The Akira ransomware has been around for just more than a year, but has caused its share of damage, racking up more than 250 victims and pulling in about $42 million in ransom, according to law enforcement and cybersecurity agencies in the United States and Europe.
Akira was first detected in 2023, showing itself to be a highly adaptable and constantly evolvingthe agencies – CISA and the FBI in the United States, Europol’s European Cybercrime Centre, and the Netherlands’ National Cyber Security Centre – wrote in an advisory this month. The advisory is the latest in the #StopRansomware series CISA, the FBI, and other organizations are issuing to alert organizations to threats from prolific ransomware gangs.
The group, which has attacked businesses and critical infrastructure organizations in North America, Europe, and Australia, initially targeted Windows systems but soon after also deployed a Linux variant used for VMware ESXi virtual machines. In addition, early versions of the ransomware were written in C++ and encrypted files with a .akira extention, though in August 2023 cybersecurity experts began seeing campaigns deploying “Magazord,” a variant written in Rust and encrypting files with a .powerranges extension.
Since then, bad actors using Akira have used both Megazord and Akira – including an Akira_v2 variant – interchangeably and, in some cases, at the same time.
“Akira threat actors have been observed deploying two distinct ransomware variants against different system architectures within the same compromise event,” the agencies wrote in the alert. “This marks a shift from recently reported Akira affiliate activity. Akira threat actors were first observed deploying the Windows-specific ‘Megazord’ ransomware, with further analysis revealing that a second payload was concurrently deployed in this attack (which was later identified as a novel variant of the Akira ESXi encryptor, ‘Akira_v2’).”
Targeting Linux Systems
It’s not surprising that Akira and other threat groups now have Linux systems in their crosshairs, according to Patrick Tiquet, vice president of security and architecture at Keeper Security. Systems running Microsoft’s Windows have always been targeted given their widespread use in corporate networks.
“However, organizations have increasingly been adopting Linux-based infrastructure, particularly in critical sectors like finance, healthcare and government – and we’re seeing threat actors adapt their tactics to capitalize on this trend,” Tiquet said. “Linux servers often host critical applications and data, making them attractive targets for extortion.”
He added that “the open-source nature of Linux allows threat actors to analyze and exploit vulnerabilities more easily, potentially leading to larger-scale attacks with greater impact.”
Omri Weinberg, co-founder and chief revenue officer at DoControl, noted that while Windows is prone to 85% of known ransomware attack, Linux is attractive to cybercriminals because servers running the operating system house large data stores, networks, and web services for both enterprises and government entities.
“In the end, both operating systems are targets due to unpatched vulnerabilities in their code base, which can be taken advantage of by cyberattackers,” Weinberg said. “Linux offers a different way into corporations, as vulnerabilities in the operating system open up the ability to infiltrate files and services, and changes the ransomware game by escalating access privileges, or by injecting executables with malignancies that carry out a command-and-control attack to encrypt an entire environment.”
What Akira Does
According to the advisory, Akira – which cybersecurity firm Arctic Wolf noted last year had ties to the now-disbanded Conti ransomware group – gains initial access by exploiting Cisco vulnerabilities in VPN services that don’t use multifactor authentication (MFA), as well as leveraging external-facing services like Remote Desk Protocol (RDP), spearphishing, and abusing valid credentials.
Once in the systems, threat actors create new domain accounts to establish persistent and use Kerberoasting to crack password hashes for service accounts in Active Directory, credential-scraping tools like Mimikatz and LaZagne for privilege escalation, and SoftPerfect and Advanced IP Scanner to discovery network devices for reconnaissance purposes.
To evade detection, Akira actors will disable security software and then use tools like FileZilla, WinRAR, WinSCP, and RClone to exfiltrate data from compromised systems. In December, Morgan Demboski, a threat intelligence analyst with cybersecurity firm Sophos’ managed detection and response team, wrote that over previous months Akira threat groups started focusing more on exfiltrating data from victims for extortion purposes rather than encrypting the data.
“Though only noted in a handful of cases, Akira’s recent trend of exfiltration without encryption by Akira may indicate new tactics by the actors to extort victims without the added detection risk that ransomware deployment might trigger,” Demboski wrote at the time.
That said, encryption is still on the menu, CISA and the FBI wrote, noting that “Akira threat actors utilize a sophisticated hybrid encryption scheme to lock data. This involves combining a ChaCha20 stream cipher with an RSA public-key cryptosystem for speed and secure key exchange. This multilayered approach tailors encryption methods based on file type and size and is capable of full or partial encryption.”
Recent Articles By Author
GIPHY App Key not set. Please check settings