Analysis Summary

A joint alert from the FBI, CISA, the Netherlands' National Cyber Security Centre (NCSC-NL), Europol's European Cybercrime Centre (EC3), and CISA states that over 250 businesses' networks have been compromised by the Akira ransomware operation, which has collected almost $42 million in extortion payments.

Akira first surfaced in March 2023 and rose to prominence shortly after, picking victims from a variety of global industry verticals. The group's ransomware developers produced and released a Linux encryptor by June 2023 with the intention of targeting VMware ESXi virtual machines, which are frequently utilized in enterprise settings. Negotiation discussions indicate that Akira operators are requesting ransoms in the range of $200,000 to millions of dollars, contingent on the size of the compromised entity.

The ransomware gang has affected more than 250 enterprises as of January 1, 2024, and it has claimed ransomware proceeds of about $42 million (USD). The Akira ransomware has affected numerous companies and vital infrastructure organizations in North America, Europe, and Australia since March 2023.

Akira has most recently claimed ransomware attacks on Stanford University, which also disclosed last month that it had discovered a compromise compromising the personal data of 27,000 people, and Nissan Oceania, which in March warned of a data breach affecting 100,000 people. Since it first appeared last year, the ransomware gang has added more than 230 firms to its dark web leak website.

Network defenders are strongly encouraged to implement multifactor authentication (MFA) using strong passwords across all services, particularly for webmail, VPN, and accounts connected to important systems, and to prioritize repairing vulnerabilities that have already been exploited. In addition, they must prioritize vulnerability assessments as essential elements of their normal security procedures and regularly upgrade software to the most recent versions.

Impact

• Financial Loss
• File Encryption
• Sensitive Data Theft

Indicators of Compromise

SHA1

• efb651a5c755a9a5a96b08ddda736efd0bc03315
• 94ed0a9c9c9fe568dc814218edeb17b951fc78a8
• a129c2cff13f7672e27f4c43608da2293e1b5bb7
• 02bb630faf77a91c7de6b031b54de4467ab9da6f
• b8c1772dd0ad018cf3ed4c67eabd16c5c4e751cd
• d640d5e632d260ac5a9e26df1bdb9b337f32cbbc
• 09f85d9c0de66c8f807bd1e12f55617e3fed3bf8
• 73ee462cb96f4857f9f5bbdc4cada5800f2b8932
• 1ff0c089c5a3b93e95c337e7644119c7bd7133c6
• f8425e27fb5340b4d50bdee1800dcc428a7d388f
• a420fbd6cb9d10db807251564c1c9e1718c6fbc5
• 5263a135f09185aa44f6b73d2f8160f56779706d
• 57e46697761aa19423765497e9e6a8abbd3f94a9

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Maintain Offline Backups - In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Conduct regular backups of your important data and ensure that these backups are stored offline or in a separate network. This will help protect your data from being compromised by ransomware attacks.
• Deploy advanced threat detection and monitoring solutions to identify potential ransomware activity in real time. Monitor network traffic, system logs, and behavior anomalies to detect and respond to ransomware incidents promptly.
• Never trust or open links and attachments received from unknown sources/senders.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• If a device on the network has been infected with ransomware, immediately disconnect it from the network to prevent the malware from spreading to other devices. This will help contain the attack and limit further damage.
• Disconnect external storage devices if connected.
• Implement the principle of least privilege by granting employees the minimum access rights required to perform their tasks. Regularly review and update user access privileges to prevent unauthorized access and limit the impact of ransomware.