
Expertise for Ransomware Soars to Akira Upon LockBit’s Decline


Yelisey Bohuslavskiy, senior analysis officer at RedSense, wrote in a LinkedIn post that “one of the Akira ransomware groups receives an immense number of competent neo-Conti pen-testers who plan to target ‘healthcare infrastructure in the U.S.’”

Ransomware groups use the term “pen testers” as a euphemism for the hands-on-keyboard intruders who break into target networks, deploy crypto-locking malware and then extort the victim. The cover story is that the extortion payment is simply a fee for penetration testing services.

The implication is that intruders who previously worked with LockBit are likely to carry on with the same operations, now under the Akira brand. That has consequences for potential victims, especially in the healthcare sector.

According to security professionals, these intruders tend to exploit known vulnerabilities in Cisco network devices, attack unpatched VMware ESXi hypervisors, and trick users into installing remote administration and monitoring software, which the attackers then use to move through the network and deploy ransomware.
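The middle step in that chain, a user being talked into installing a remote-administration tool that the intruder then drives, is one a defender can look for in endpoint process telemetry: a legitimate tool is launched from a mail client or browser rather than by the sanctioned deployment path, and shortly afterwards it spawns an interactive shell. The following is an added example of that detection logic, not code from the article or from RedSense. The log format, the tool names, the user-facing and managed parent-process lists, and the sample events are all assumptions chosen for illustration; a real deployment would use the field names of your EDR and your own inventory of sanctioned tools.

```python
"""Flag remote-administration tools launched via user interaction, and
shells spawned by such tools, in constructed process-creation telemetry.

Added example, not from the article or from RedSense. Tool names, parent
process lists, the pipe-delimited log format and the sample events below
are assumptions for illustration only.
"""

# Assumed watchlist of remote-administration tool binaries (lower-case).
RMM_TOOLS = {
    "anydesk.exe", "teamviewer.exe", "screenconnect.clientsetup.exe",
    "splashtop_streamer.exe", "rustdesk.exe", "atera.agent.exe",
}
# Assumed: parents that mean a person clicked something (mail, browser, archiver, desktop).
USER_FACING_PARENTS = {
    "outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe",
    "winrar.exe", "7zfm.exe", "explorer.exe",
}
# Assumed: parents used by sanctioned software deployment on this estate.
MANAGED_PARENTS = {"ccmexec.exe", "msiexec.exe", "services.exe"}
# Interactive shells; an RMM tool spawning one means someone is hands-on-keyboard.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Constructed sample telemetry: timestamp|host|user|parent image path|child image path
SAMPLE_LOG = """\
2024-03-01T09:12:44Z|WS-RAD-07|jdoe|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|C:\\Users\\jdoe\\Downloads\\AnyDesk.exe
2024-03-01T09:13:10Z|WS-RAD-07|jdoe|C:\\Users\\jdoe\\Downloads\\AnyDesk.exe|C:\\Windows\\System32\\cmd.exe
2024-03-01T10:02:01Z|WS-LAB-02|SYSTEM|C:\\Windows\\CCM\\CcmExec.exe|C:\\Program Files\\TeamViewer\\TeamViewer.exe
2024-03-01T10:40:33Z|WS-LAB-02|mlee|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Users\\mlee\\Downloads\\ScreenConnect.ClientSetup.exe
2024-03-01T11:00:00Z|SRV-FILE-01|svc_backup|C:\\Windows\\System32\\services.exe|C:\\Program Files\\Veeam\\Veeam.Backup.Service.exe
"""


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> list[dict]:
    """Parse the pipe-delimited sample format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5:
            continue
        ts, host, user, parent, image = parts
        events.append({"ts": ts, "host": host, "user": user,
                       "parent": basename(parent), "image": basename(image)})
    return events


def detect_rmm_abuse(events: list[dict]) -> list[dict]:
    """Return findings, highest severity first, then oldest first.

    high   - RMM tool started from a user-facing app (the social-engineering
             install path), or an RMM tool spawning an interactive shell
    medium - RMM tool started from anything else not on the managed list
    info   - RMM tool started by the sanctioned deployment path (inventory only)
    """
    findings = []
    for ev in events:
        if ev["image"] in RMM_TOOLS:
            if ev["parent"] in USER_FACING_PARENTS:
                sev, why = "high", f'{ev["image"]} launched from user-facing {ev["parent"]}'
            elif ev["parent"] in MANAGED_PARENTS:
                sev, why = "info", f'{ev["image"]} deployed via managed {ev["parent"]}'
            else:
                sev, why = "medium", f'{ev["image"]} launched from unexpected {ev["parent"]}'
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "severity": sev, "reason": why})
        elif ev["parent"] in RMM_TOOLS and ev["image"] in SHELLS:
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "severity": "high",
                             "reason": f'{ev["parent"]} spawned interactive shell {ev["image"]}'})
    order = {"high": 0, "medium": 1, "info": 2}
    findings.sort(key=lambda f: (order[f["severity"]], f["ts"]))
    return findings


def hosts_needing_isolation(findings: list[dict]) -> list[str]:
    """Hosts with at least one high-severity finding, sorted for triage."""
    return sorted({f["host"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    results = detect_rmm_abuse(parse_log(SAMPLE_LOG))
    for f in results:
        print(f'{f["severity"]:6} {f["ts"]} {f["host"]:12} {f["user"]:10} {f["reason"]}')
    print("isolate:", ", ".join(hosts_needing_isolation(results)))
```

On the constructed sample this produces three high findings (AnyDesk started from Outlook, AnyDesk spawning cmd.exe, ScreenConnect started from Chrome) and one informational record for the TeamViewer install pushed by the managed deployment agent; the backup service on the file server is ignored. The point of keying on the parent process rather than on the tool itself is that the same binaries are often legitimately present, so a name-only rule would be noise, whereas "mail client or browser launches a remote-control tool, which then opens a shell" is the intrusion pattern itself.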

Ransomware Groups Over Time

The ransomware scene was dominated by Ryuk and its successor Conti from 2018 until February 2022, when Conti’s leadership publicly backed Russia’s invasion of Ukraine. That stance triggered a global backlash that made paying the group’s ransom demands untenable for many victims.

Because Akira appears to have “close ties with the Ryuk side of post-Conti,” RedSense suggests that Akira’s “initial pentesters launching Ryuk in the syndicate’s early days” were part of Zeon, the former Conti Team One that operated TrickBot.

Disruptions of Ransomware Groups

The takedown of LockBit in February and of Alphv/BlackCat in December are law enforcement’s two most significant recent actions against major ransomware gangs. Each group claimed to relaunch after its takedown, but both then appeared to go dark.

They might return. Ransomware groups frequently set up new infrastructure or rebrand. Alphv/BlackCat, for instance, was previously BlackMatter, which itself was a rebrand of DarkSide after that group’s attack on Colonial Pipeline in May 2021. Many of the participants, including operators, affiliates and contractors, along with crucial service providers such as money launderers and initial access brokers, are based in Russia, which does not extradite its nationals. When a ransomware group is disrupted, experienced practitioners simply sign up with a different operation or start a new one.

That does not mean security professionals and law enforcement agencies are not applauding the latest disruptions, particularly that of LockBit. The gang ran a ransomware-as-a-service business, supplying crypto-locking software to vetted affiliates who used it to infect victims and then shared in the profits. This model produced some of the largest ransomware attacks of recent years.

Key Defences

Thorough updating and patching of software appears to be the best line of defence against Zeon hackers. “As the group has the capabilities of hitting ESXi and cloud platforms, well-updated hypervisors and cloud backup mechanisms offer a significant obstacle for them, which we are seeing by monitoring their private discussions,” Bohuslavskiy stated.

Furthermore, “system division and isolation greatly hinder Zeon/Akira invasion movements” and help ensure that their attacks are seen.