Akira Ransomware Thrives in Post-BlackCat and LockBit Era
Actively monitoring the capabilities of the Akira ransomware gang is a critical priority, as the group has become a premier ransomware threat following the disruptions of major ransomware gangs like ALPHV/BlackCat and LockBit. Researchers from the IBM X-Force Incident Response and Threat Intelligence team, including Jaime Andres and Bello Vieda, have detailed the capabilities of these ransomware operators. Their report highlights that Akira's encryptors are available for both Windows and Linux, showing the group's potential to target a wide range of industries and geographies. "Unlike some ransomware families with worm behavior modules for propagation or replication without human interaction, Akira ransomware requires an active procedure to spread the infection within networks," the researchers note. The group uses a double-extortion scheme that combines data exfiltration with enterprise-wide encryption, demanding ransoms both to prevent the release of stolen files and to provide decryption keys.
Akira's operators are effective at exploiting vulnerabilities; their exploitation of the Cisco Adaptive Security Appliance (ASA) vulnerability CVE-2023-20269 is a prime example. This vulnerability in Cisco's VPN products has given them unauthorized access to multiple networks. Once inside, they use a variety of tools to maintain presence and move within compromised networks: Advanced IP Scanner, SoftPerfect Network Scanner, RDP brute-force utilities (such as Hydra), AnyDesk, Rclone, and FileZilla are part of their arsenal, supporting discovery, credential access, lateral movement, command and control, and data exfiltration.
Their operations also involve psychological tactics: data leak sites on the dark web are used for negotiation and intimidation. Before encryption, the Akira group prepares samples of stolen data to prove that the theft is genuine, increasing pressure on their victims. IBM identified two .onion sites used in their operations; the first publishes information about the ransomware gang and its victims, while the second is reserved for negotiations and requires a password to access. Victims visiting the second site are shown proof of the operators' attack on their organization, further increasing pressure.
To defend against Akira, organizations are encouraged to strengthen their vulnerability management processes, especially for known exploited vulnerabilities like CVE-2023-20269. Regular patching, stringent password management, and multifactor authentication are crucial. Insights from IBM X-Force and from CISA's April 2024 #StopRansomware advisory give organizations valuable intelligence for staying current with the tactics, techniques, and procedures (TTPs) used by the ransomware operators. Akira's prominence in the threat landscape is significant, and its talent pool likely includes affiliates displaced by the law enforcement takedowns. Notably, RedSense co-founder Yelisey Bohuslavskiy reported an influx of operators into the Akira ransomware gang, specifically following the LockBit takedown in February 2024.