
Akira Ransomware Gang Drains $42M from More Than 250 Firms, FBI Reports


The Akira ransomware group has been targeting businesses and critical infrastructure entities across North America, Europe, and Australia since March 2023, according to the United States Federal Bureau of Investigation (FBI).

As of January 1, 2024, the FBI estimated that the group had breached more than 250 organizations and collected approximately $42 million in ransom payments. Akira initially targeted Windows systems, but since April 2023 it has also deployed a Linux variant that targets VMware ESXi virtual machines.

FBI And Other Agencies Advisory on Akira

The FBI, CISA, Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL) released a joint Cybersecurity Advisory (AA24-109A) to alert the public about the threat.

The advisory states that Akira gains initial access mainly through virtual private network (VPN) services that lack multifactor authentication (MFA). Once inside, the actors harvest credentials and exfiltrate sensitive data before encrypting systems and dropping a ransom note, so victims face both data leakage and loss of access (double extortion).

According to the advisory, Akira actors do not leave an initial ransom demand or payment instructions on compromised networks. The ransom note only tells the victim how to reach the group, and the demand is relayed after the victim makes contact, which is a distinctive feature of this group's extortion model.

The group demands payment in Bitcoin (BTC was trading at about $64,254 at the time of writing) in exchange for restoring access. The advisory also notes that Akira actors disable security software after initial access to evade detection, using PowerTool to exploit the Zemana AntiMalware driver and terminate antivirus-related processes.

To mitigate the threat, the advisory recommends implementing a recovery plan, requiring MFA for all services (VPN and remote access in particular), filtering network traffic, disabling unused ports and disabling hyperlinks in received emails, and maintaining offline backups that are encrypted and immutable. The FBI, CISA, NCSC, and NSA have previously issued alerts about malware targeting crypto wallets and exchanges.

It also recommends validating the organization's security controls against the behaviors described in the advisory: select an ATT&CK technique, align the relevant security technologies to it, and test them in a production environment rather than assuming they work as configured.

The malware exfiltrates data, including the contents of the directories used by the Binance and Coinbase exchange applications and the Trust Wallet application. All files in the listed directories are exfiltrated regardless of type, as per the report.

Notably, once inside the network, Akira actors establish persistence by creating new domain accounts, and they use post-exploitation credential-scraping tools such as Mimikatz and LaZagne to harvest further credentials and move laterally.
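The two behaviors the advisory emphasizes, single-factor VPN logins for initial access and new domain accounts plus credential-dumping tools for persistence, are the kind of activity a SOC can catch in logs before encryption starts. The following is an added example, not code from the advisory or from this article: a small Python detector that runs per-event rules over constructed, normalized SIEM-style records (a VPN authentication event and Windows Security events 4720, 4728 and 4688) and a sequence rule that links a no-MFA VPN login to a domain account created by the same user shortly afterwards. The event schema, field names, hostnames, usernames and the two-hour correlation window are all assumptions for illustration; findings are tagged with the MITRE ATT&CK technique IDs the advisory uses.

```python
"""Detection logic for the Akira-style intrusion chain described above.

Added example: not code from the advisory or from this article. Event
records, field names and thresholds are constructed assumptions that
resemble a normalized SIEM schema, not any vendor's real log format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed sample events (not real logs). Field names are assumptions.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2024-04-18T02:11:05Z", "source": "vpn", "action": "login_success",
     "user": "jdoe", "src_ip": "203.0.113.45", "mfa": False},
    {"ts": "2024-04-18T02:19:40Z", "source": "windows", "event_id": 4720,   # user account created
     "host": "DC01", "subject_user": "jdoe", "target_user": "svc_backup2"},
    {"ts": "2024-04-18T02:20:02Z", "source": "windows", "event_id": 4728,   # member added to global group
     "host": "DC01", "subject_user": "jdoe", "target_user": "svc_backup2",
     "group": "Domain Admins"},
    {"ts": "2024-04-18T02:35:17Z", "source": "windows", "event_id": 4688,   # process creation
     "host": "FS01", "subject_user": "svc_backup2",
     "process": r"C:\Users\Public\mimikatz.exe",
     "command_line": 'mimikatz.exe "sekurlsa::logonpasswords" exit'},
    {"ts": "2024-04-18T02:36:00Z", "source": "windows", "event_id": 4688,
     "host": "FS01", "subject_user": "svc_backup2",
     "process": r"C:\Users\Public\laZagne.exe",
     "command_line": "laZagne.exe all"},
    {"ts": "2024-04-18T09:00:00Z", "source": "vpn", "action": "login_success",
     "user": "asmith", "src_ip": "198.51.100.7", "mfa": True},              # benign: MFA present
]


@dataclass
class Finding:
    technique: str   # MITRE ATT&CK technique ID the rule is mapped to
    title: str
    ts: str
    detail: str


# Credential-dumping tools named in the advisory; matched against process path and command line.
CRED_TOOLS = ("mimikatz", "lazagne")
# Group-membership events (4728/4732/4756) are only interesting for privileged groups.
PRIV_GROUPS = {"domain admins", "enterprise admins", "administrators"}


def _parse_ts(ts: str) -> datetime:
    # datetime.fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect(events: Iterable[Dict]) -> List[Finding]:
    """Per-event rules: single-factor VPN login (initial access), new domain
    account (persistence), privileged group add, credential-dumping tool run."""
    findings: List[Finding] = []
    for e in events:
        if e.get("source") == "vpn":
            if e.get("action") == "login_success" and not e.get("mfa", False):
                findings.append(Finding("T1133", "VPN login without MFA", e["ts"],
                                        f"user={e['user']} src_ip={e['src_ip']}"))
        elif e.get("source") == "windows":
            eid = e.get("event_id")
            if eid == 4720:
                findings.append(Finding("T1136.002", "New domain account created", e["ts"],
                                        f"by={e['subject_user']} account={e['target_user']} host={e['host']}"))
            elif eid in (4728, 4732, 4756) and e.get("group", "").lower() in PRIV_GROUPS:
                findings.append(Finding("T1098", "Account added to privileged group", e["ts"],
                                        f"account={e['target_user']} group={e['group']}"))
            elif eid == 4688:
                blob = (e.get("process", "") + " " + e.get("command_line", "")).lower()
                hit = next((t for t in CRED_TOOLS if t in blob), None)
                if hit:
                    findings.append(Finding("T1003", f"Credential-dumping tool executed ({hit})", e["ts"],
                                            f"user={e['subject_user']} host={e['host']} process={e['process']}"))
    return findings


def correlate_access_to_persistence(events: Iterable[Dict],
                                    window: timedelta = timedelta(hours=2)) -> List[Finding]:
    """Sequence rule: a user who logged in over VPN without MFA and then created
    a domain account within `window` (the initial-access -> persistence chain)."""
    events = list(events)
    chains: List[Finding] = []
    for login in events:
        if not (login.get("source") == "vpn" and login.get("action") == "login_success"
                and not login.get("mfa", False)):
            continue
        t0 = _parse_ts(login["ts"])
        for e in events:
            if (e.get("source") == "windows" and e.get("event_id") == 4720
                    and e.get("subject_user") == login["user"]
                    and t0 <= _parse_ts(e["ts"]) <= t0 + window):
                chains.append(Finding("T1133 -> T1136.002",
                                      "Single-factor VPN login followed by domain account creation", e["ts"],
                                      f"user={login['user']} src_ip={login['src_ip']} new_account={e['target_user']}"))
    return chains


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS) + correlate_access_to_persistence(SAMPLE_EVENTS):
        print(f"{f.ts} [{f.technique}] {f.title}: {f.detail}")
```

On the constructed sample, the per-event rules fire five times (the no-MFA login, the 4720, the 4728 into Domain Admins, and the two 4688 tool executions) and the sequence rule fires once for `jdoe`; the MFA-protected login by `asmith` produces nothing. In production the per-event rules are noisy on their own (help desks create accounts all day), which is why the correlated chain is the alert worth paging on, and why requiring MFA on the VPN removes the first link entirely.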

The agencies conclude that organizations should continually test their security programs, at scale and in a production environment, to confirm they detect and block the MITRE ATT&CK techniques identified in the advisory.
