April 19, 2024 at 08:04AM
Akira ransomware has victimized over 250 organizations globally, collecting $42 million in ransom payments. Initially targeting Windows systems, it has expanded to infect VMware ESXi virtual machines. Through various tactics like targeting VPN services and known vulnerabilities in Cisco products, the operators gain access to victims’ environments. They then deploy distinct ransomware variants and threaten to publish exfiltrated data if ransoms are not paid. CISA, the FBI, Europol, and NCSC-NL advise on mitigations.
Based on the meeting notes, here are the key takeaways:
1. The Akira ransomware has targeted over 250 victims globally, resulting in over $42 million in ransom payments.
2. Operates have targeted organizations across various sectors, including services and goods, manufacturing, education, construction, critical infrastructure, finance, healthcare, and legal sectors.
3. Akira ransomware initially targeted Windows systems but has since expanded to infect VMware ESXi virtual machines since April 2023, in conjunction with Megazord starting August 2023.
4. The operators primarily gain initial access by targeting VPN services lacking multi-factor authentication, utilizing known vulnerabilities in Cisco products, remote desktop protocol (RDP), spear-phishing, and valid credentials.
5. Threat actors create new domain accounts for persistence, extract credentials, and perform network and domain controller discovery.
6. Akira operators disable security software to evade detection and use various tools for data exfiltration and establishing command-and-control communication.
7. Upon encryption of data, victims are instructed to contact the attackers via a Tor-based site and are compelled to pay a ransom in Bitcoin, with the threat of data publication on the Tor network.
8. The advisory includes indicators of compromise (IoCs) associated with Akira and recommended mitigations for network defenders.
Let me know if you need anything else.