The Akira ransomware gang earned approximately $42 million in ransoms after breaching over 250 victims across three continents between March 2023, when the group emerged, and January 2024.
The findings were published in a joint cybersecurity advisory by the U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL).
“Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia,” the advisory noted. “As of January 1, 2024, the ransomware group has impacted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds.”
The advisory also found that the ransomware gang had adopted new tactics and expanded its focus, marking a significant shift from its reported activity.
Akira ransomware gang targets VMware ESXi virtual machines
The joint advisory found that the Akira ransomware gang had shifted its focus from solely targeting Windows systems. In April last year, the ransomware gang began targeting Linux systems and virtual machines using a custom payload.
“In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines,” the agencies warned.
The advisory also noted that this development marked a significant “shift from recently reported Akira ransomware activity.”
The threat actors initially deployed a Windows-specific, C++-based Akira ransomware variant but later introduced a Rust-based “Megazord” ransomware variant in August 2023.
They also deployed a second payload, Akira_v2, an ESXi encryptor, “concurrently” with the Windows variants, and continued to use Megazord, Akira and Akira_v2 interchangeably, for reasons the joint cybersecurity advisory does not explain.
Akira initially focused on the Windows operating system because of its dominance in corporate networks. However, as Linux adoption continues to grow across industries, including critical infrastructure, finance, and government, the ransomware gang is keen on capitalizing on the trend, according to Patrick Tiquet, Vice President of Security & Architecture at Keeper Security.
“Linux servers often host critical applications and data, making them attractive targets for extortion,” he said. “Additionally, the open-source nature of Linux allows threat actors to analyze and exploit vulnerabilities more easily, potentially leading to larger-scale attacks with greater impact.”
“While the Windows operating system is prone to 85% of known ransomware attacks, Linux has become another target for cybercriminals, as these servers house large data stores, networks, and web services for both enterprises and government entities,” said Omri Weinberg, Co-founder and CRO at DoControl. “In the end, both operating systems are targets due to unpatched vulnerabilities in their code base, which can be taken advantage of by cyber attackers. Linux offers a different way into corporations, as vulnerabilities in the operating system open up the ability to infiltrate files and services, and changes the ransomware game by escalating access privileges, or by injecting executables with malignancies that carry out a command-and-control attack to encrypt an entire environment.”
Akira uses double extortion tactics by exfiltrating data before encrypting it and directing victims to a Tor-based site after leaving a ransom note named “fn.txt” or “akiranew.txt” in the root and each user’s home directories.
The ransomware gang typically demands higher ransoms, between $200,000 and $4 million, to prevent the stolen data from being published online.
“To further apply pressure, Akira threat actors threaten to publish exfiltrated data on the Tor network, and in some instances have called victimized companies,” the joint advisory stated.
FBI, CISA, EC3, and NCSC-NL list Akira’s IOCs and TTPs and recommend mitigations
The joint cybersecurity advisory listed Akira’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) and advised network defenders to apply the recommended security measures and mitigations to thwart Akira’s extortion attempts.
The agencies explained that the Akira ransomware group gains initial access by exploiting unsecured virtual private network (VPN) services without multifactor authentication (usually after exploiting Cisco vulnerabilities CVE-2020-3259 and CVE-2023-20269), exposed Remote Desktop Protocol (RDP), spear phishing, and compromised valid credentials.
Upon gaining access, the ransomware gang creates domain accounts, usually named itadm, to establish persistence. They usually disable security software, sometimes using the Zemana AntiMalware driver, to avoid detection.
Akira ransomware threat actors employ Kerberoasting to extract credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS), and use Mimikatz and LaZagne for privilege escalation. They also use widely available tools such as FileZilla, WinRAR, WinSCP, and Rclone to exfiltrate data to their command-and-control (C2) infrastructure.
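As an added example, not code from the advisory or this article, the following Python hunt turns the indicators described above (ransom-note names fn.txt and akiranew.txt, the itadm account, and RC4 service-ticket requests typical of Kerberoasting) into checks over a constructed file listing and constructed, simplified Windows security events; the event format, field names and the three-SPN threshold are assumptions.

```python
from dataclasses import dataclass

# Indicators from the advisory as summarised in the article; everything else here is constructed.
RANSOM_NOTES = {"fn.txt", "akiranew.txt"}
SUSPECT_ACCOUNTS = {"itadm"}
RC4_ETYPE = "0x17"  # RC4-HMAC: TGS requests with this etype are the classic Kerberoasting signal
SPN_THRESHOLD = 3   # assumed: one account pulling tickets for many distinct SPNs is suspicious


@dataclass
class Finding:
    rule: str
    detail: str


def check_ransom_notes(paths):
    """Flag files whose basename matches a known Akira ransom-note name (Windows or POSIX paths)."""
    return [Finding("ransom_note", p) for p in paths
            if p.replace("\\", "/").rsplit("/", 1)[-1].lower() in RANSOM_NOTES]


def check_events(events):
    """Walk key=value security events (constructed, simplified format) for
    4720 (account created) with an Akira-style name and bursts of RC4 4769 TGS requests."""
    findings, tgs_by_user = [], {}
    for line in events:
        ev = dict(kv.split("=", 1) for kv in line.split())
        eid = ev.get("EventID")
        if eid == "4720" and ev.get("TargetUserName", "").lower() in SUSPECT_ACCOUNTS:
            findings.append(Finding("new_domain_account", ev["TargetUserName"]))
        elif eid == "4769" and ev.get("TicketEncryptionType") == RC4_ETYPE:
            tgs_by_user.setdefault(ev.get("TargetUserName"), set()).add(ev.get("ServiceName"))
    for user, services in tgs_by_user.items():
        if len(services) >= SPN_THRESHOLD:
            findings.append(Finding("possible_kerberoasting", f"{user} -> {len(services)} SPNs"))
    return findings


# Constructed sample input: a file listing and five simplified security events.
SAMPLE_PATHS = ["/home/alice/akiranew.txt", "C:\\fn.txt", "/var/log/syslog", "/home/bob/notes.txt"]
SAMPLE_EVENTS = [
    "EventID=4720 TargetUserName=itadm SubjectUserName=admin",
    "EventID=4769 TargetUserName=jdoe ServiceName=MSSQLSvc TicketEncryptionType=0x17",
    "EventID=4769 TargetUserName=jdoe ServiceName=http-web01 TicketEncryptionType=0x17",
    "EventID=4769 TargetUserName=jdoe ServiceName=ldap-dc01 TicketEncryptionType=0x17",
    "EventID=4769 TargetUserName=svc_backup ServiceName=cifs-fs01 TicketEncryptionType=0x12",
]

if __name__ == "__main__":
    for f in check_ransom_notes(SAMPLE_PATHS) + check_events(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.detail}")
```

The AES-only request from svc_backup is ignored, so only the itadm creation and jdoe's three RC4 ticket requests are reported.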
Notable Akira ransomware breaches include the Nissan Oceania leak, which impacted over 100,000 individuals; the Stanford University data breach, which leaked 430GB of data and impacted 27,000 people; and the hack of the City of Nassau Bay in Texas.
The four members of the Fourteen Eyes intelligence alliance advised network defenders to apply the recommendations, which included patching security vulnerabilities, enabling multi-factor authentication, and using strong passwords to protect accounts and prevent Akira ransomware attacks.
Other recommendations included implementing network segmentation, filtering network traffic to detect suspicious communication between Akira ransomware and its C2 infrastructure, and keeping multiple data backups in case the security measures fail.
“The FBI, CISA, EC3, and NCSC-NL encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents,” the security advisory stated.
However, Tiquet warned that the cybersecurity battle was far from over, as threat actors continue to devise sophisticated tactics to bypass every imaginable security measure.
“We’re in an arms race against cybercriminals. With every defense that is put into place, there is a bad actor working to discover and exploit any weakness through different attack vectors and more sophisticated tools,” noted Tiquet.