Akira attacks Vincentz Network

Incident Date:

January 11, 2024

World map

Overview

Title

Akira attacks Vincentz Network

Victim

Vincentz Network

Attacker

Akira

Location

Hannover, Germany

Germany, Germany

First Reported

January 11, 2024

Akira Ransomware Group's Attack on Vincentz Network

Akira ransomware group claimed an attack on Vincentz Network. The group obtained over 70GB of corporate data, including detailed financial and operational documents, databases with HR information, and accounting files. Vincentz Network is in partnership with different industries in the national and international markets. These include geriatric care, the paint industry, the automotive industry, furniture production, painting technology, technical dealers, and ambitious woodworkers.

Akira's Emergence and Tactics

Akira first emerged in March 2023, and the group may have links to the notorious Conti gang, although this is difficult to ascertain given the Conti code was leaked in 2022. Interestingly, Akira’s extortion platform includes a chat feature for victims to negotiate directly with the attackers, and it has been observed that Akira will inform victims who have paid a ransom of the infection vectors they leveraged to carry out the attack. This is not ransomware “standard procedure”, as many ransomware operators have engaged in multiple attacks on the same victim. A decrypter was released that may have worked on earlier variants or obscure samples of Akira, but its utility has proven to be null for recovery.

Attack Volume and Ransom Demands

Akira maintains a modest but growing attack volume, putting them in about the middle of the pack when compared to other ransomware operators. Ransom demands appear to range between $200,000 to more than $4 million.

Technical Capabilities

Akira operates a RaaS written in C++ that is capable of targeting both Windows and Linux systems, typically by exploiting credentials for VPNs. Akira modules will delete Windows Shadow Volume Copies leveraging PowerShell and is designed to encrypt a wide range of file types while avoiding Windows system files with .exe, .lnk, .dll, .msi, and .sys extensions. Akira also abuses legitimate LOLBins/COTS tools like PCHunter64, making detection more difficult.

Exploiting Vulnerabilities

In July, a Linux variant for Akira was detected in the wild, and the group was also observed remotely exploiting a zero-day in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software (CVE-2023-20269) in brute-force attacks since at least August. Akira has also been observed exploiting VMware ESXi vulnerabilities for lateral movement. The group has attacked dozens of organizations across multiple industry verticals including education, finance, and manufacturing.

Double Extortion Tactics

Akira operations include data exfiltration for double extortion with the threat to expose or sell the data should the victim fail to come to terms with the attackers and is assessed to have leaked gigabytes of stolen data from victims.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.