Federal authorities are issuing a warning to the health sector regarding the emergence of Akira, a ransomware-as-a-service group. This group has been responsible for numerous attacks on predominantly small and midsized organizations across various industries over the past six months. The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center has identified that Akira targets organizations that have not implemented multifactor authentication on their virtual private networks. The group carries out double-extortion attacks, stealing data and then encrypting it with ransomware.
Akira gains access through compromised credentials and exploits vulnerabilities in virtual private networks, particularly where multifactor authentication is absent. The group also employs other attack methods such as phishing emails, malicious websites, drive-by download attacks, and Trojans.
Researchers have noticed similarities between Akira and the disbanded Conti ransomware group, including code overlap and the use of ChaCha 2008. Additionally, both groups avoid encrypting certain directories, such as winnt and Trend Micro. Akira has targeted various sectors, including healthcare, finance, real estate, and manufacturing. Prior to encrypting files, Akira steals the victim organization’s data and threatens to release it publicly unless a ransom is paid. The group offers victims a lower-cost option to not pay for a decryptor and to prevent the publication of sensitive information.
The malware used by Akira removes shadow volume copies and assigns the ‘.akira’ extension to encrypted files. The assailants also make efforts to move laterally and escalate their privileges by dumping LSASS credentials. Akira’s ransom demands range from $200,000 to $4 million.
In June, a security firm released a free decryptor for Akira ransomware, but it is unclear if this has deterred the group’s attacks. The group’s dark web site claims to have had 96 victims, according to threat intelligence firm Darkfeed.io. Security firm Rapid7 reported increased threat activity targeting Cisco ASA SSL VPN appliances by Akira and LockBit groups. Rapid7’s managed services teams responded to incidents resulting in ransomware deployment. Almost 40% of incidents responded to by Rapid7 in the first half of 2023 were caused by the lack of multifactor authentication on VPN or virtual desktop infrastructure.
Experts emphasize the importance of implementing multifactor authentication and other cybersecurity measures to reduce the risk of cyberattacks. Organizations are advised to update and patch systems regularly, implement account lockout policies, apply network segmentation, and have a robust recovery and incident response plan in place.
CyberSec84 | Cybersecurity news. 
Leave a comment