FBI and CISA Issue Updated Alert on Akira Ransomware


April 29, 2024

World map

The FBI and CISA, along with Europol’s EC3 and the Netherlands’ NCSC-NL, released a joint alert on known Akira ransomware IOCs and TTPs.

"Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines,” the alert states.

"As of January 1, 2024, the ransomware group has impacted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds. The FBI, CISA, EC3, and NCSC-NL encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.”

Takeaway: Akira first emerged in March 2023, and the group may have links to the notorious Conti gang, although this is difficult to ascertain given the Conti code was leaked in 2022.  

Despite being a relatively new player, Akira is one of the most active groups and accounts for many ransom incidents in Q1-2024. ‍

Akira operations include data exfiltration for double extortion with the threat to expose or sell the data should the victim fail to come to terms with the attackers and is assessed to have leaked gigabytes of stolen data from victims.

Interestingly, Akira’s extortion platform includes a chat feature for victims to negotiate directly with the attackers, and it has been observed that Akira will inform victims who have paid a ransom of the infection vectors they leveraged to carry out the attack.  

This is not ransomware “standard procedure” as many ransomware operators have engaged in multiple attacks on the same victim leveraging the same vulnerabilities.  

Akira operates a RaaS written in C++ that is capable of targeting both Windows and Linux systems, typically by exploiting credentials for VPNs. There are also indications Akira released versions written in Rust, a secure programming language that can enable security tool evasion.

Akira modules will delete Windows Shadow Volume Copies leveraging PowerShell and is designed to encrypt a wide range of file types while avoiding Windows system files with .exe, .lnk, .dll, .msi, and .sys extensions.  

Akira also abuses legitimate LOLBins/COTS tools like PCHunter64, making detection more difficult.‍  

In 2023, a Linux variant for Akira was detected in the wild, and the group was also observed remotely exploiting a zero-day in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software (CVE-2023-20269) in brute-force attacks.  

Akira has also been observed exploiting VMware ESXi vulnerabilities for lateral movement. A decrypter was released that may have worked on earlier variants or obscure samples of Akira, but its utility has proven to be null for recovery.‍

‍Akira maintains a modest but growing attack volume, putting them in about the middle of the pack when compared to other ransomware operators.‍ Ransom demands appear to range between $200,000 to more than $4 million.

‍The group is heavily focused on the healthcare sector and has also attacked dozens of organizations across multiple industry verticals including education, finance, and manufacturing.‍

Notable victims include Nissan, Royal College of Physicians and Surgeons, 4LEAF, Park-Rite, Family Day Care Services, The McGregor, Protector Fire Services, QuadraNet Enterprises, Southland Integrated.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.