Arika ransomware, which initially targeted Windows systems, has evolved significantly since its emergence in March. It has now expanded its scope to include Linux servers, employing a diverse set of tactics, techniques, and procedures (TTPs).

A comprehensive report by LogPoint delves into the highly sophisticated nature of Akira ransomware. This malware encrypts victim files, erases shadow copies, and demands a ransom for data recovery. The attack chain actively exploits the CVE-2023-20269 vulnerability, focusing on Cisco ASA VPNs lacking multifactor authentication as an entry point.

As of early September, the group had successfully targeted 110 victims, with a particular emphasis on the US and the UK. A notable recent victim was the British quality-assurance company Intertek. The group also set its sights on manufacturing, professional services, and automotive organizations.

According to a recent report from GuidePoint Security's GRI, educational institutions have borne a disproportionate brunt of Akira's attacks, accounting for eight out of its 36 observed victims.

The ransomware campaign involves multiple strains of malware that carry out distinct steps, including shadow copy deletion, file search, enumeration, and encryption when executed.

Akira employs a double-extortion technique: it steals personal data, encrypts it, and then extorts money from the victims. If payment is refused, the group threatens to release the data on the Dark Web.

Upon gaining access, the group utilizes tools such as AnyDesk and RustDesk for remote desktop access, as well as WinRAR for encryption and archiving. Additionally, the advanced system information tool and task manager PC Hunter assist the group in lateral movement through compromised systems, alongside wmiexc.

The group can also disable real-time monitoring to avoid detection by Windows Defender, and shadow copies are eliminated through PowerShell. Ransom note files are deposited across the victim's system, containing payment instructions and decryption assistance.

Anish Bogati, a security research engineer at Logpoint, highlights that Akira's use of Windows internal binaries (also known as LOLBAS) is particularly concerning. These binaries typically go unnoticed by endpoint protection and are already present in the system, sparing adversaries the need to download them.

Bogati emphasizes that the ability to create a task configuration for encryption parameters without manual intervention shouldn't be underestimated.

Taking Countermeasures

Bogati underscores the need for organizations to implement MFA and restrict permissions to prevent brute-force attacks on credentials. Keeping software and systems up-to-date is crucial in staying ahead of adversaries exploiting newly discovered vulnerabilities.

The report also recommends auditing privileged accounts and providing regular security awareness training. Network segmentation is advised to isolate critical systems and sensitive data, reducing the risk of breaches and limiting lateral movement by attackers.

Bogati suggests organizations should consider blocking unauthorized tunneling and remote access tools, like Cloudflare ZeroTrust, ZeroTier, and TailScale, which are often employed by adversaries to gain covert access to compromised networks.

The Akira group, named after a 1988 Japanese anime cult classic, emerged as a significant cyber threat force in April of this year, primarily focusing on Windows systems.

The transition by Akira into Linux enterprise environments mirrors similar moves by more established ransomware groups like Cl0p, Royal, and IceFire. Akira represents a new wave of ransomware actors reshaping the threat landscape, marked by the emergence of smaller groups and new tactics. Established gangs like LockBit are witnessing fewer victims.

Among the newer ransomware groups are 8Base, Malas, Rancoz, and BlackSuit, each with its distinct characteristics and targets.

Bogati warns that, judging by their victim count, Akira is poised to become one of the most active threat actors. They are developing multiple variants of their malware with various capabilities and are poised to exploit unpatched systems at every opportunity.