Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Akira Ransomware. Show all posts
USA
Akira Ransomware Canada cyber attack Cyber Attacks Ransomware ransomware attacks USA

Akira Ransomware Unleashes Cyber Storm: Targets North American Companies

In the continually changing realm of cyber threats, organizations find themselves urgently needing to strengthen their cybersecurity measures to combat the increasing complexity of ransomware attacks. The focus is on Akira, a recently discovered ransomware family, highlighting a group of cyber adversaries armed with advanced tactics and led by highly skilled individuals. 

In a recent analysis of blockchain and source code data, the Akira ransomware has surged to prominence, rapidly establishing itself as one of the fastest-growing threats in the cyber landscape. This surge is attributed to its adept utilization of double extortion tactics, adoption of a ransomware-as-a-service (RaaS) distribution model, and the implementation of unique payment options. 

Who are the Targets? 

The Akira ransomware made its debut in March 2023, and its sights are set on companies in the United States and Canada. But what is really catching attention is its unique Tor leak site, which, as per Sophos' report, brings back vibes of "1980s green-screen consoles." Users need to type specific commands to navigate through this throwback-style interface. 

What is even more intriguing is that, despite sharing the same .akira file extension for encrypted files, the new Akira is nothing like its 2017 counterpart when it comes to the code under the hood. This twist highlights the ever-evolving nature of cyber threats, where old names come back with a new style and a fresh set of tricks. 

The Akira encryptor 

The Akira ransomware was found by MalwareHunterTeam, and they shared a part of it with BleepingComputer. When it starts working, Akira does something serious – it deletes Windows Shadow Volume Copies on the device. It uses a special command to do this: 

powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject" 
 
Furthermore, linkages between the Akira ransomware group and the now-defunct Conti ransomware gang have come to light, indicating a potential affiliation. Conti, renowned as one of the most notorious ransomware families in recent history, is believed to have evolved from the highly targeted Ryuk ransomware, marking a lineage of prolific cyber threats. The intricate connections between these ransomware entities underscore the evolving nature of cyber threats and the persistence of criminal organizations in adapting and expanding their malicious operations.
Read more »
US Energy Service
Akira Ransomware BHI Energy Data Breach Personal Data Breach Ransomware attack US Energy Service

US Energy Service Shared Details on How Akira Ransomware Hacked its Network


US energy service firm BHI Energy recently shared how it compromised its network and data in a ransomware campaign conducted by the Akira ransomware.  

BHI Energy, a division of Westinghouse Electric Company, provides specialized engineering services and workforce solutions to support government and private-run power generation facilities, including nuclear, wind, solar, and fossil fuel units and transmission and distribution lines for energy. 

The company has sent a data breach notification to affected individuals, where it has provided details on how the ransomware gang (Akira) breached its network on May 30, 2023.  

The Akira threat actor initiated the attack by utilizing the compromised VPN credentials of a third-party contractor to gain entry to BGI Energy's internal network. 

"Using that third-party contractor's account, the TA (threat actor) reached the internal BHI network through a VPN connection[…]In the week following initial access, the TA used the same compromised account to perform reconnaissance of the internal network," the breach notification read.  

On June 16, 2023, the Akira operators checked the network again to see how much data had been taken. The threat actors took 690 GB of data, including the Windows Active Directory database of BHI, in 767k files between June 20 and June 29.

After obtaining the data from BHI's network, the threat actors deployed the Akira ransomware on every targeted system to encrypt files on June 29, 2023. At this point, the IT staff at BHI were aware that the business had been compromised. 

The data obtained by the ransomware group involved the personal information of the victim. In an investigation held on September 1, 2023, it was revealed that the stolen data included: 

  • Full name 
  • Date of birth 
  • Social Security Number (SSN) 
  • Health information
The firm confirms that in order to assist them in recovering the affected systems, they got in touch with external experts and informed law enforcement about the breach. On July 7, 2023, the threat actor's access to BHI's network was eliminated. 

The firm claims that it was able to restore its systems without having to pay a ransom because it was able to retrieve data from a cloud backup solution that was unaffected by the ransomware attack.

Moreover, by implementing multi-factor authentication for VPN access, resetting all passwords globally, expanding the deployment of EDR and AV technologies to cover every area of its environment, and decommissioning legacy systems, BHI strengthened its security protocols even further.  

Read more »
Vulnerabilities and Exploits
Akira Ransomware Cisco COTS Cyberattacks CyberCrime Data Loss LSASS Malicious Attacks MFA Ransomware VPN Vulnerabilities and Exploits

Akira Ransomware Unleashes a New Wave of Attacks via Compromised Cisco VPNs

 


The Cisco Network Security Division is aware of reports suggesting that malicious individuals are infiltrating organizations through Cisco VPNs that are not configured for multi-factor authentication with the Akira ransomware threat. In some instances, threat actors are targeting organizations that do not configure multi-factor authentication for their VPN users. Some instances have been observed where threat actors are targeting organizations that are not doing so. 

It has been verified by several cybersecurity firms that Cisco VPN products are being targeted with ransomware, and there are reports that the perpetrators are members of a relatively new gang known as Akira who have perpetrated the attack. 

Typically, this ransomware campaign is targeted at corporate entities to gain sensitive information about them and make money through charging ransoms as a means of obtaining this sensitive information. All members of Akira have to do to access their accounts is to log in to the VPN service by using their Akira account details. 

As part of Cisco's investigation of similar attack tactics, the company has actively collaborated with Rapid7. Thanks to Rapid7 for providing Cisco with a valuable collaboration over the last few months. To provide secure, encrypted data transmission between users and corporate networks, Cisco VPN solutions are widely adopted across a wide range of industries, primarily by employees who work remotely and rely on these solutions to do so. 

The Akira Ransomware Attack 


As of March 2023, there have been multiple instances of the Akira ransomware. To attack VMware ESXi servers, the group developed an encryptor for Linux that, like many other ransomware gangs, targets this server type.

If the ransom demands are not met, the threat actors responsible for the Akira ransomware will employ a variety of extortion strategies and they will run a website using the Tor network (with an IP address ending in .onion) that lists victims and the information they have stolen from them. To begin negotiations, victims are instructed to contact the attackers via a TOR-based website, through a unique identifier provided in the ransom message, that can be used to contact them. 

It was first discovered by Sophos researchers in May that the ransomware gang was abusing VPN accounts to breach a network with the use of "VPN access using Single Factor authentication." A person known as 'Aura', who responded to multiple Akira attacks as part of the Akira operation, shared on Twitter further information about how he and other incident responders dealt with incidents that were carried out using Cisco VPN accounts that were not protected by multi-factor authentication. 

Akira is a malicious program that targets not only corporations but also educational institutions, real estate, healthcare, manufacturing, as well as the financial sector. As part of its encryption capabilities, the Linux versions of Akira ransomware make use of the Crypto++ library to enable the encryption process on the target device. Akira offers only a limited number of commands, but there are no options to shut down VMs before encrypting them using Akira. 

With the -n parameter of the command, there is still the possibility of the attacker modifying the encryption speed and the chance that the victim's data can be recovered. Consequently, if the encryption speed is high, there is a slim chance that the victim who is hiding the data will be able to recover it with the help of a decryption tool. 

The first indication of Akira's activities was picked up by a cybersecurity firm based in the US in March 2023, called Arctic Wolf. Their research shows that small and medium-sized businesses worldwide have been the main target of attackers and that they have paid particular attention to the US and Canada in particular. Akira, as well as Conti's operators, have also been linked between the researchers. 

There was a recent report from the SentinelOne WatchTower, shared privately with BleepingComputer, that looked at the same attack method and speculated that Akira may have exploited a newly discovered vulnerability in Cisco VPN software that may be able to bypass authentication in the absence of the multi-factor authentication mechanism. 

In leaked data posted on the Akira group's extortion page, SentinelOne found evidence that the ransomware group used Cisco VPN gateways. At least eight instances were observed that displayed Cisco VPN-related characteristics, which shows that the ransomware gang is continuing to use Cisco VPN gateways as part of their ongoing extortion scheme. 

Implementing VPNs Without MFA


As a general rule, when an attacker tries to target VPNs or any other type of network services or applications, the first stage of their attack is to exploit an exposed service or application. In many cases, attackers focus on the fact that there is no multi-factor authentication (MFA) or there is a known vulnerability in VPN software in the form of software that has multi-factor authentication. 

Once the attackers have gained access to a target network, they attempt to breach the network using LSASS dumps (Local Security Authority Subsystem Service) to obtain credentials that will enable them to move further within the network and raise privileges if necessary. 

There have also been reports that this group has been using other tools, such as Living-Off-The-Land Binaries (LOLBins) or Commercial Off-The-Shelf (COTS) tools, or creating minidump files, to gather further intelligence about or pivot within the target network, as well as using other tools commonly referred to as Living-Off-The-Land Binaries (LOLBins) or Commercial Off-The-Shelf tools (COTS). 

Moreover, SentinelOne researchers observed that Akira operators maintained access to compromised networks by using the legitimate open-source remote access tool RustDesk which works similarly to RustDesk. It has been announced that cybersecurity company Avast has released a free decryptor that can be used by victims of the Akira ransomware to restore their valuable data without having to pay a ransom.

It was decided by the threat actors to encrypt their encryptors by patching them. By doing so, they would prevent victims from using them to recover data that was encrypted by the newer version of the encryption. Business users prefer Cisco VPN products due to their reliability and ease of use. 

Data transmission between networks/users can be made more secure with this technique, which is relied upon by organizations. Those who work in a hybrid or remote environment are expected to comply with it as a matter of course. That is why there might be a desire on the part of threat actors to exploit the vulnerability. Data loss and computer extortion attempts from ransomware operators can be prevented by organizations remaining vigilant and ensuring foolproof digital security measures.
Read more »
Subscribe to: Posts (Atom)