Akira Ransomware Gang Extorts $42 Million; Now Targets Linux Servers

April 19, 2024 at 07:48AM

The Akira ransomware group has extorted $42 million from over 250 victims by targeting businesses and critical infrastructure worldwide. The group initially focused on Windows systems before deploying a Linux variant aimed at enterprise environments. It exploits known vulnerabilities in Cisco appliances and uses various methods to establish persistence and evade detection. Akira is also affiliated with the Conti ransomware gang. Separately, the LockBit ransomware gang has faced operational and reputational challenges following a law enforcement takedown, prompting it to inflate its apparent victim count. The Agenda ransomware group is using an updated Rust variant to target virtual machine infrastructure. Lower-tier threat actors can now use “junk-gun” ransomware as a cheap and easily accessible tool for profit.

The Akira ransomware group has extorted approximately $42 million from over 250 victims as of January 1, 2024. Since March 2023, the group has targeted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia, hitting both Windows and Linux systems.

Akira actors have gained initial access to target networks through known flaws in Cisco appliances, Remote Desktop Protocol (RDP), spear-phishing, valid credentials, and virtual private network (VPN) services that lack multi-factor authentication (MFA). The group has been observed using various tactics to set up persistence and evade detection, along with credential scraping tools for privilege escalation and Windows RDP for lateral movement within victim networks. Data exfiltration is carried out with a variety of tools.

The Akira ransomware encrypts targeted systems using a hybrid encryption algorithm and inhibits system recovery by deleting shadow copies from affected systems. There are also indications that the Akira ransomware group is associated with the now-defunct Conti ransomware gang.

The article also covers the operational and reputational impact on the LockBit gang following a law enforcement takedown, as well as the Agenda ransomware group’s use of an updated Rust variant to infect VMware vCenter and ESXi servers through RMM tools and Cobalt Strike.

It further describes the emergence of “crude, cheap ransomware” in the cybercrime underground, which allows lower-tier individual threat actors to generate significant profit independently.
