    Akira Ransomware Syndicate Extorts $42 Million; Expands Focus to Linux Servers

    The Akira ransomware syndicate has amassed approximately $42 million in ill-gotten gains by breaching the networks of over 250 victims as of January 1, 2024.

    A joint alert issued by cybersecurity agencies from the Netherlands, the U.S., and Europol’s European Cybercrime Centre (EC3) revealed that since March 2023, the Akira ransomware has targeted various businesses and critical infrastructure entities across North America, Europe, and Australia.

    In April 2023, the threat actors behind Akira pivoted to a Linux variant, particularly targeting VMware ESXi virtual machines, following an initial focus on Windows systems.

    Initially employing a C++ variant of the locker, the group transitioned to a Rust-based codebase by August 2023. It’s important to note that this e-crime actor is distinct from the Akira ransomware family active in 2017.

    The syndicate gains initial access to target networks by exploiting known vulnerabilities in Cisco appliances, such as CVE-2020-3259 and CVE-2023-20269. Alternate entry points include Remote Desktop Protocol (RDP), spear-phishing, valid credentials, and VPN services lacking multi-factor authentication (MFA).

    To establish persistence, Akira actors create a new domain account on compromised systems and circumvent detection by exploiting the Zemana AntiMalware driver to terminate antivirus processes through a Bring Your Own Vulnerable Driver (BYOVD) attack.

    For privilege escalation, the threat actors utilize credential scraping tools like Mimikatz and LaZagne, leveraging Windows RDP for lateral movement within the victim’s network. Data exfiltration is accomplished using tools such as FileZilla, WinRAR, WinSCP, and RClone.

    “Akira ransomware employs a hybrid encryption algorithm combining Chacha20 and RSA,” noted Trend Micro in an October 2023 analysis. “Additionally, the ransomware binary includes a feature to hinder system recovery by deleting shadow copies.”
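    The post-compromise behaviours described above (a new domain account for persistence, shadow copy deletion to hinder recovery, and off-the-shelf exfiltration tools) are all visible in ordinary Windows event data. The script below is an added detection sketch, not code from the advisory or from any vendor: it runs over a handful of constructed log lines in a simplified key=value rendering of Windows Security events (IDs 4720 and 4688 are the real account-creation and process-creation event IDs; the hostnames, usernames and paths are invented) and returns an alert per matching behaviour.

```python
"""Detection sketch for the Akira behaviours the joint alert describes:
new account creation (persistence), shadow copy deletion (recovery
inhibition) and execution of common exfiltration tools.
Added example code; not part of the original article or the advisory.
The log format is a constructed, simplified key=value rendering of
Windows event data. Real SIEM schemas differ."""
import re
from dataclasses import dataclass

# Real Windows Security log event IDs.
ACCOUNT_CREATED = "4720"   # A user account was created
PROCESS_CREATED = "4688"   # A new process has been created

# Process names of the exfiltration tools named in the advisory.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe", "filezilla.exe", "winrar.exe"}

# Common shadow copy deletion commands (vssadmin, wmic, WMI via PowerShell).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"Win32_ShadowCopy.*\.Delete\(\))",
    re.IGNORECASE,
)

# Constructed sample events: hosts, users and paths are invented.
SAMPLE_LOG = [
    'host=DC01 event_id=4720 subject_user=svc_backup target_user=itadmin2',
    'host=WS07 event_id=4688 subject_user=jdoe image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe notes.txt"',
    'host=FS01 event_id=4688 subject_user=itadmin2 image="C:\\Windows\\System32\\vssadmin.exe" cmdline="vssadmin.exe delete shadows /all /quiet"',
    'host=FS01 event_id=4688 subject_user=itadmin2 image="C:\\Tools\\rclone.exe" cmdline="rclone.exe copy D:\\Share remote:bucket"',
    'host=WS07 event_id=4624 subject_user=jdoe logon_type=10',
]


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def parse_line(line):
    """Parse key=value pairs; values may be double-quoted (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def detect(lines):
    """Return one Alert per event that matches a described behaviour."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        host = ev.get("host", "?")
        eid = ev.get("event_id")
        if eid == ACCOUNT_CREATED:
            # Persistence: a fresh account, especially from a non-admin context.
            alerts.append(Alert("new-account", host,
                                f"account {ev.get('target_user')} created by {ev.get('subject_user')}"))
        elif eid == PROCESS_CREATED:
            image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
            cmd = ev.get("cmdline", "")
            if SHADOW_DELETE.search(cmd):
                # Recovery inhibition: the advisory notes shadow copy deletion.
                alerts.append(Alert("shadow-copy-deletion", host, cmd))
            elif image in EXFIL_TOOLS:
                # Exfiltration tooling named in the advisory.
                alerts.append(Alert("exfil-tool", host,
                                    f"{image} run by {ev.get('subject_user')}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

In a real deployment the same three rules map onto Security event 4720 and 4688 (or Sysmon event 1) fields rather than this toy format; the account-creation rule in particular is noisy on its own and is best correlated with the subject account's normal role and the time of day.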

    Blockchain and source code data suggest that the Akira ransomware group may have ties to the now-defunct Conti ransomware gang. Although Avast released a decryptor for Akira last July, it’s probable that the weaknesses in the encryption scheme it relied on have been fixed since then.

    The expansion of Akira’s operations to target Linux enterprise environments mirrors similar moves by other ransomware families such as LockBit, Cl0p, Royal, Monti, and RTM Locker.

    LockBit’s Struggles Post-Takedown

    Trend Micro disclosed that the significant law enforcement takedown of the LockBit gang in February has severely impacted the group’s ability to recover, leading it to showcase old and fabricated victims on its new data leak site.

    LockBit, previously one of the most widely used Ransomware-as-a-Service (RaaS) strains, suffered operational setbacks following the takedown, prompting it to focus on inflating victim counts and targeting countries involved in the disruption.

    The connection between a LockBit administrator and a journalist in Sevastopol known as Colonel Cassad, who solicited donations for Russian militia group operations, was revealed by Chainalysis. Cisco Talos had previously linked Colonel Cassad (aka Boris Rozhin) to an anti-Ukraine disinformation campaign orchestrated by the Russian state-sponsored group APT28.

    Agenda Ransomware’s Rust Upgrade

    In another development, the Agenda ransomware group has upgraded to an updated Rust variant to target VMware vCenter and ESXi servers via Remote Monitoring and Management (RMM) tools and Cobalt Strike.

    This demonstrates the group’s expansion to new targets and systems, further illustrating the evolving landscape of ransomware threats.

    As the ransomware landscape evolves, there’s a growing trend of “crude, cheap ransomware” being utilized in real-world attacks, enabling lower-tier threat actors to profit without the need for sophisticated infrastructure.

    These ransomware variants, available for a one-time price as low as $20, pose a significant threat to small companies and individuals, who may lack the resources to defend against or respond effectively to such attacks.

    In summary, the rise of inexpensive ransomware variants underscores the need for enhanced cybersecurity measures and proactive defense strategies to mitigate the evolving threat landscape.
