Marigin AG Hit by Akira Ransomware Attack

Incident Date: May 20, 2024

Overview

Victim: Marigin AG
Attacker: Akira
Location: Feusisberg, Switzerland
First Reported: May 20, 2024

Company Profile: Marigin AG

Marigin AG, a prominent veterinary clinic headquartered in Feusisberg, Switzerland, offers a range of services for animals including dogs, cats, small animals, and exotics. Established in 2008, the clinic provides advanced medical and surgical treatments, boarding facilities, and specialized services such as MRI, CT, and X-ray scans. Known for its state-of-the-art facilities and 24/7 emergency services, Marigin AG has built a reputation for comprehensive pet care.

Overview of the Attack

In June 2024, Marigin AG became a victim of a ransomware attack by the notorious Akira group. The cybercriminals exfiltrated 60 GB of data, including sensitive client and employee information as well as operational details. The attack was significant given the clinic's extensive database and the critical nature of its services.

Details of the Akira Ransomware Group

The Akira ransomware group emerged in March 2023 and has quickly become a major threat, targeting over 250 organizations and amassing approximately $42 million in ransom payments. Akira's operations span various sectors including healthcare, government, manufacturing, and education, with a notable focus on small- to medium-sized businesses in Europe, North America, and Australia.

Akira is believed to have links to the now-defunct Conti ransomware gang, sharing similar code and tactics. The group employs double extortion methods, stealing data before encrypting systems and demanding ransoms for both decryption and non-disclosure. Their ransom demands range from $200,000 to over $4 million.

Attack Tactics and Techniques

Akira ransomware operators often gain initial access through compromised VPN credentials or by exploiting vulnerabilities in VPN software. Once inside the network, they use tools like RClone, FileZilla, and WinSCP for data exfiltration. The group is also known for disabling security defenses to avoid detection and maintaining persistence using tools like AnyDesk and custom-made Trojans.

The group's shift in tactics includes the deployment of a Linux variant targeting VMware ESXi virtual machines, expanding their attack surface significantly. Akira typically leaves no initial ransom demand on compromised networks, instead contacting victims directly to negotiate payments in Bitcoin.
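
A defender can hunt for the exfiltration and remote-access tools named above in process-creation telemetry. The following is an added example, not part of the original report: it assumes events shaped like Sysmon process-creation records (Event ID 1) with `Computer`, `User`, `Image` and `OriginalFileName` fields, and the watchlist stems, sample events and allow-list are constructed for illustration.

```python
import ntpath

# Tools the page names, mapped to the role it describes for them.
# The file-name stems are assumptions about how each binary is usually named.
WATCHLIST = {
    "rclone": "exfiltration",
    "filezilla": "exfiltration",
    "winscp": "exfiltration",
    "anydesk": "remote access / persistence",
}

def _stem(path):
    """Lower-cased file name without extension, for Windows-style paths."""
    name = ntpath.basename(path or "").lower()
    return name.rsplit(".", 1)[0]

def classify(event, approved=frozenset()):
    """Return a finding for one process-creation event, or None.

    Both the on-disk image name and the PE OriginalFileName are checked, so a
    renamed copy still matches. (host, tool) pairs in `approved` are skipped.
    """
    image = _stem(event.get("Image"))
    original = _stem(event.get("OriginalFileName"))
    for tool, role in WATCHLIST.items():
        if tool in (image, original):
            host = event.get("Computer")
            if (host, tool) in approved:
                return None
            return {"host": host, "user": event.get("User"), "tool": tool,
                    "role": role, "renamed": image != tool}
    return None

def hunt(events, approved=frozenset()):
    """Classify every event and keep only the findings."""
    return [f for f in (classify(e, approved) for e in events) if f]

# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    {"Computer": "FS01", "User": "CORP\\svc_backup",
     "Image": r"C:\ProgramData\svhost.exe", "OriginalFileName": "rclone.exe"},
    {"Computer": "HELPDESK02", "User": "CORP\\alice",
     "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe"},
    {"Computer": "WS07", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
    {"Computer": "DC01", "User": "CORP\\admin",
     "Image": r"C:\Users\Public\WinSCP.exe", "OriginalFileName": None},
]
APPROVED = {("HELPDESK02", "anydesk")}  # constructed allow-list: sanctioned helpdesk use
```

Calling `hunt(SAMPLE_EVENTS, APPROVED)` returns the findings. A `renamed` value of `True` means the on-disk name does not match the tool's embedded name, which deserves higher triage priority than a plain match.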

Implications and Industry Impact

The attack on Marigin AG highlights the vulnerabilities within the healthcare sector, particularly for organizations heavily reliant on technology and sensitive data. The breach underscores the importance of robust cybersecurity measures, including multifactor authentication, regular software updates, and vigilant monitoring for unusual activities.
