Akira Ransomware Gang Amasses $42 Million; Expands Target to Linux Servers

April 19, 2024

The Akira ransomware group has reportedly extorted an estimated $42 million after infiltrating the networks of over 250 victims as of January 1, 2024. "Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia," cybersecurity agencies from the Netherlands and the U.S., along with Europol's European Cybercrime Centre (EC3), said in a joint alert.

In April 2023, the group broadened its focus from Windows systems to Linux, specifically targeting VMware ESXi virtual machines. The group initially used a C++ variant of the locker before switching to Rust-based code in August 2023. It gains access to target networks by exploiting known vulnerabilities in Cisco appliances, such as CVE-2020-3259 and CVE-2023-20269. Other methods of intrusion include the use of Remote Desktop Protocol (RDP), spear-phishing, valid credentials, and VPN services lacking multi-factor authentication (MFA) protections.

The group is also known for setting up persistence on compromised systems by creating new domain accounts and evading detection by exploiting the Zemana AntiMalware driver to terminate antivirus-related processes. They rely on tools like Mimikatz and LaZagne for privilege escalation, and use Windows RDP for lateral movement within the victim's network. Data exfiltration is executed through FileZilla, WinRAR, WinSCP, and RClone.

"Akira ransomware encrypts targeted systems using a hybrid encryption algorithm that combines Chacha20 and RSA," Trend Micro reported in an October 2023 analysis. The ransomware binary also inhibits system recovery by deleting shadow copies from the affected system. Blockchain and source code data suggest a likely affiliation between the Akira ransomware group and the now-defunct Conti ransomware gang.
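The post-compromise behaviours described above (new domain accounts, Mimikatz and LaZagne, the listed transfer tools, shadow-copy deletion) can be hunted for in process-creation telemetry. The following Python is an added example, not code from the joint alert or from Trend Micro; the event fields (`host`, `ts`, `cmd`), the command-line patterns (including the shadow-copy deletion commands, which the article does not specify) and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Behaviour -> command-line pattern. Patterns are illustrative assumptions;
# the article names the tools and behaviours, not these exact command lines.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
        r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))", re.I),
    "credential_tool": re.compile(r"\b(mimikatz|lazagne)(\.exe)?\b", re.I),
    "exfil_tool": re.compile(r"\b(rclone|winscp|filezilla|winrar)(\.exe)?\b", re.I),
    "domain_account_creation": re.compile(
        r"\bnet1?(\.exe)?\s+user\b(?=.*\s/add\b)(?=.*\s/domain\b)", re.I),
}

def classify(cmdline):
    """Return the set of behaviour names whose pattern matches one command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def triage(events, window=3600, threshold=2):
    """Flag hosts showing >= threshold distinct behaviours within `window` seconds.

    A single hit (for example an admin running WinRAR) is common noise; the
    combination on one host in a short span is what merits escalation.
    """
    hits = defaultdict(list)
    for ev in events:
        for name in classify(ev["cmd"]):
            hits[ev["host"]].append((ev["ts"], name))
    flagged = {}
    for host, seen in hits.items():
        seen.sort()
        # Slide a window from each hit and keep the richest combination.
        best = max(({n for t, n in seen[i:] if t - start <= window}
                    for i, (start, _) in enumerate(seen)), key=len)
        if len(best) >= threshold:
            flagged[host] = sorted(best)
    return flagged

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "FS01", "ts": 1000, "cmd": r"C:\Users\Public\rclone.exe copy D:\shares remote:bk"},
    {"host": "FS01", "ts": 1900, "cmd": "net user svc_backup * /add /domain"},
    {"host": "FS01", "ts": 2500, "cmd": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"host": "WS07", "ts": 1200, "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" a notes.rar notes'},
    {"host": "WS07", "ts": 90000, "cmd": "vssadmin list shadows"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Name-based matching misses renamed binaries, so pair it with hash or original-filename metadata where the telemetry provides it.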

Despite the release of a decryptor for Akira by Avast in July, it's likely that the group has since addressed the identified flaws. The group's shift in focus to Linux enterprise environments follows a similar trend observed in other established ransomware families such as LockBit, Cl0p, Royal, Monti, and RTM Locker.

The development also follows the Agenda ransomware group's use of an updated Rust variant to infect VMware vCenter and ESXi servers through Remote Monitoring and Management (RMM) tools and Cobalt Strike. This indicates that ransomware operators are expanding their target range.

As new ransomware actors continue to emerge, it's also evident that inexpensive ransomware available on the cybercrime underground is being used in real-world attacks, enabling individual threat actors to generate significant profit without the need for a well-organized group. A majority of these varieties are available for a one-time price as low as $20, while others like HardShield and RansomTuga are offered free of charge.

"They can target small companies and individuals, who are unlikely to have the resources to defend themselves or respond effectively to incidents, without giving anyone else a cut," Sophos said, describing it as a "relatively new phenomenon" that further lowers the cost of entry.
