Full Report
Officials shared indicators of compromise observed as recently as this month to help organizations hunt for and defend against the ransomware group, which has pocketed $244 million as of late September. The post FBI calls Akira ‘top five’ ransomware variant out of 130 targeting US businesses appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Akira
## Attribution & Identity
**Identification:** Ransomware group tracked by the FBI and CISA. The FBI places Akira within its "top five" most investigated ransomware variants targeting US businesses.
**Known Aliases and Associated Groups:** Associated with threat groups including Storm-1567, Howling Scorpius, Punk Spider, and Gold Sahara. May have connections to the disbanded Conti ransomware group.
## Activity Summary
Akira first appeared in March 2023. As of late September, the group has generated an estimated $244 million in ransomware proceeds. The FBI is currently investigating over 130 ransomware variants and counts Akira among the five most consequential of them. Attacks are ongoing, with Indicators of Compromise (IOCs) shared as recently as this month (relative to the article date). The group operates with notable speed: in observed incidents, data was exfiltrated as little as two hours after initial access, which leaves defenders very little time to detect an intrusion before the extortion leverage is already in the attacker's hands.
## Tactics, Techniques & Procedures
- **Initial Access:** Gaining entry via stolen credentials, brute-force attacks, password-spraying, and exploiting public-facing vulnerabilities.
- **Data Exfiltration:** Employs a double-extortion model, stealing data prior to encryption to amplify pressure on victims. Data exfiltration typically occurs rapidly after initial access.
- **Persistence & Control:** Abuses legitimate remote access software such as AnyDesk and LogMeIn to maintain persistence (commercial remote access/RMM tools, not custom malware, so their presence blends in on networks that already permit them).
- **Foothold & Privilege Escalation:** Creates new user accounts to establish footholds and uses a variety of tools to escalate privileges.
- **Exploitation of Vulnerabilities:** Actively scans for and exploits recently disclosed vulnerabilities to monetize access.
- **MITRE ATT&CK IDs:** Not given in the source. As an editorial mapping of the behaviours listed above (not from the article): Valid Accounts (T1078), Brute Force and Password Spraying (T1110, T1110.003), Exploit Public-Facing Application (T1190), Create Account (T1136), Remote Access Software (T1219), Exfiltration (TA0010), and Data Encrypted for Impact (T1486).
## Targeting
- **Sectors:** Manufacturing, education, IT, health care, financial, and agriculture sectors. (Many victims listed as Small- and Medium-Sized Businesses - SMBs).
- **Geography:** Primarily targeting US businesses (as indicated by FBI focus). Joint advisory supported by Europol and cyber authorities in France, Germany, and the Netherlands suggests broader European targeting as well.
- **Victims:** Specific organizations were not named in the summary context.
## Tools & Infrastructure
- **Malware Families Used:** Akira ransomware variant.
- **Infrastructure (C2, domains, IPs - defang URLs):** Not provided in the source article; the FBI/CISA IOCs referenced in the report should be obtained from the advisory itself.
- **Exploited CVEs:** The group exploits known vulnerabilities in Cisco firewalls and VPNs, Windows, VMware ESXi, Veeam Backup and Replication, and SonicWall firewalls. The one vulnerability named in the source is CVE-2024-40766 (SonicWall SonicOS improper access control).
- **Remote Access Tools:** AnyDesk and LogMeIn.
## Implications
Akira is considered a highly significant and consequential threat actor by US federal law enforcement, ranking among the top five ransomware groups actively investigated. Their adaptability, focus on operational security, and increasingly sophisticated attacks lead to high remediation costs, often significantly exceeding the initial ransom demand.
## Mitigations
- Prioritize hunting for the IOCs shared by authorities this month, and hunt for the behaviours above (password-spray bursts, unexpected remote access software, newly created accounts) rather than indicators alone, since the group rotates infrastructure.
- Patch the vulnerabilities known to be actively exploited by Akira, particularly those affecting Cisco firewalls and VPNs, Windows, VMware ESXi, Veeam, and SonicWall appliances. Because the group also enters with stolen credentials, patching an already-exposed VPN or firewall should be paired with credential rotation and MFA on the affected service.
- Harden credential management to blunt stolen-credential, brute-force, and password-spraying attacks: enforce MFA on remote access, apply lockout or rate limiting, and alert on many failed logons across distinct accounts from one source.
- Review and restrict the use of remote access tools like AnyDesk and LogMeIn; allow-list the hosts and accounts that legitimately run them and alert on execution anywhere else.
- Implement layered defenses, recognizing that the group's attacks are becoming more complex and that observed exfiltration within two hours of initial access means detection and response must be fast. Given the targeting of Veeam, keep backups offline or immutable so that encryption does not also destroy the recovery path.
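The hunting logic below is an added example written for this summary; it is not code from the CyberScoop article or the FBI/CISA advisory. It runs three of the behaviour-based checks the mitigations call for over a small constructed set of Windows Security events (failed/successful logons, process creation, account creation): a password spray followed by a successful logon, AnyDesk launched on a host that is not on the help-desk allow-list, and a new account created by the sprayed user. The event records, executable names, host allow-list and thresholds are all assumptions chosen for the example.

```python
"""Hunt for Akira-style behaviours in Windows Security events.

Added example, not code from the source article or advisory. All events below
are constructed; process names, host allow-list and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Remote access software the advisory says the group abuses (executable names are assumptions).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "logmein.exe"}
# Hypothetical allow-list of hosts where the help desk legitimately runs such tools.
APPROVED_RMM_HOSTS = {"helpdesk-01"}


def ev(ts, event_id, host, **fields):
    """Build one event record; ts is 'HH:MM' on a single constructed day."""
    hour, minute = map(int, ts.split(":"))
    e = {"ts": datetime(2025, 10, 1, hour, minute), "event_id": event_id, "host": host}
    e.update(fields)
    return e


# Constructed sample log, not real telemetry. Windows Security event IDs:
# 4625 failed logon, 4624 successful logon, 4688 process created, 4720 user account created.
SAMPLE_EVENTS = [
    ev("09:00", 4625, "dc-01", src_ip="203.0.113.10", user="alice"),
    ev("09:01", 4625, "dc-01", src_ip="203.0.113.10", user="bob"),
    ev("09:01", 4625, "dc-01", src_ip="203.0.113.10", user="carol"),
    ev("09:02", 4625, "dc-01", src_ip="203.0.113.10", user="dave"),
    ev("09:03", 4625, "dc-01", src_ip="203.0.113.10", user="erin"),
    ev("09:05", 4624, "dc-01", src_ip="203.0.113.10", user="erin"),   # the spray found a valid password
    ev("09:10", 4625, "dc-01", src_ip="198.51.100.7", user="alice"),  # one user mistyping, not a spray
    ev("09:11", 4625, "dc-01", src_ip="198.51.100.7", user="alice"),
    ev("09:30", 4688, "helpdesk-01", user="helpdesk", process="C:\\Program Files\\AnyDesk\\AnyDesk.exe"),
    ev("09:41", 4688, "fileserver-02", user="erin", process="C:\\Users\\erin\\Downloads\\AnyDesk.exe"),
    ev("09:55", 4720, "dc-01", user="erin", target_user="svc_backup"),
]


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Source IPs that fail logons for >= min_users distinct accounts inside `window`,
    together with any accounts that later logged on successfully from the same source."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append(e)
    findings = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, last in enumerate(evs):
            # distinct accounts attempted in the window ending at this failure
            users = {x["user"] for x in evs[: i + 1] if last["ts"] - x["ts"] <= window}
            if len(users) >= min_users:
                succeeded = {e["user"] for e in events
                             if e["event_id"] == 4624 and e.get("src_ip") == src and e["ts"] >= last["ts"]}
                findings[src] = {"sprayed": users, "succeeded": succeeded}
                break
    return findings


def detect_remote_access_tools(events):
    """Process-creation events for the listed remote access tools on hosts not approved to run them."""
    hits = []
    for e in events:
        if e["event_id"] != 4688:
            continue
        exe = e["process"].rsplit("\\", 1)[-1].lower()
        if exe in REMOTE_ACCESS_TOOLS and e["host"] not in APPROVED_RMM_HOSTS:
            hits.append((e["host"], e["user"], exe))
    return hits


def detect_new_accounts(events, suspicious_users=frozenset()):
    """Account-creation events (4720); the last field is True when the creator is already suspicious."""
    return [(e["host"], e["user"], e["target_user"], e["user"] in suspicious_users)
            for e in events if e["event_id"] == 4720]


def hunt(events):
    """Run all three checks and correlate: accounts that won the spray become suspicious creators."""
    spray = detect_password_spray(events)
    compromised = set().union(*(f["succeeded"] for f in spray.values())) if spray else set()
    return {
        "password_spray": spray,
        "remote_access_tools": detect_remote_access_tools(events),
        "new_accounts": detect_new_accounts(events, compromised),
    }


if __name__ == "__main__":
    for name, result in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

Replace `SAMPLE_EVENTS` with parsed records from your SIEM or exported EVTX data; the window and user-count thresholds are deliberately low for the example and should be tuned to your environment's normal failed-logon rate.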