- Table of contents
Akira Ransomware: What SOC Teams Need to Know
One of the ransomware rising stars (or should we say villians) of 2023 has been Akira. They show no sign of slowing down in 2024, see below. Akira was first discovered in March 2023 and since then they have already compromised at least 63 victims. Interestingly, Akira is offered as a ransomware-as-a-service and preliminary research suggests a connection between the Akira group and threat actors associated with the notorious ransomware operation Conti.
This ransomware, identified as having an impact on both Windows and Linux systems, operates by exfiltrating and encrypting data, coercing victims into paying a twofold ransom to regain access and restore their files.
The collective responsible for this ransomware has already directed its attention towards numerous victims, with a primary focus on those situated in the U.S. Furthermore, the group operates an active leak site for the Akira ransomware, where they publish information, including their latest data breaches.
Akira Victimology
The ransomware has steadily built up a list of victims, targeting corporate networks in various domains including education, finance, real estate, manufacturing, and consulting.
The group has taken credit for several high-profile incidents — including attacks on the government of Nassau Bay in Texas, Bluefield University, a state-owned bank in South Africa and major foreign exchange broker London Capital Group.
Most recent attacks include Gruskin Group and Healix in the beginning of October and QuadraNet Enterprises, Southland Integrated Services, Visionary Integration Professionals and Freeman Johnson towards the end of October.
In January Akira claimed a significant victim in Sweden, Tietoevry, specialists in cloud, data, and software. They serve 1000s of enterprise and public-sector customers in more than 90 countries. One of Tietoevry’s datacenters was hit impacting a limited group of customers, despite being isolated immediately.
“The malicious attack based on Akira ransomware on one of our datacenters in Sweden took place during the night of January 19-20. Tietoevry takes the situation very seriously and has an extensive team of experts and technicians working around the clock to minimize the impact and restore services.” said Tietoevry.
On October 27th Akira claimed to have stolen 430GB of data from the Stanford University systems. Stanford university responded with this response: “The security and integrity of our information systems are top priorities, and we work continually to safeguard our network, we are continuing to investigate a cybersecurity incident at the Stanford University Department of Public Safety (SUDPS) to determine the extent of what may have been impacted.”
“Based on our investigation to date, there is no indication that the incident affected any other part of the university, nor did it impact police response to emergencies. The impacted SUDPS system has been secured.
“Our privacy and information security teams have been giving this matter their concerted attention, in coordination with outside specialists. The investigation is ongoing and once it is completed, we will act accordingly and be able to share more information with the community.”
The group continue attack different organizations worldwide, from different sectors, but the majority of victims as of now have been in the USA, followed by the UK and Australia.
Akira Malware, Toolset & TTPs
In almost all instances of intrusion, the malicious actors capitalized on compromised credentials to gain their initial foothold within the victim’s environment. Particularly noteworthy is the fact that most of the targeted organizations had neglected to implement multi-factor authentication (MFA) for their VPNs.
While the exact origin of these compromised credentials remains uncertain, there’s a possibility that the threat actors procured access or credentials from the dark web.
Code Similarities and Overlap with Conti
The practice of identifying code overlap among distinct ransomware variations often enables analysts to trace activities back to a specific group, given that ransomware source code is closely guarded by threat actors. However, the leaking of Conti’s source code has led to multiple threat actors utilizing this code to construct or adapt their own, making it considerably more challenging to attribute actions back to the original Conti threat actors.
Although there are differences between the two ransomware variants, Akira ransomware does exhibit certain resemblances to Conti ransomware. Akira shares similarities in its approach to disregarding the same file types and directories as Conti, and it also incorporates comparable functions. Additionally, Akira employs the ChaCha algorithm for file encryption, which is implemented in a manner similar to that of Conti ransomware
Akira Origin and Affiliates
In a minimum of three distinct instances, the actors behind the Akira ransomware directed complete ransom payments to addresses associated with the Conti group; the cumulative value of these transactions exceeded $600,000 USD. Subsequently, we noted that all Conti-associated addresses participated in transactions with a set of common intermediary wallets. These intermediary wallets were employed to either withdraw funds from the ransom payments or facilitate fund transfers within the group.
Of particular interest, two of the Conti-linked wallets engaged in transactions with wallets linked to Conti’s leadership team. Notably, one of these wallets hosted addresses designated for collecting ransom payments spanning multiple ransomware families.
Community
Akira groups uses their official DLS (data leak site) to post data on their victims and updates regarding the group’s activity.
Although Akira could be considered in its infancy, the indications of its links to Conti and the increasing volume of attacks mean it is one to watch.
To learn more about how our threat intelligence research helps protect businesses against ransomware and other risks, request a demo.