Akira Ransomware Launches New Cyberattacks Using Stolen Credentials and Public Tools
The Akira ransomware group has intensified its operations, targeting over 350 organizations and claiming approximately $42 million USD in ransom proceeds by the beginning of 2024.
This sophisticated cybercriminal entity has been deploying a strategy known as “double extortion,” where data is encrypted and simultaneously stolen, with threats to leak the information unless a ransom is paid.
Exploitation Techniques and Initial Access
Akira’s modus operandi includes the use of compromised credentials to gain initial access to networks, often through VPN services that rely on single-factor authentication.
The group has shown a particular interest in targeting mid-sized businesses, with a focus on sectors such as education, finance, manufacturing, and healthcare in North America, Europe, and Australia.
Their initial access tactics involve various known vulnerabilities, particularly in Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software, identified by CVEs like CVE-2020-3259 and CVE-2023-20269.
The Akira ransomware has evolved from its initial C++-based code to incorporate Rust-based implementations named “Megazord,” which encrypt files with the .powerranges extension.
According to the Dark Atlas report, this shift to Rust signifies an attempt to enhance the speed and robustness of their encryption processes, making recovery efforts by victims more challenging.
The group’s latest variant, Akira_v2, includes advanced features like the ability to insert additional threads for faster encryption, tailored encryption methods based on file type and size, and the use of unique Build IDs to thwart dynamic analysis.

Data Exfiltration Tactics
Once inside a network, Akira employs a range of publicly available tools for reconnaissance and data exfiltration.
Tools such as Advanced IP Scanner, SoftPerfect Network Scanner, and Nltest are used for network discovery, while legitimate software like AnyDesk, PuTTY, and RClone facilitates remote access and data transfer to cloud services or FTP servers they control.
This exfiltration stage is crucial in their double extortion strategy, where they threaten to leak stolen data on the dark web if ransoms are not met.
After establishing persistence by creating new domain accounts, Akira deploys ransomware payloads targeting different system architectures within the same attack.
Their encryption process involves a hybrid scheme combining ChaCha20 for speed with RSA for secure key exchange, capable of both full and partial encryption.
Moreover, Akira uses PowerShell commands to delete volume shadow copies, hindering system recovery efforts.
From November 13 to 14, Akira posted over 30 new victims on their data leak site, marking their highest single-day activity since operations began.
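The tooling and shadow-copy deletion described above are visible in process-creation telemetry, and because every tool named is dual-use, the practical detection is per-host correlation rather than a single alert. The following is an added example written for this article, not code from the article, Dark Atlas, or any vendor. The tab-separated log format (timestamp, host, user, image path, command line), the hostnames, users and paths, and the regular expressions are all constructed assumptions standing in for Sysmon/EDR process-creation events.

```python
"""Behavioural detection for Akira-style tradecraft: dual-use recon, remote
access and exfiltration utilities, plus volume shadow copy deletion.
Added example for this article, not code from the article or any vendor.
The log format (tab-separated: timestamp, host, user, image path, command
line) is a constructed stand-in for Sysmon/EDR process-creation events."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Binary names for the tools the article names. Image-name matching alone is
# noisy where these tools are used legitimately, so hits are correlated per
# host below instead of alerting on every line.
TOOL_PATTERNS = {
    "advanced_ip_scanner": re.compile(r"advanced_ip_scanner", re.I),
    "softperfect_netscan": re.compile(r"\bnetscan(64)?\.exe", re.I),
    "nltest": re.compile(r"\bnltest\.exe", re.I),
    "anydesk": re.compile(r"\banydesk\.exe", re.I),
    "putty": re.compile(r"\b(putty|pscp|plink)\.exe", re.I),
    "rclone": re.compile(r"\brclone(\.exe)?\b", re.I),
}

# Shadow-copy deletion, matched on the command line so the PowerShell/WMI
# form the article mentions is caught alongside the vssadmin/wmic forms.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*remove-wmiobject",
    re.I,
)


@dataclass
class Finding:
    host: str
    user: str
    technique: str   # "tool:<name>" or "shadow_copy_delete"
    cmdline: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed record; malformed lines are skipped, not fatal."""
    parts = line.rstrip("\n").split("\t", 4)
    if len(parts) != 5:
        return None
    ts, host, user, image, cmdline = parts
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def scan(lines) -> List[Finding]:
    """Emit one Finding per matched technique per record."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if SHADOW_DELETE.search(rec["cmdline"]):
            findings.append(Finding(rec["host"], rec["user"], "shadow_copy_delete", rec["cmdline"]))
        for name, pat in TOOL_PATTERNS.items():
            if pat.search(rec["image"]) or pat.search(rec["cmdline"]):
                findings.append(Finding(rec["host"], rec["user"], "tool:" + name, rec["cmdline"]))
    return findings


def hosts_to_escalate(findings: List[Finding], min_distinct: int = 2) -> Dict[str, Set[str]]:
    """Hosts where distinct techniques co-occur (e.g. scanner + rclone), or
    where shadow copies were deleted at all, which needs no corroboration."""
    per_host: Dict[str, Set[str]] = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.technique)
    return {h: t for h, t in per_host.items()
            if "shadow_copy_delete" in t or len(t) >= min_distinct}


# Constructed sample telemetry; hostnames, users, paths and times are invented.
SAMPLE_LOG = [
    "2024-11-13T02:11:04Z\tWS-FIN-07\tcorp\\jdoe\tC:\\Users\\jdoe\\Downloads\\Advanced_IP_Scanner_2.5.exe\tAdvanced_IP_Scanner_2.5.exe /portable",
    "2024-11-13T02:14:31Z\tWS-FIN-07\tcorp\\jdoe\tC:\\Windows\\System32\\nltest.exe\tnltest /dclist:corp",
    "2024-11-13T02:40:12Z\tWS-FIN-07\tcorp\\jdoe\tC:\\Tools\\rclone.exe\trclone copy D:\\Finance remote:share",
    "2024-11-13T03:02:55Z\tSRV-FS-01\tcorp\\svc_backup\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell -c \"Get-WmiObject Win32_Shadowcopy | Remove-WmiObject\"",
    "2024-11-13T09:15:00Z\tWS-HR-02\tcorp\\asmith\tC:\\Program Files\\AnyDesk\\AnyDesk.exe\tAnyDesk.exe",
    "not a process record",
]

if __name__ == "__main__":
    for host, techniques in sorted(hosts_to_escalate(scan(SAMPLE_LOG)).items()):
        print(host, sorted(techniques))
```

Run stand-alone, the sample escalates WS-FIN-07 (scanner, nltest and rclone on one host within half an hour) and SRV-FS-01 (shadow-copy deletion), while the lone AnyDesk launch on WS-HR-02 is recorded but not escalated. The threshold and the pattern list are the tuning points: an environment that uses AnyDesk for support would raise `min_distinct` or drop that pattern rather than alert on each launch.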

This escalation indicates an aggressive expansion of their operations, with a notable impact on sectors critical to both economy and security.
The group’s activities have been associated with cybercrime groups like GOLD SAHARA and PUNK SPIDER, indicating a broad and possibly expanding network of affiliates or operators.
The continuous adaptation by Akira underscores the critical need for robust cybersecurity measures, including multi-factor authentication for VPN access and regular backups of critical data.
Organizations must remain vigilant and proactive in their defense strategies to mitigate the growing threat from groups like Akira.
Indicators of Compromise (IOC):
| File Name | SHA-256 Hash | Description |
|---|---|---|
| w.exe | d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca | Akira ransomware |
| Win.exe | dcfa2800754e5722acf94987bb03e814edcb9acebda37df6da1987bf48e5b05e | Akira ransomware encryptor |
| AnyDesk.exe | bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138 | Remote desktop application |
| VeeamHax.exe | aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d | Credential leaking tool |
| Akira_v2 | 3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75, 0ee1d284ed663 … | Akira_v2 ransomware |
| Megazord | ffd9f58e5fe8502249c67cad0123ceeeaa6e9f69b4ec9f9e21511809849eb8fc, dfe6fddc67bdc … | Akira “Megazord” ransomware |
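A file-hash sweep is the direct use of this table. The following is an added example written for this article, not tooling from the article or any vendor: it loads the complete SHA-256 values above (the truncated Akira_v2 and Megazord entries cannot be matched and are left out), streams each file under a directory tree through SHA-256, and reports matches. The `demo()` function and its sample file are constructed so the block runs offline; nothing it creates is a real artefact.

```python
"""Sweep a directory tree for files whose SHA-256 matches the article's IoC
list. Added example for this article, not the article's or any vendor's
tooling. Only the complete hashes from the table are included."""

import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# SHA-256 values copied from the article's IoC table.
AKIRA_IOCS: Dict[str, str] = {
    "d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca": "w.exe - Akira ransomware",
    "dcfa2800754e5722acf94987bb03e814edcb9acebda37df6da1987bf48e5b05e": "Win.exe - Akira ransomware encryptor",
    "bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138": "AnyDesk.exe - remote desktop application",
    "aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d": "VeeamHax.exe - credential leaking tool",
    "3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75": "Akira_v2 ransomware",
    "ffd9f58e5fe8502249c67cad0123ceeeaa6e9f69b4ec9f9e21511809849eb8fc": "Akira Megazord ransomware",
}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large artefacts are hashed without loading them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, iocs: Dict[str, str] = AKIRA_IOCS) -> List[Tuple[str, str, str]]:
    """Return (path, sha256, description) for each file under root whose hash
    is on the IoC list. Unreadable files are skipped rather than aborting."""
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Self-contained run: a constructed file whose own hash is added to a copy
    of the IoC list, so the sweep reports exactly one hit."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "sample.bin")
        with open(sample, "wb") as f:
            f.write(b"constructed sample, not a real artefact")
        iocs = dict(AKIRA_IOCS)
        iocs[sha256_file(sample)] = "constructed test entry"
        return sweep(root, iocs)


if __name__ == "__main__":
    for path, digest, desc in demo():
        print(f"{desc}: {path} ({digest[:16]}...)")
```

Two caveats when using the table this way. The article notes that Akira_v2 carries a unique Build ID per sample, so exact-hash IoCs go stale quickly and should complement, not replace, behavioural detection. And the AnyDesk.exe entry is a hash of a legitimate remote desktop binary: a match means the tool is present, which is only significant where AnyDesk is not sanctioned.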