Akira ransomware is encrypting victims again following pure extortion fling

October 22, 2024 at 11:36AM

Akira ransomware is returning to traditional encryption tactics after a hiatus from double extortion. Researchers note a shift towards operational efficiency and tactical adaptability, suspecting the development of a new encryptor. Akira targets vulnerabilities, particularly on ESXi and Linux systems, leveraging compromised credentials and phishing techniques to exploit networks.

### Meeting Takeaways: Akira Ransomware Update

#### Overview:
– The Akira ransomware group has shifted back to encrypting victims’ files, moving away from previous double extortion tactics.
– Security researchers James Nutland and Michael Szeliga from Cisco Talos highlight this change as a potential move towards enhancing operational stability and efficiency for Akira’s affiliate program.

#### Key Insights:
1. **Operational Strategy Shift**:
– Akira’s recent activities suggest a reversion to older methods after a period focused on data theft with no encryption.
– The group’s prior method mirrored practices from other ransomware operations, emphasizing direct data theft rather than encryption.

2. **Technical Development**:
– The Akira group initially used a C++ encryptor for Windows and later adopted a Rust-based variant for Linux.
– Recent samples are C++ builds resembling the group’s initial payload, suggesting a consolidation of tooling and a return to proven code.

3. **Adaptability and Evolution**:
– The use of diverse coding frameworks suggests an ongoing adaptability and experimentation with ransomware variants.
– Akira remains committed to refining its tactics, including exploiting high-impact vulnerabilities and targeting ESXi and Linux systems for maximum disruption.

4. **Prolific Status**:
– According to Microsoft, Akira is currently the most prolific ransomware group, responsible for 17% of all attacks in the past year, partially due to talent shifts from disrupted groups like LockBit and BlackCat.

5. **Vulnerability Exploitation**:
– Akira continues to take advantage of specific vulnerabilities, including the recent critical SonicWall vulnerability (CVE-2024-40766). Older vulnerabilities remain in use as well.
– Affiliates use a range of initial access techniques, including valid VPN credentials, identity compromise, and multiple phishing methods.

6. **Recommendations for Organizations**:
– Organizations should prioritize awareness of vulnerabilities targeted by Akira and ensure timely patching.
– Implementing strong detection measures against initial access techniques is essential to remain protected against ransomware attacks.
– Focus on mitigating the risk from unmanaged devices, which account for the vast majority (92%) of encryption incidents.

#### Conclusion:
Organizations must remain vigilant and adaptable in their cybersecurity measures to combat evolving ransomware threats, particularly from groups like Akira. Key actions include diligent vulnerability management and enhancing detection and response strategies to protect against potential exploits.
