CISA: Akira ransomware extorted $42M from 250+ victims

The Akira ransomware gang has gained approximately $42 million from more than 250 victims, according to a security advisory CISA released Thursday.

The advisory, which was issued jointly with the FBI, Europol's European Cybercrime Centre and the Netherlands' National Cyber Security Centre, was published to share known indicators of compromise and tactics, techniques and procedures with defenders. According to the agencies, since March 2023 Akira "has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia."

Most notably, Akira targeted Cisco VPNs in a series of attacks last year, and Sophos tracked Akira as the second-most prolific ransomware gang of 2023 in its "Active Adversary Report" released this month. CISA noted the former campaign in its advisory in reference to common ways Akira gains initial access.

"The FBI and cybersecurity researchers have observed Akira threat actors obtaining initial access to organizations through a virtual private network (VPN) service without multifactor authentication (MFA) configured, mostly using known Cisco vulnerabilities CVE-2020-3259 and CVE-2023-20269," the advisory read. "Additional methods of initial access include the use of external-facing services such as Remote Desktop Protocol (RDP), spear phishing, and the abuse of valid credentials."

Once the threat actors get initial access, they "abuse the functions of domain controllers by creating new domain accounts to establish persistence." Common post-exploitation techniques include "Kerberoasting" for credential extraction, credential scraping tools like Mimikatz for privilege escalation, and tools like Advanced IP Scanner and SoftPerfect for further device discovery. On the encryption end, CISA said Akira utilized a "sophisticated hybrid encryption scheme," which combines "a ChaCha20 stream cipher with an RSA public-key cryptosystem for speed and secure key exchange."

In addition, the group has been observed deploying two ransomware variants on different system architectures.

"Based on trusted third party investigations, Akira threat actors have been observed deploying two distinct ransomware variants against different system architectures within the same compromise event," the advisory read. "This marks a shift from recently reported Akira ransomware activity. Akira threat actors were first observed deploying the Windows-specific 'Megazord' ransomware, with further analysis revealing that a second payload was concurrently deployed in this attack (which was later identified as a novel variant of the Akira ESXi encryptor, 'Akira_v2')."

The advisory also includes a list of tools utilized by Akira, indicators of compromise and a list of Mitre ATT&CK tactics and techniques.

The joint advisory's list of mitigations is consistent with previous CISA advisories. The U.S. cybersecurity agency recommends organizations implement a recovery plan, require multifactor authentication, stay up to date on patches and segment networks, among other recommendations.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.