Cybersecurity | 13 Nov 2025 | 3m | cyberscoop.com

FBI Declares Akira Ransomware Among Top Threats to US Businesses

The FBI identifies Akira as a critical ransomware threat, targeting small to medium-sized enterprises across various sectors. The group employs double-extortion tactics, emphasizing urgent cybersecurity measures.

Key Takeaways

  1. According to the joint advisory released by the FBI and Cybersecurity and Infrastructure Security Agency (CISA), Akira has been linked to more than $244 million in ransom payments as of late September.
  2. “It’s more a reflection of the reality that our nation’s ransomware adversaries are continuously evolving their tactics and therefore it’s critical that we improve our defenses as well,” said Nick Andersen, executive assistant director of cybersecurity at CISA.
  3. The majority of their victims are small- and medium-sized businesses, significantly affecting industries like manufacturing, education, IT, healthcare, finance, and agriculture.

On Thursday, federal cyber authorities released a joint advisory detailing the Akira ransomware group, which has quickly become a significant threat since its emergence in March 2023. The advisory outlines the group's methods, the tools they employ, and the vulnerabilities they exploit to gain initial access to systems.

Akira is characterized as a financially motivated group and has connections to other known threat organizations, such as Storm-1567, Howling Scorpius, and Punk Spider. There are also potential ties to the now-disbanded Conti ransomware group. The group has adopted a double-extortion model, which involves not only encrypting victims’ data but also stealing sensitive information to increase pressure on the organizations targeted.

According to the joint advisory released by the FBI and Cybersecurity and Infrastructure Security Agency (CISA), Akira has been linked to more than $244 million in ransom payments as of late September. The majority of their victims are small- and medium-sized businesses, significantly affecting industries like manufacturing, education, IT, healthcare, finance, and agriculture.


“For the FBI, it is within the top five variants that we investigate,” said Brett Leatherman, assistant director of the FBI Cyber Division, during a media briefing. “It’s consequential. This group is very consequential that they fall likely within our top five.”


The urgency of addressing ransomware threats is underscored by Leatherman, who noted that it remains the FBI’s top cybercriminal issue. “Ransomware is enormous in terms of the amount of losses, the number of active variants, and its disruptive effect,” he explained. The FBI’s ongoing investigations focus on over 130 different ransomware variants targeting U.S. businesses across nearly every critical infrastructure sector.


Supporting the advisory, Europol along with cyber authorities from Germany, France, and the Netherlands highlighted six specific vulnerabilities that Akira is known to exploit. These vulnerabilities target various systems including Cisco firewalls, Windows, VMware ESXi, and SonicWall firewalls.

“We know that they are actively looking at the vulnerabilities disclosed in [the joint advisory] in order to monetize their activity,” added Leatherman, emphasizing the proactive nature of the group.


Researchers have previously flagged Akira for exploiting vulnerabilities like CVE-2024-40766, allegedly impacting about 40 victims between mid-July and early August. This wave of attacks showcased Akira's capacity to effectively capitalize on known flaws.

Nick Andersen, executive assistant director of cybersecurity at CISA, emphasized that the advisory was not a reaction to a specific attack but rather a reflection of the evolving landscape of ransomware threats. “It’s more a reflection of the reality that our nation’s ransomware adversaries are continuously evolving their tactics and therefore it’s critical that we improve our defenses as well,” he stated.

Akira has shown the ability to operate swiftly, often exfiltrating data in just over two hours once they gain initial access, as noted in the advisory. This alarming speed is further reinforced by the various tactics utilized by the group.

The FBI and cybersecurity experts have observed that Akira often breaks into systems through stolen credentials, exploits system vulnerabilities, and conducts brute-force attacks. The group has used remote access tools like AnyDesk and LogMeIn to maintain persistence within compromised networks, and they’ve created new accounts to solidify their foothold while also employing privilege escalation techniques.
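The behaviours described above (brute-force logons, newly created accounts, and AnyDesk or LogMeIn installed as a service) map onto standard Windows event IDs, so a defender can hunt for them in exported logs. The following is an added example, not code from the advisory or the article; the event records are constructed, and the simplified field names, threshold and time window are assumptions.

```python
from collections import defaultdict

RMM_NAMES = ("anydesk", "logmein")  # remote access tools named in the article
FAIL_THRESHOLD = 5                  # assumed tuning value: failures before a success
WINDOW = 300                        # assumed look-back window, in seconds

# Constructed sample events. Fields are a simplified projection of Windows records:
# 4625 = failed logon, 4624 = successful logon, 4720 = user account created,
# 7045 = service installed (System log).
EVENTS = [{"t": i * 10, "id": 4625, "src": "203.0.113.7", "user": "svc_backup"}
          for i in range(6)] + [
    {"t": 60, "id": 4624, "src": "203.0.113.7", "user": "svc_backup"},
    {"t": 65, "id": 4624, "src": "10.0.0.5", "user": "alice"},  # benign logon
    {"t": 400, "id": 4720, "actor": "svc_backup", "new_user": "itadm"},
    {"t": 900, "id": 7045, "host": "FS01",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe --service"},
    {"t": 950, "id": 7045, "host": "FS01",
     "image": r"C:\Windows\System32\spoolsv.exe"},              # benign service
]

def detect(events):
    """Return (rule, subject, detail) tuples in time order."""
    findings = []
    fails = defaultdict(list)  # source address -> timestamps of failed logons
    for e in sorted(events, key=lambda ev: ev["t"]):
        if e["id"] == 4625:
            fails[e["src"]].append(e["t"])
        elif e["id"] == 4624:
            # A success preceded by many recent failures from the same source
            recent = [t for t in fails[e["src"]] if e["t"] - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                findings.append(("bruteforce_then_success", e["src"], e["user"]))
        elif e["id"] == 4720:
            findings.append(("account_created", e["actor"], e["new_user"]))
        elif e["id"] == 7045 and any(n in e["image"].lower() for n in RMM_NAMES):
            findings.append(("rmm_service_installed", e["host"], e["image"]))
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Where AnyDesk or LogMeIn is sanctioned, filter the service-install rule against an allow-list of approved hosts so that only unexpected installations are raised.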

Impact and Legacy

Leatherman pointed out that some indicators of compromise related to Akira were detected as recently as this month. “Actors are incredibly adaptable and are emphasizing operational security in their actions. Their attacks are increasingly becoming more sophisticated, complex and layered,” he remarked. The potential financial impact on victims is significant, with remediation costs frequently exceeding the initial ransom demands.

As organizations navigate the evolving landscape of cyber threats, the Akira ransomware group serves as a crucial reminder of the need for heightened vigilance and robust cybersecurity measures. The growing sophistication and prevalence of such ransomware variants underscore the urgency in bolstering defenses against one of the most concerning cyber threats of our time.