CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) published Thursday a joint cybersecurity advisory (CSA). The notice disseminates known Akira ransomware indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) identified through FBI investigations and trusted third-party reporting as recently as February 2024.

“Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia,” the advisory disclosed. “In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines. As of January 1, 2024, the ransomware group has impacted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds.”

It added that early versions of the Akira ransomware were written in C++ and encrypted files with a [dot]akira extension; however, beginning in August 2023, some Akira attacks began deploying Megazord, a Rust-based variant that encrypts files with a [dot]powerranges extension. Akira threat actors have continued to use both Megazord and Akira, including Akira_v2 (identified by trusted third-party investigations), interchangeably.

The FBI and cybersecurity researchers have observed Akira threat actors obtaining initial access to organizations through a virtual private network (VPN) service without multifactor authentication (MFA) configured, mostly using the known Cisco vulnerabilities CVE-2020-3259 (an information disclosure flaw in the Cisco ASA and FTD web services interface that can leak memory contents, including session and credential data) and CVE-2023-20269 (an unauthorized access flaw in the ASA and FTD remote access VPN feature that permits brute-force attempts against valid credentials). Both sit on the VPN edge, which is why patching them goes hand in hand with enforcing MFA on the VPN itself. Additional methods of initial access include the use of external-facing services such as Remote Desktop Protocol (RDP), spear phishing, and the abuse of valid credentials.

The agencies identified that once initial access is obtained, Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts to establish persistence. In some instances, the FBI identified Akira threat actors creating an administrative account named ‘itadm.’ 

According to FBI and open-source reporting, Akira threat actors use post-exploitation techniques such as Kerberoasting (requesting Kerberos service tickets for accounts that have service principal names and cracking the ticket hashes offline) and extracting credentials from the process memory of the Local Security Authority Subsystem Service (LSASS). Credential-scraping tools such as Mimikatz and LaZagne aid privilege escalation. Tools such as SoftPerfect Network Scanner and Advanced IP Scanner are often used for network device discovery (reconnaissance), and Windows net commands are used to identify domain controllers and gather information on domain trust relationships.
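A detection check for the Kerberoasting technique described above, added here as an example and not code from the advisory or from any of the issuing agencies. It runs over a constructed sample of Windows Security event 4769 (Kerberos service ticket requested) fields and flags an account that requests RC4-HMAC (TicketEncryptionType 0x17) tickets for many distinct service accounts inside a short window, which is the typical footprint of Rubeus or Impacket GetUserSPNs. The sample data, the column names, and the threshold and window values are assumptions chosen for illustration.

```python
"""Flag probable Kerberoasting in exported Windows Security event 4769 records.

Heuristic: a single account requesting RC4-HMAC (0x17) service tickets for
several distinct service accounts within a short window. Modern domains issue
AES tickets by default, so a burst of RC4 requests is a strong signal.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"          # TicketEncryptionType value for RC4-HMAC
THRESHOLD = 5              # distinct service accounts (assumed tuning value)
WINDOW = timedelta(minutes=10)

# Constructed sample export, NOT real telemetry. Columns mirror the 4769 fields
# TargetUserName (account), ServiceName (service), TicketEncryptionType, IpAddress.
SAMPLE_4769 = """\
time,account,service,enc_type,client
2024-02-12T09:00:01,jdoe,FS01$,0x12,10.0.0.5
2024-02-12T09:00:09,jdoe,krbtgt,0x17,10.0.0.5
2024-02-12T08:10:00,legacyapp,svc_sql,0x17,10.0.0.30
2024-02-12T09:03:10,jsmith,svc_sql,0x17,10.0.0.77
2024-02-12T09:03:11,jsmith,svc_web,0x17,10.0.0.77
2024-02-12T09:03:11,jsmith,svc_backup,0x17,10.0.0.77
2024-02-12T09:03:12,jsmith,svc_sccm,0x17,10.0.0.77
2024-02-12T09:03:12,jsmith,svc_exchange,0x17,10.0.0.77
2024-02-12T09:03:13,jsmith,svc_sql,0x17,10.0.0.77
2024-02-12T09:03:14,jsmith,svc_veeam,0x17,10.0.0.77
2024-02-12T09:40:00,legacyapp,svc_web,0x17,10.0.0.30
"""


def load_events(text):
    """Parse the CSV export into dicts with a real datetime in 'time'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        events.append(row)
    return events


def find_kerberoasting(events, threshold=THRESHOLD, window=WINDOW):
    """Return {account: sorted list of services} for accounts whose RC4 ticket
    requests cover >= threshold distinct service accounts inside any window."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["enc_type"] != RC4_HMAC:
            continue
        svc = ev["service"]
        # krbtgt is the TGT itself; names ending in '$' are computer accounts,
        # which are not crackable Kerberoasting targets.
        if svc == "krbtgt" or svc.endswith("$"):
            continue
        by_account[ev["account"]].append(ev)

    hits = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in 'window'
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            services = {e["service"] for e in evs[start:end + 1]}
            if len(services) >= threshold:
                hits.setdefault(account, set()).update(services)
    return {acct: sorted(svcs) for acct, svcs in hits.items()}


if __name__ == "__main__":
    for acct, svcs in find_kerberoasting(load_events(SAMPLE_4769)).items():
        print(f"possible Kerberoasting by {acct}: {len(svcs)} SPN accounts {svcs}")
```

On the sample, only jsmith is reported: jdoe's requests are AES or for krbtgt, and legacyapp's two RC4 requests are 90 minutes apart and below the threshold. In production, tune the threshold against legitimate RC4-only applications and pair this with a review of which service accounts still allow RC4 at all.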

Based on trusted third-party investigations, Akira hackers have been observed deploying two distinct ransomware variants against different system architectures within the same compromise event. “This marks a shift from recently reported Akira affiliate activity. Akira threat actors were first observed deploying the Windows-specific ‘Megazord’ ransomware, with further analysis revealing that a second payload was concurrently deployed in this attack (which was later identified as a novel variant of the Akira ESXi encryptor, ‘Akira_v2’).”

The advisory highlighted that as Akira hackers prepare for lateral movement, they commonly disable security software to avoid detection. “Cybersecurity researchers have observed Akira threat actors using PowerTool to exploit the Zemana AntiMalware driver and terminate antivirus-related processes.”

It also revealed that the Akira threat actors use a double-extortion model and encrypt systems after exfiltrating data. “The Akira ransom note provides each company with a unique code and instructions to contact the threat actors via a [dot]onion URL. Akira threat actors do not leave an initial ransom demand or payment instructions on compromised networks and do not relay this information until contacted by the victim. Ransom payments are paid in Bitcoin to cryptocurrency wallet addresses provided by the threat actors.” 

The advisory added that to further apply pressure, Akira threat actors threaten to publish exfiltrated data on the Tor network, and in some instances have called victimized companies, according to FBI reporting.

The FBI, CISA, EC3, and NCSC-NL recommend organizations apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the risk of compromise by Akira ransomware. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. 

Organizations must implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location; and require all accounts with password logins to comply with NIST’s standards. They must also require multi-factor authentication for all services to the extent possible; keep all operating systems, software, and firmware up to date; and ensure timely patching, prioritizing known exploited vulnerabilities in internet-facing systems. Additionally, they should segment networks, which limits the spread of ransomware by controlling traffic flows between, and access to, the various subnetworks and by restricting adversary lateral movement.

They must also identify, detect, and investigate abnormal activity and potential traversal of the ransomware with a network monitoring tool. To aid in detecting the ransomware, organizations should implement a tool that logs and reports all network traffic, including lateral movement activity on the network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections, as they have insight into the common and uncommon network connections of each host. Organizations can also filter network traffic to prevent unknown or untrusted origins from reaching remote services on internal systems, which stops hackers from directly connecting to the remote access services they have set up for persistence.

Organizations must also install, regularly update, and enable real-time detection for antivirus software on all hosts; review domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts; audit user accounts with administrative privileges and configure access controls according to the principle of least privilege; and disable unused ports. They should also consider adding a banner to emails received from outside the organization and disabling hyperlinks in received emails.
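The account review recommended above, and the persistence technique it targets (the ‘itadm’ administrative account described earlier), can be turned into a concrete check. The following is an added example, not code from the advisory or any of the agencies: it correlates Windows Security events 4720 (user account created) with 4728/4732 (member added to a security-enabled group) and reports any account that lands in a privileged group within a short time of being created. The CSV export layout, the privileged-group list, the 24-hour window, and the sample event rows are assumptions constructed for illustration.

```python
"""Report newly created accounts that were promoted to a privileged group soon
after creation, using exported Windows Security events 4720, 4728 and 4732.
"""
import csv
import io
from datetime import datetime, timedelta

# Assumed list of groups worth alerting on; extend for environment-specific groups.
PRIVILEGED_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Account Operators", "Backup Operators", "Server Operators",
}
WINDOW = timedelta(hours=24)   # assumed: creation-to-promotion gap to flag

# Constructed sample export, NOT real telemetry.
#   4720: subject = creator, target = new account
#   4728/4732: subject = actor, member = DN of added account, group = group name
SAMPLE_EVENTS = """\
time,event_id,subject,target,member,group
2024-02-10T22:14:03,4720,backupadmin,itadm,,
2024-02-10T22:15:30,4728,backupadmin,,"CN=itadm,CN=Users,DC=corp,DC=local",Domain Admins
2024-02-11T08:02:00,4720,hr_provisioner,a.jones,,
2024-02-11T08:03:00,4728,hr_provisioner,,"CN=a.jones,OU=Staff,DC=corp,DC=local",Domain Users
2024-02-11T09:00:00,4732,localadmin,,"CN=a.jones,OU=Staff,DC=corp,DC=local",Remote Desktop Users
2024-02-09T10:00:00,4720,svc_provision,t.nguyen,,
2024-02-11T10:00:00,4728,it_ops,,"CN=t.nguyen,OU=IT,DC=corp,DC=local",Domain Admins
"""


def cn_from_dn(dn):
    """Extract the leading CN value from a distinguished name; pass through
    plain account names unchanged."""
    first = dn.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first


def load_events(text):
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        events.append(row)
    return events


def find_new_privileged_accounts(events, window=WINDOW):
    """Return a list of findings for accounts added to a privileged group within
    'window' of their 4720 creation event."""
    created = {ev["target"]: ev for ev in events if ev["event_id"] == "4720"}
    findings = []
    for ev in events:
        if ev["event_id"] not in ("4728", "4732"):
            continue
        if ev["group"] not in PRIVILEGED_GROUPS:
            continue
        member = cn_from_dn(ev["member"])
        creation = created.get(member)
        if creation is None:
            continue            # pre-existing account; out of scope here
        age = ev["time"] - creation["time"]
        if timedelta(0) <= age <= window:
            findings.append({
                "account": member,
                "created_by": creation["subject"],
                "created_at": creation["time"].isoformat(),
                "group": ev["group"],
                "added_by": ev["subject"],
                "minutes_after_creation": age.total_seconds() / 60,
            })
    return findings


if __name__ == "__main__":
    for f in find_new_privileged_accounts(load_events(SAMPLE_EVENTS)):
        print(f"{f['account']} created by {f['created_by']} and added to "
              f"{f['group']} by {f['added_by']} {f['minutes_after_creation']:.1f} min later")
```

On the sample only itadm is reported: a.jones never enters a listed group, and t.nguyen’s promotion happens two days after creation, outside the window. The same correlation can be driven from a SIEM query; the point is to treat creation plus rapid promotion as one event, since either alone is routine in most domains.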

The advisory urges organizations to implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provides privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.

Lastly, the advisory calls upon organizations to disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally. 

Furthermore, organizations must maintain offline backups of data and regularly test backup and restoration. By instituting this practice, the organization helps ensure it will not be severely interrupted or left with irretrievable data. They must also ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

In February, the Health Sector Cybersecurity Coordination Center (HC3) in the U.S. Department of Health & Human Services (HHS) issued an analyst note on Akira ransomware, describing it as a relatively new ransomware gang that has demonstrated aggressive and capable targeting of the U.S. health sector in its short lifespan. It added that research suggests Akira hackers have connections to the now-defunct Conti ransomware gang, and that they are known to target the U.K., Canada, Australia, New Zealand, and other countries.
