Priya PatelTLDR:
• Akira ransomware gang extorted $42 million from 250+ victims
• Used sophisticated hybrid encryption techniques and targeted vulnerable Cisco VPNs
The Akira ransomware gang has reportedly made $42 million by targeting over 250 victims, according to a security advisory released by CISA. The gang used sophisticated hybrid encryption techniques and focused on vulnerable Cisco VPNs in their attacks. CISA, along with other agencies, published the advisory to share known indicators of compromise and tactics used by the Akira gang. The group has impacted businesses and critical infrastructure entities worldwide, with a special focus on North America, Europe, and Australia. Akira’s methods of initial access included exploiting VPNs without multifactor authentication, using known Cisco vulnerabilities, and other techniques like spear phishing and abusing valid credentials.
Once inside a system, Akira actors would abuse domain controllers to establish persistence, using techniques like Kerberoasting and credential scraping for privilege escalation. The gang utilizes a sophisticated hybrid encryption scheme which combines a ChaCha20 stream cipher with an RSA public-key cryptosystem, along with deploying two ransomware variants on different system architectures during attacks. The advisory also includes a list of tools used by Akira, as well as indicators of compromise and Mitre ATT&CK tactics and techniques. Mitigations recommended by CISA include implementing a recovery plan, requiring multifactor authentication, staying updated on patches, and segmenting networks to prevent further attacks.
The joint advisory issued by CISA, FBI, Europol, and the Netherlands’ National Cyber Security Centre serves as a warning to organizations to enhance their security measures and safeguard against ransomware attacks like those carried out by the Akira gang.
