Cybercrooks Behind the Akira Ransomware Made Over $42 Million in One Year

The cybercriminals responsible for the Akira Ransomware have amassed a staggering sum of over $42 million within just one year, according to reports from CISA, the FBI, Europol, and the Netherlands’ National Cyber Security Centre (NCSC-NL). Their nefarious activities have victimized more than 250 entities worldwide, spanning a range of industries including services, manufacturing, education, construction, critical infrastructure, finance, healthcare, and legal sectors.

Initially confined to targeting Windows systems, the Akira Ransomware has expanded its reach to infect VMware ESXi virtual machines since April 2023. Moreover, its arsenal was bolstered with the integration of Megazord starting August 2023, as highlighted by CISA, the FBI, Europol, and NCSC-NL in a recent advisory.

The operators of Akira Ransomware have demonstrated a sophisticated modus operandi, exploiting vulnerabilities in VPN services lacking multi-factor authentication, particularly leveraging known weaknesses in Cisco products like CVE-2020-3259 and CVE-2023-20269. They have also employed tactics such as remote desktop protocol (RDP) infiltration, spear-phishing campaigns, and the utilization of valid credentials to infiltrate victims’ environments.

After gaining initial access, these threat actors establish persistence methodically: creating new domain accounts, extracting credentials, and conducting extensive reconnaissance of the network and domain controllers. The advisory underscores a notable evolution in Akira's tactics, with two distinct ransomware variants deployed against different system architectures within a single breach event.

In a bid to evade detection and facilitate lateral movement, the Akira operators systematically disable security software. Their toolkit includes a range of software applications for data exfiltration and establishing command-and-control communication, including FileZilla, WinRAR, WinSCP, RClone, AnyDesk, Cloudflare Tunnel, MobaXterm, Ngrok, and RustDesk.
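As an added example, not part of the advisory or this article: a small triage script that runs the behaviours described above (new account creation, tampering with security software, and use of the named exfiltration and remote-access tools) over constructed process-creation log lines. The `key="value"` log format, host names and command lines are all assumptions made up for the demonstration.

```python
import re
from collections import defaultdict

# Executable names of the tools the advisory lists for exfiltration and C2
# (Cloudflare Tunnel ships as the "cloudflared" binary).
AKIRA_TOOLS = {"filezilla", "winrar", "winscp", "rclone", "anydesk",
               "cloudflared", "mobaxterm", "ngrok", "rustdesk"}

# Assumed log format: space-separated key="value" pairs per process-creation event.
LOG_RE = re.compile(r'(\w+)="([^"]*)"')
# Account creation via net/net1 (user, group or localgroup ... /add).
ACCOUNT_RE = re.compile(r"\bnet1?(\.exe)?\s+(user|group|localgroup)\b.*\s/add\b")
# Stopping/removing services, killing processes, or turning off Defender features.
DISABLE_RE = re.compile(r"\bsc(\.exe)?\s+(stop|delete|config)\b|\btaskkill\b|set-mppreference.*-disable")

# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    r'ts="2024-04-18T02:11:05Z" host="WS-FIN-07" user="CORP\jdoe" image="C:\Windows\System32\net.exe" cmdline="net user svc_backup * /add /domain"',
    r'ts="2024-04-18T02:12:40Z" host="WS-FIN-07" user="CORP\jdoe" image="C:\Windows\System32\sc.exe" cmdline="sc stop WinDefend"',
    r'ts="2024-04-18T02:20:13Z" host="WS-FIN-07" user="CORP\jdoe" image="C:\Users\jdoe\AppData\Local\Temp\rclone.exe" cmdline="rclone copy D:\share remote:bucket"',
    r'ts="2024-04-18T02:25:00Z" host="SRV-DC-01" user="CORP\svc_backup" image="C:\Program Files\WinRAR\WinRAR.exe" cmdline="WinRAR.exe a -r backup.rar C:\Finance"',
    r'ts="2024-04-18T02:30:00Z" host="WS-HR-02" user="CORP\asmith" image="C:\Windows\explorer.exe" cmdline="explorer.exe"',
]


def parse_line(line):
    """Turn one key="value" log line into a dict."""
    return dict(LOG_RE.findall(line))


def classify(event):
    """Return the set of Akira-style tactic tags that one event matches."""
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("cmdline", "").lower()
    tags = set()
    if image.removesuffix(".exe") in AKIRA_TOOLS:
        tags.add("exfil_or_c2_tool")
    if ACCOUNT_RE.search(cmd):
        tags.add("new_account")
    if DISABLE_RE.search(cmd):
        tags.add("security_tamper")
    return tags


def triage(lines):
    """Group tags per host; two or more distinct tactics on one host is escalated."""
    per_host = defaultdict(set)
    for line in lines:
        event = parse_line(line)
        for tag in classify(event):
            per_host[event["host"]].add(tag)
    return {host: ("escalate" if len(tags) >= 2 else "review", sorted(tags))
            for host, tags in per_host.items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOG).items():
        print(host, verdict)
```

Any single tool on the list is also legitimate administrative software, which is why the script escalates only when several of the advisory's tactics cluster on one host.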

Similar to other ransomware syndicates, Akira adopts a dual extortion model, exfiltrating victims’ data prior to encryption and demanding payment in Bitcoin via Tor-based communication channels. The attackers further escalate pressure by threatening to publicly disclose exfiltrated data on the Tor network and, in some cases, directly contacting victimized organizations.

In response to this escalating threat landscape, the advisory furnishes network defenders with indicators of compromise (IoCs) associated with Akira, along with recommended mitigation strategies to fortify their defenses against such attacks.
