Akira Ransomware Attacks Escalate in Finland: NCSC-FI Reports

January 13, 2024

The National Cybersecurity Center of Finland (NCSC-FI) has observed a significant increase in Akira ransomware attacks against Finnish organizations. These attacks, first reported in June 2023, escalated in December, with the majority caused by the Akira malware family. The attackers are systematically wiping Network-Attached Storage (NAS) and backup devices, leading to extensive data loss.

The NCSC-FI alert stated, “In all cases, careful efforts have been made to destroy the backups, and the attacker will find it difficult to do this. NAS servers that are often used for backups on the network have been hacked and wiped, as have automatic tape backup devices, and in almost every case we know of, all backups have been lost.”

The late 2023 attacks exploited poorly secured VPN gateways on Cisco ASA or FTD devices. The threat actors exploited CVE-2023-20269, a vulnerability in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD). This vulnerability allows an unauthenticated, remote attacker to conduct a brute-force attack to identify valid username and password combinations, or to establish an unauthorized clientless SSL VPN session.

In September 2023, Cisco acknowledged that this zero-day vulnerability was being exploited by ransomware groups, including the Akira ransomware gang. By the end of August 2023, Cisco was aware of the Akira ransomware attacks targeting Cisco ASA VPNs that lacked multi-factor authentication. Cisco, in collaboration with Rapid7, investigated this hacking campaign. Rapid7 researchers noted that the threat activity targeting Cisco ASA SSL VPN appliances could be traced back to at least March 2023.

Finnish researchers emphasized that multi-step authentication cannot be bypassed by the attack. They also suggested that organizations can protect against the destruction of backups by taking offline backups. The Akira ransomware has been active since March 2023, and the threat actors behind the malware claim to have already hacked multiple organizations across various sectors, including education, finance, and real estate.

Like other ransomware groups, the Akira gang has developed a Linux encryptor to target VMware ESXi servers. The NCSC-FI alert concluded, “For the most important backups, it would be advisable to follow the 3-2-1 rule. That is, keep at least three backups in two different locations and keep one of these copies completely off the network.”
