Ransomware Attack on Usina Alta Mogiana by Akira Group: Key Details & Impact

Incident Date: July 10, 2024

Overview

Victim: Usina Alta Mogiana SA

Attacker: Akira

Location: São Joaquim da Barra, Brazil

First Reported: July 10, 2024

Ransomware Attack on Usina Alta Mogiana S.A. by Akira Group

Overview of Usina Alta Mogiana S.A.

Usina Alta Mogiana S.A. (UAM) is a prominent Brazilian company headquartered in São Joaquim da Barra, São Paulo. Founded in 1983, UAM specializes in the production of sugar, ethanol, and electricity. The company processes over 6 million tons of sugarcane annually, producing around 10.5 million sacks of sugar, more than 180 million liters of ethanol, and generating 200,000 MWh of electricity through cogeneration. UAM is known for its commitment to sustainability, quality assurance, and social responsibility, making it a key player in Brazil's agricultural and energy sectors.

Details of the Ransomware Attack

In June 2024, UAM fell victim to a ransomware attack orchestrated by the Akira group. The cybercriminals successfully compromised the company's systems, stealing approximately 123 GB of confidential data, including sensitive employee information. The attack has raised significant concerns about the protection of personal and corporate data within the organization.

About the Akira Ransomware Group

Akira is a rapidly growing ransomware family that emerged in March 2023. The group targets small to medium-sized businesses across various sectors, including government, manufacturing, technology, and agriculture. Akira is believed to be affiliated with the now-defunct Conti ransomware gang, sharing similarities in their code. The group employs double extortion tactics, stealing data before encrypting systems and demanding a ransom for both decryption and data deletion. Akira's ransom demands typically range from $200,000 to over $4 million.

Penetration and Tactics

Akira's operators use unauthorized access to VPNs, credential theft, and lateral movement to deploy ransomware. They have been observed using tools like RClone, FileZilla, and WinSCP for data exfiltration. In some cases, Akira has deployed a previously unreported backdoor. The group expanded its operations in April 2023 to target Linux-based VMware ESXi virtual machines in addition to Windows systems. As of January 2024, Akira has claimed over 250 victims and $42 million in ransomware proceeds.
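One way to hunt for the exfiltration tools named above in process-creation telemetry, as an added example that is not part of the original report. The event fields (`host`, `image`, `command_line`), the sample events and the severity labels are constructed assumptions, as is the idea that a renamed rclone binary is still invoked with rclone-style arguments.

```python
import re
from pathlib import PureWindowsPath

# Exfiltration tools named in the report, keyed by executable stem.
EXFIL_TOOLS = {"rclone": "RClone", "filezilla": "FileZilla", "winscp": "WinSCP"}
# rclone transfer verb followed by a "remote:path" argument. The remote name
# must be 2+ characters so Windows drive letters (C:) do not match.
RCLONE_ARGS = re.compile(r"\b(copy|sync|move)\b.*\s[\w-]{2,}:\S*", re.I)
# WinSCP unattended mode: scripted transfers instead of the GUI.
WINSCP_SCRIPTED = re.compile(r"/(script|command)\b", re.I)

# Constructed process-creation events (hypothetical hosts, paths and remotes).
SAMPLE_EVENTS = [
    {"host": "FS01", "image": r"C:\ProgramData\rclone.exe",
     "command_line": r"rclone.exe copy D:\Shares remote01:bucket --transfers 16"},
    {"host": "FS01", "image": r"C:\Windows\Temp\svch0st.exe",
     "command_line": r"svch0st.exe sync E:\HR backup:hr --config C:\Windows\Temp\a.conf"},
    {"host": "WS22", "image": r"C:\Program Files (x86)\WinSCP\WinSCP.com",
     "command_line": r"WinSCP.com /script=C:\Users\Public\up.txt"},
    {"host": "WS07", "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe",
     "command_line": "filezilla.exe"},
    {"host": "WS07", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c copy C:\a.txt D:\b.txt"},
]

def classify(event):
    """Return (tool, severity, reason) for one event, or None if unrelated."""
    stem = PureWindowsPath(event["image"]).stem.lower()
    cmd = event["command_line"]
    tool = EXFIL_TOOLS.get(stem)
    # Match on arguments too, so a renamed rclone binary is still flagged.
    if tool in (None, "RClone") and RCLONE_ARGS.search(cmd):
        reason = "transfer to remote" if tool else "rclone-style arguments, image name differs"
        return ("RClone", "high", reason)
    if tool == "WinSCP" and WINSCP_SCRIPTED.search(cmd):
        return (tool, "high", "scripted transfer")
    if tool:
        return (tool, "review", "tool present; confirm it is sanctioned on this host")
    return None

def scan(events):
    """Return findings as (host, tool, severity, reason) tuples."""
    return [(e["host"], *hit) for e in events if (hit := classify(e))]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Name-based matching alone misses renamed binaries and flags legitimate admin use, so findings marked `review` need to be checked against the list of tools sanctioned on that host.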

Vulnerabilities and Impact

UAM's extensive digital infrastructure and reliance on interconnected systems made it a prime target for ransomware attacks. The breach highlights the vulnerabilities in protecting sensitive data and the need for robust cybersecurity measures. The attack has not only disrupted UAM's operations but also posed significant risks to employee privacy and corporate integrity.
