CISA, FBI, and International Partners Issue Advisory on Akira Ransomware on April 18, 2024
CISA, the Federal Bureau of Investigation (FBI), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) released a joint Cybersecurity Advisory (CSA), #StopRansomware: Akira Ransomware, to publish known Akira ransomware tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified through FBI investigations as recently as February 2024.
"Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia," cybersecurity agencies from the Netherlands and the U.S., along with Europol's European Cybercrime Centre (EC3), stated in a joint alert.
Published Date: 04/18/2024
Summary:
Evolving from an initial focus on Windows systems to a Linux variant targeting VMware ESXi virtual machines, Akira threat actors began deploying Megazord (a Rust-based code) and Akira (written in C++), including Akira_v2 (also Rust-based) in August 2023. Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia and has extorted approximately $42 million (USD) in ransomware illegal profits after breaching the networks of more than 250 victims as of January 1, 2024.
According to analysis by Trend Micro, "Akira ransomware encrypts targeted systems using a hybrid encryption algorithm that combines Chacha20 and RSA. Additionally, the Akira ransomware binary, like most modern ransomware binaries, has a feature that allows it to inhibit system recovery by deleting shadow copies from the affected system."
Infiltration Tactics:
Exploiting vulnerabilities in virtual private network (VPN) services, particularly those without multifactor authentication (MFA), is usually the first step in this type of ransomware attack. In order to gain initial access, Akira threat actors take advantage of existing vulnerabilities in Cisco systems, as shown in CVE-2020-3259 and CVE-2023-20269. Additionally, Remote Desktop Protocol (RDP) and spear phishing are other examples of external-facing services that act as access points, stressing the urgency of strong cybersecurity policies.
Evasion Strategies:
Akira hackers use a variety of evasion techniques to avoid detection, such as turning off security software and making use of weaknesses in antivirus programs. To further evade detection, they take advantage of PowerTool to exploit the Zemana AntiMalware driver. Other tools in their arsenal include programs such as FileZilla and WinSCP for data exfiltration to cover their tracks.
Targeting and Scope of Attacks:
Recent research shows that while Akira victims are located worldwide, they focus on the United States, specifically organizations in California, Texas, Illinois, and the East Coast, especially the Northeast, as these states are home to Akira's most targeted industries which include materials, manufacturing, goods and services, construction, education, finance, legal, and healthcare.
CISA and partners encourage critical infrastructure organizations to review and implement the mitigations provided in the joint CSA to reduce the likelihood and impact of Akira and other ransomware incidents. For more information, see CISA’s #StopRansomware webpage and the updated #StopRansomware Guide.