group gained access through a VPN that did not have multifactor authentication. The group has exploited vulnerabilities in Cisco products, including CVE-2020-3259 and CVE-2023-20269.
The group has abused remote access tools like AnyDesk or LogMeIn to maintain persistence inside a system.
Akira has used a double extortion method, encrypting data and threatening to leak it on its Tor network, according to the advisory.
