Threat actors behind the Akira ransomware group have extorted approximately $42 million in illicit proceeds after breaching the networks of more than 250 victims as of January 1, 2024.
“Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia,” cybersecurity agencies from the Netherlands and the U.S., along with Europol’s European Cybercrime Centre (EC3), said in a joint alert.
“In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines.”
The double-extortion group has been observed using a C++ variant of the locker in the early stages, before shifting to a Rust-based code as of August 2023. It’s worth noting that the e-crime actor is completely different from the Akira ransomware family that was active in 2017.
Initial access to target networks is facilitated by means of exploiting known flaws in Cisco appliances (e.g., CVE-2020-3259 and CVE-2023-20269).
Alternate vectors involve the use of Remote Desktop Protocol (RDP), spear-phishing, valid credentials, and virtual private network (VPN) services lacking in multi-factor authentication (MFA) protections.
Akira actors are also known to leverage various ways to set up persistence by creating a new domain account on the compromised system, as well as evade detection by abusing the Zemana AntiMalware driver to terminate antivirus-related processes via what’s called a Bring Your Own Vulnerable Driver (BYOVD) attack.
To aid in privilege escalation, the adversary relies on credential scraping tools like Mimikatz and LaZagne, while Windows RDP is utilized to move laterally within the victim’s network. Data exfiltration is accomplished through FileZilla, WinRAR, WinSCP, and RClone.
“Akira ransomware encrypts targeted systems using a hybrid encryption algorithm that combines Chacha20 and RSA,” Trend Micro said in an analysis of the ransomware published in October 2023.
“Additionally, the Akira ransomware binary, like most modern ransomware binaries, has a feature that allows it to inhibit system recovery by deleting shadow copies from the affected system.”
Some instances have also entailed the financially motivated gang delivering two distinct ransomware variants against different system architectures – viz., Windows and ESXi encryptors (Akira_v2) – within the same compromise event.
Blockchain and source code data suggests that Akira ransomware group is likely affiliated with the now-defunct Conti ransomware gang. A decryptor for Akira was released by Avast last July, but it’s highly likely the shortcomings have since been plugged.
Akira’s mutation to target Linux enterprise environments also follows similar moves by other established ransomware families such as LockBit, Cl0p, Royal, Monti, and RTM Locker.
LockBit’s Struggles to Come Back
The disclosure comes as Trend Micro revealed that the sweeping law enforcement takedown of the prolific LockBit gang earlier this February has had a significant operational and reputational impact on the group’s ability to bounce back, prompting it to post old and fake victims on its new data leak site.
“LockBit was one of the most prolific and widely used RaaS strains in operation, with potentially hundreds of affiliates, including many associated with other prominent strains,” Chainalysis noted in February.
The blockchain analytics firm said it uncovered cryptocurrency trails connecting a LockBit administrator to a journalist based in Sevastopol known as Colonel Cassad, who has a history of soliciting donations for Russian militia group operations in the sanctioned jurisdictions of Donetsk and Luhansk following the onset of the Russo-Ukrainian war in 2022.
It’s worth pointing out that Cisco Talos, in January 2022, linked Colonel Cassad (aka Boris Rozhin) to an anti-Ukraine disinformation campaign orchestrated by the Russian state-sponsored group known as APT28.
“Following the operation, LockBitSupp [the alleged leader of LockBit] appears to be attempting to inflate the apparent victim count while also focusing on posting victims from countries whose law enforcement agencies participated in the disruption,” Trend Micro said in a recent deep dive.