July 11, 2024 at 05:44PM
Akira ransomware attackers have shown a significant decrease in the time it takes to steal data, managing to siphon off information from a Latin American airline in just over two hours. Using the SSH protocol, the threat actor gained access via an unpatched Veeam backup server and swiftly began exfiltrating data before deploying the ransomware the following day, highlighting the urgency for organizations to strengthen their defenses.
Key takeaways from the meeting notes:
1. Akira ransomware actors now steal data from victims in just over two hours, a significant shift in the average time cybercriminals take to move from initial access to data exfiltration.
2. The BlackBerry Threat Research and Intelligence Team detailed a June Akira ransomware attack on a Latin American airline, indicating that the threat actor gained initial access through an unpatched Veeam backup server using the Secure Shell (SSH) protocol.
3. The likely perpetrator, Storm-1567, is a prolific user of the Akira ransomware-as-a-service (RaaS) platform known for double-extortion tactics and attacking Windows and Linux/VMware ESXi systems.
4. Storm-1567 swiftly siphoned off data from the Veeam backup server within 133 minutes using legitimate tools and utilities, including creating a user account, abusing network management tools, and exfiltrating data via WinSCP.
5. The attackers returned the next day to deploy the Akira ransomware after conducting further reconnaissance, exploiting vulnerabilities, and disabling antivirus protection.
6. The time taken for data exfiltration has been significantly reduced, emphasizing the pressing need for a robust security architecture, a zero-trust framework, and meticulous perimeter patching to thwart rapid data theft by cybercriminals.
7. Basic hygiene measures like implementing port access restrictions are also crucial to increase the difficulty of data exfiltration attempts.
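As an added illustration (not part of the original article or the BlackBerry report), the Python below correlates two constructed Windows Security events on a backup host: a local account creation (event ID 4720) followed, within a configurable window, by that new account launching WinSCP (event ID 4688), the pattern described in takeaway 4. The host names, user names, paths and timestamps are invented sample data; the 180-minute window is an assumption chosen to cover the 133 minutes reported.

```python
"""Flag a newly created account that launches WinSCP shortly afterwards."""
from datetime import datetime

# Assumption: exfil tooling appears within 3 h of account creation (report: 133 min).
WINDOW_MINUTES = 180

# Constructed sample events: "<iso-time> <host> <event-id> key=value ...".
# 4720 = user account created, 4688 = new process created (Windows Security log).
SAMPLE_EVENTS = [
    "2024-06-09T08:00:00 fileserver02 4720 TargetUserName=jsmith SubjectUserName=Administrator",
    "2024-06-11T01:02:00 veeam-bkp01 4720 TargetUserName=svc_backup2 SubjectUserName=Administrator",
    "2024-06-11T01:15:30 veeam-bkp01 4688 NewProcessName=C:\\Windows\\System32\\cmd.exe SubjectUserName=svc_backup2",
    "2024-06-11T02:40:10 veeam-bkp01 4688 NewProcessName=C:\\Tools\\WinSCP.exe SubjectUserName=svc_backup2",
    "2024-06-11T03:00:00 fileserver02 4688 NewProcessName=C:\\Users\\jsmith\\WinSCP\\WinSCP.exe SubjectUserName=jsmith",
]


def parse_event(line):
    """Split one constructed log line into a dict of timestamp, host, id and fields."""
    ts, host, event_id, rest = line.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    return {"ts": datetime.fromisoformat(ts), "host": host, "id": event_id, **fields}


def find_new_account_then_winscp(lines, window_minutes=WINDOW_MINUTES):
    """Return (host, user, minutes) for each WinSCP launch by an account created
    on the same host at most `window_minutes` earlier."""
    events = [parse_event(line) for line in lines]
    created = {}  # (host, user) -> time the account was created
    for e in events:
        if e["id"] == "4720":
            created[(e["host"], e["TargetUserName"])] = e["ts"]
    alerts = []
    for e in events:
        if e["id"] != "4688" or not e["NewProcessName"].lower().endswith("winscp.exe"):
            continue
        key = (e["host"], e["SubjectUserName"])
        if key in created:
            minutes = (e["ts"] - created[key]).total_seconds() / 60
            if 0 <= minutes <= window_minutes:  # ignore long-standing accounts
                alerts.append((e["host"], e["SubjectUserName"], round(minutes)))
    return alerts


if __name__ == "__main__":
    for host, user, minutes in find_new_account_then_winscp(SAMPLE_EVENTS):
        print(f"ALERT {host}: account {user} ran WinSCP {minutes} min after creation")
```

On the sample data only the backup-server account created 98 minutes before the WinSCP launch is flagged; the long-existing account on the file server is not.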
These takeaways underscore the urgency for organizations to enhance their cybersecurity measures to combat the increasingly speedy and sophisticated tactics employed by ransomware actors.