The cybercriminals behind the Akira ransomware group had extorted approximately $42 million in illicit proceeds after breaching the networks of more than 250 victims as of January 1, 2024.
What the authors behind the Akira ransomware have been up to
“Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe and Australia,” the cybersecurity agencies of the Netherlands and the United States, together with Europol's European Cybercrime Centre (EC3), said in a joint advisory.
“In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines.”
The double-extortion group was observed using a C++ variant of the locker in its early stages before switching to Rust-based code from August 2023. Note that this operation is unrelated to the Akira ransomware family that was active in 2017.
Initial access to target networks is gained by exploiting known flaws in Cisco ASA/FTD appliances (for example, CVE-2020-3259 and CVE-2023-20269).
The objectives of the gang behind the Akira ransomware
Other infection vectors include the use of Remote Desktop Protocol (RDP), spear-phishing, valid credentials, and virtual private network (VPN) services that lack multi-factor authentication (MFA).
The Akira operators are also known to establish persistence by creating a new domain account on the compromised system, and to evade detection by abusing the Zemana AntiMalware driver to terminate antivirus-related processes in what is known as a Bring Your Own Vulnerable Driver (BYOVD) attack.
To escalate privileges (i.e., obtain administrator rights), the adversary relies on credential-scraping tools such as Mimikatz and LaZagne, while Windows RDP is used to move laterally within the victim's network; data is exfiltrated with FileZilla, WinRAR, WinSCP and RClone.
“Akira ransomware encrypts targeted systems using a hybrid encryption algorithm that combines ChaCha20 and RSA,” Trend Micro said in an analysis of the ransomware published in October 2023.
“Additionally, the Akira ransomware binary, like most modern ransomware binaries, has a feature that allows it to inhibit system recovery by deleting shadow copies from the affected system.”
Blockchain and source code data suggest that the group behind Akira is likely affiliated with the now-defunct Conti ransomware gang. Avast released a decryptor for Akira last July, but the flaws it relied on have very likely been fixed since then.
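The persistence, BYOVD, credential-access, exfiltration and shadow-copy-deletion behaviours described above are all visible in ordinary Windows and Sysmon telemetry. The following rule-based triage is an added example written for this page, not code from the advisory or from any vendor: it runs five rules over a handful of constructed log lines in a simplified "event_id key=value" format. The event IDs follow the real Windows Security (4720 = user account created) and Sysmon (1 = process create, 6 = driver loaded) conventions; the hosts, users, paths and signer string are invented, and the Zemana driver file names (zam64.sys, zamguard64.sys) and the Mimikatz module syntax (sekurlsa::) are assumptions from public reporting rather than details named in the article.

```python
"""Rule-based triage of constructed Windows/Sysmon-style log lines for the Akira TTPs above."""
import re
from collections import Counter

# Constructed sample lines (NOT real telemetry). Format: "<event_id> key=value key="quoted value"".
# 4720 = Windows Security "user account created"; 1 = Sysmon process create; 6 = Sysmon driver loaded.
SAMPLE_LOG = r"""
4720 user=CORP\svc_backup image=C:\Windows\System32\lsass.exe target=CORP\itadmin2 cmdline=""
1 user=CORP\itadmin2 image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
6 user="NT AUTHORITY\SYSTEM" image=C:\Windows\Temp\zam64.sys cmdline="" signer="Zemana Ltd."
1 user=CORP\itadmin2 image=C:\Users\Public\m.exe cmdline="m.exe privilege::debug sekurlsa::logonpasswords"
1 user=CORP\itadmin2 image=C:\Tools\rclone.exe cmdline="rclone.exe copy D:\Finance remote:share"
1 user=CORP\alice image=C:\Windows\explorer.exe cmdline="explorer.exe"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_event(line):
    """Split one sample line into a dict; every field the rules read is present (possibly empty)."""
    event_id, _, rest = line.strip().partition(" ")
    ev = {"event_id": event_id, "image": "", "cmdline": "", "user": "", "signer": ""}
    for key, val in FIELD_RE.findall(rest):
        ev[key] = val.strip('"')
    return ev


# Each rule: (name, predicate over a parsed event). Ordered roughly along the intrusion chain.
RULES = [
    # Persistence: a new (domain) account created on the compromised host.
    ("new-account-persistence", lambda ev: ev["event_id"] == "4720"),
    # Inhibit recovery: shadow copies deleted via vssadmin or wmic.
    ("shadow-copy-deletion", lambda ev: re.search(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
        ev["cmdline"], re.I) is not None),
    # BYOVD: Zemana AntiMalware driver loaded. File names and signer are assumptions from
    # public reporting; tighten to your own driver allow-list in production.
    ("byovd-zemana-driver", lambda ev: ev["event_id"] == "6" and (
        re.search(r"zam(guard)?64\.sys$", ev["image"], re.I) is not None
        or "zemana" in ev["signer"].lower())),
    # Credential access: Mimikatz/LaZagne by name, or Mimikatz module syntax when the binary is renamed.
    ("credential-dumping-tool", lambda ev: re.search(
        r"\b(mimikatz|lazagne)\b|\b(sekurlsa|lsadump)::",
        ev["image"] + " " + ev["cmdline"], re.I) is not None),
    # Exfiltration/staging tooling named in the article (noisy on its own; correlate by user/host).
    ("exfil-tooling", lambda ev: re.search(
        r"\b(rclone|winscp|filezilla|winrar)(\.exe)?\b",
        ev["image"] + " " + ev["cmdline"], re.I) is not None),
]


def triage(log_text):
    """Return (rule_name, user, image) for every rule that fires on every line."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        for name, pred in RULES:
            if pred(ev):
                findings.append((name, ev["user"], ev["image"]))
    return findings


def summarize(findings):
    """Count hits per rule, the view an analyst wants before pivoting on user/host."""
    return Counter(name for name, _, _ in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for name, user, image in hits:
        print(f"{name:26s} user={user:22s} image={image}")
    print(dict(summarize(hits)))
```

The benign explorer.exe line produces no finding; the other five lines each trip exactly one rule. In a real pipeline these rules belong in Sysmon/EDR queries or Sigma rules, and the correlation that matters is several of them firing for the same user (here CORP\itadmin2, the account the persistence rule saw being created) within a short window.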
Akira's shift to targeting Linux enterprise environments follows similar moves by other established ransomware families such as LockBit, Cl0p, Royal, Monti and RTM Locker.
The difficulties of LockBit's return
The disclosure comes as Trend Micro revealed that the extensive law enforcement operation against the prolific LockBit gang last February had a significant operational and reputational impact on the group's ability to recover, prompting it to post old and fake victims on its new data leak site.
“LockBit was one of the most prolific and widely used RaaS strains, with potentially hundreds of affiliates, including many associated with other prominent strains,” Chainalysis observed in February.
The Russia-Ukraine war connection
The blockchain analytics firm said it had found cryptocurrency traces linking a LockBit administrator to a Sevastopol-based journalist known as Colonel Cassad, who has a history of soliciting donations for Russian military operations in the sanctioned jurisdictions of Donetsk and Lugansk since the start of the Russia-Ukraine war in 2022.
Notably, Cisco Talos in January 2022 linked Colonel Cassad (also known as Boris Rozhin) to an anti-Ukraine disinformation campaign orchestrated by the Russian state-sponsored group known as APT28.
“After the operation, LockBitSupp [the alleged leader of LockBit] appears to be trying to inflate the apparent number of victims by focusing attention on victims from countries whose law enforcement agencies participated in the disruption,” Trend Micro said in a recent in-depth analysis, adding: “This is likely an attempt to reinforce the narrative that it will come back stronger and target those responsible for its disruption.”
In an interview with Recorded Future News last month, LockBitSupp acknowledged the short-term decline in profits but vowed to improve their security measures and “work while my heart beats.”
“Reputation and trust are key to attracting affiliates, and when these are lost, it is harder to keep people coming back. Operation Cronos managed to hit one of the most important elements of its business: its brand,” Trend Micro said.
Agenda ransomware returns with an updated version
The development also follows the Agenda ransomware group's (also known as Qilin and Water Galura) use of an updated Rust variant to infect VMware vCenter and ESXi servers via remote monitoring and management (RMM) tools and Cobalt Strike.
“Agenda ransomware's ability to propagate to virtual machine infrastructure shows that its operators are also expanding to new targets and systems,” the cybersecurity company said.
Even as a new wave of ransomware operators continues to reshape the threat landscape, it is becoming increasingly clear that “rudimentary, cheap ransomware” sold in the cybercrime underground is being used in various attacks, allowing lower-level individual threat actors to generate significant profits without having to be part of a well-organized group.
Interestingly, most of these variants are available for a one-time price starting at just $20 for a single build, while others such as HardShield and RansomTuga are offered at no additional cost.
“Far from the complex infrastructure of modern ransomware, junk-gun ransomware lets criminals get in on the action cheaply, easily and independently,” Sophos said, describing it as a “relatively new phenomenon” that further lowers the cost of entry.
“We can target small businesses and individuals, who likely do not have the resources to defend themselves or respond effectively to incidents, without giving anyone else a [another] slice.”