Akira Ransomware: Accelerated Data Exfiltration in Roughly Two Hours

July 11, 2024

The Akira ransomware group, suspected to be Storm-1567 (also known as Punk Spider and Gold Sahara), has demonstrated the ability to exfiltrate data from victims in just over two hours. This swift exfiltration marks a notable reduction in the time usually taken by cybercriminals to transition from initial access to data theft, according to a report from the BlackBerry Threat Research and Intelligence Team. The report detailed an attack on a Latin American airline in June, where the cybercriminals used the Secure Shell (SSH) protocol to gain initial access through an unpatched Veeam backup server. They then swiftly stole information before deploying the Akira ransomware the following day.

Storm-1567, a frequent user of the Akira ransomware-as-a-service (RaaS) platform and the group that maintains the Akira leak site, is the likely perpetrator, the report suggested. This group is known for employing double-extortion tactics and has attacked over 250 organizations across various industries worldwide since its emergence in March 2023. The group primarily targets Windows systems but has also developed Linux/VMware ESXi variants.

The report revealed that the cybercriminals gained access to the Veeam backup server, likely via CVE-2023-27532, and immediately started to siphon off data. The initial entry point contained sensitive data, eliminating the need for lateral movement. Ismael Valenzuela, vice president of threat research and intelligence at BlackBerry, stated, 'Veeam servers are overwhelmingly popular targets due to their tendency to store credentials [and other data].' He further noted that 93% of cyberattacks target backup storage, emphasizing their vulnerability.

During the attack, Storm-1567 accessed backup data within the Veeam backup folder, including documents, images, and spreadsheets, banking on the likelihood that this data would contain confidential and valuable information that could be ransomed. The group used a number of legitimate tools and utilities to covertly carry out reconnaissance, establish persistence, and transport the data out of the environment.

The entire operation took a mere 133 minutes, after which the attackers paused for the day. They returned the next day to infiltrate deeper into the network and deploy the actual ransomware. The report also noted that the ransomware deployment took less than eight hours.

The rapid data-exfiltration effort should serve as a wake-up call for organizations, as it underscores the ongoing reduction of the time-to-exfiltration event horizon. According to the 2024 Unit 42 Incident Response report from Palo Alto Networks, the median time from compromise to data exfiltration was nine days in 2021, which dropped to two days in 2023, and in 45% of the cases in 2024, it was just under 24 hours.

To counter such threats, Valenzuela suggested implementing a robust security architecture, incorporating a zero-trust framework, and understanding potential adversaries. He emphasized the importance of meticulous perimeter patching, recognizing that the perimeter is a primary target for attackers. He also highlighted the importance of basic hygiene steps in light of the speed at which data thieves are now moving.
