US HC3 warns of aggressive targeting by Akira ransomware, possible connections to Conti hacker group

The Health Sector Cybersecurity Coordination Center (HC3) in the U.S. Department of Health & Human Services (HHS) issued on Wednesday an analyst note on the Akira ransomware, which is a relatively new ransomware gang that has demonstrated aggressive and capable targeting of the U.S. health sector in its short lifespan. It added that there is research suggesting that Akira hackers have connections to the now-defunct Conti ransomware gang, and are known to target the U.K., Canada, Australia, New Zealand, and other countries.

“Akira ransomware was first identified in May of 2023, and in less than a year, it has claimed at least 81 victims. It should not be confused with another ransomware variant known as Akira, which was briefly observed in 2017 but is believed to be unrelated to the most recent and active variant, which is the subject of this paper,” the HC3 identified. “There is research suggesting that Akira has connections to the now-defunct Conti ransomware gang. The technical details of this include similarities in their exploitation approach, the selection of certain types of files and directories for targeting, their choice of application for encryption algorithms, their use of ransom payment addresses, and the incorporation of comparable functions.” 

The agency added that while any formal relationship or connection between the two groups has not been confirmed, such a connection could indicate a degree of sophistication to Akira’s operations, and reinforce the idea that they are highly capable and should be considered a serious threat.

Last September, the HC3 issued a cautionary alert to the healthcare industry regarding the emergence of Akira, a ransomware-as-a-service (RaaS) group that commenced its activities in March. Since its discovery, the group has claimed over 60 victims, which have typically ranged in the small- to medium-size business scale.

The latest analyst note mentioned that there are technical indicators that the Akira ransomware gang might have some connection to the Conti ransomware gang. “Conti discontinued operations shortly after the Russian incursion into Ukraine in February of 2022, and the subsequent leaking of the Conti code, which was ostensibly prompted by infighting within the group caused by divided alliances related to the Russia-Ukraine war.” 

In addition to similarities between operational procedures and technical aspects of the ransomware code, an additional connection exists – financial infrastructure. 

“Cryptocurrency transactions are not completely anonymous. This is due to the fact that all of them – Bitcoin and the altcoins – all operate on a blockchain, which is a distributed, public digital ledger,” the HC3 detailed. “The public nature of blockchain makes transactions open to examination by the public. While certain technologies can make this more complicated, such as the use of privacy coins, mixers, or privacy wallets, a cryptocurrency transaction could not be conducted with 100% certainty of privacy. To some extent, attribution is almost always possible, even if exceptionally challenging in some cases,” it added.

Furthermore, in an examination of Akira’s known cryptocurrency wallet addresses, pattern analysis of the transactions allows for the discovery of additional wallet addresses, and in some cases, this effort has uncovered instances of certain wallets being reused between both Akira and Conti, the HC3 disclosed. 

“This potentially indicates that one or more individuals who were active members of Conti subsequently joined Akira after the dissolution of Conti,” the alert added. “This determination cannot be made definitively, but when considered along with previous technical overlaps between the two groups, the possibility of talent utilized across both groups becomes increasingly likely. This assessment is important in understanding the level of sophistication within the Akira group.” 

The HC3 pointed out that Akira's targeting and operations rely on many features common to RaaS groups: they focus on running the ransomware operation itself, but partner with other cybercriminals for individual attacks and share the extorted fees. “They also conduct double extortion; they steal sensitive data, deploy their ransomware, and then charge two fees. The first fee restores the encrypted systems, and the second fee ensures no leaks of stolen data. They are highly reliant on credential compromise as an infection vector, which provides them initial access into their target networks.”

Additionally, Akira also operates a leak site where they publicly post information on their victims. “Their targeting includes both Windows and Linux infrastructure, and while organizations in the United States are their focus, their targeting is global.”

Research indicates that geographically, while Akira is global in its targeting, its focus continues to be on the U.S. Their targeting within the U.S. has been focused on organizations in California, Texas, Illinois, and the East Coast, especially the Northeast. This appears to be due to the geographic locations of specific targets, rather than deliberately targeting these states. Akira’s most targeted industries include materials, manufacturing, goods and services, construction, education, finance, legal, and healthcare. 

The HC3 pointed out that open-source reporting and analysis consistently show the health sector being one of the top industries targeted by Akira. 

The analyst note called upon healthcare organizations to review domain controllers, servers, workstations, and Active Directory for new or unrecognized user accounts; to regularly back up data and keep air-gapped, password-protected backup copies offline; and to review Task Scheduler for unrecognized scheduled tasks. Additionally, it advises manually reviewing operating system-defined or system-recognized scheduled tasks for unrecognized ‘actions,’ and reviewing anti-virus logs for indications that protection was unexpectedly turned off.

It also recommends implementing network segmentation; requiring administrator credentials to install software; and implementing a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location. It also suggests installing updates and patches for operating systems, software, and firmware as soon as they are released; using multi-factor authentication where possible; regularly changing the passwords to network systems and accounts and avoiding reusing passwords for different accounts; and implementing the shortest acceptable timeframe for password changes.
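The review steps above (new or unrecognized accounts, unrecognized scheduled tasks or task actions, anti-virus unexpectedly disabled) are easier to repeat consistently when run as a baseline-and-diff check. The script below is an added example, not code from the HC3 note: it snapshots local (and, where the RSAT module is present, domain) account names and scheduled-task actions to a JSON baseline, then on later runs reports anything new or changed, and pulls Microsoft Defender operational events for real-time protection or scanning being disabled (event IDs 5001 and 5010 are assumed here to be the relevant Defender events; adjust for other anti-virus products). The baseline path and the seven-day lookback are assumptions chosen for the example.

```powershell
# Added example (not from the HC3 analyst note): baseline-and-diff hunting checks
# for new accounts, new or altered scheduled tasks, and anti-virus being switched off.
param(
    [string]$BaselinePath = "$env:ProgramData\hunt-baseline.json",  # assumed location
    [switch]$WriteBaseline,
    [int]$LookbackDays = 7                                           # assumed window
)

function Get-HuntSnapshot {
    # Account names: local users always; domain users when the AD module is available
    $users = @(Get-LocalUser | ForEach-Object { $_.Name })
    if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
        $users += @(Get-ADUser -Filter * | ForEach-Object { $_.SamAccountName })
    }
    # Scheduled tasks keyed by full path, with what each task actually executes
    $tasks = Get-ScheduledTask | ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
        [pscustomobject]@{ Path = "$($_.TaskPath)$($_.TaskName)"; Action = $actions }
    }
    [pscustomobject]@{ Users = $users; Tasks = @($tasks) }
}

if ($WriteBaseline) {
    # First run on a known-good host: record the reference state
    Get-HuntSnapshot | ConvertTo-Json -Depth 5 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$current  = Get-HuntSnapshot

# 1. Accounts that did not exist when the baseline was taken
$newUsers = $current.Users | Where-Object { $_ -notin $baseline.Users }

# 2. Scheduled tasks that are new, or whose action (the command it runs) changed
$baseTasks = @{}
foreach ($t in $baseline.Tasks) { $baseTasks[$t.Path] = $t.Action }
$taskFindings = foreach ($t in $current.Tasks) {
    if (-not $baseTasks.ContainsKey($t.Path)) {
        "NEW TASK: $($t.Path) -> $($t.Action)"
    } elseif ($baseTasks[$t.Path] -ne $t.Action) {
        "CHANGED ACTION: $($t.Path) -> $($t.Action)"
    }
}

# 3. Defender events: real-time protection (5001) or scanning (5010) disabled
$avEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5010
    StartTime = (Get-Date).AddDays(-$LookbackDays)
} -ErrorAction SilentlyContinue

"=== New user accounts since baseline ==="
$newUsers
"=== Scheduled task findings ==="
$taskFindings
"=== Anti-virus disabled events (last $LookbackDays days) ==="
$avEvents | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize
```

Run it once with `-WriteBaseline` on a host believed clean, then periodically without the switch; every line it prints is something to confirm against change records rather than an automatic indicator of compromise, since legitimate administration also creates accounts and tasks.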

In its conclusion, the HC3 said that the Akira ransomware gang, despite having only operated for a short period, has proved to be a significant threat to the U.S. public and private health sectors. It added that it will be important for any healthcare organization that wishes to stay secure in cyberspace to keep up with Akira’s latest tactics, techniques and procedures (TTPs). “HC3 will continue to release products as appropriate on a number of cybercriminal threats, including Akira, but it is critical for healthcare organizations to continuously monitor open-source reporting on Akira and consider any commercial threat intelligence support to augment public information as appropriate.”

Last month, the HC3 issued a sector alert addressing the possible threat of unauthorized access to HPH (healthcare and public health) organizations from remote access tools. The alert warned that the ScreenConnect tool could be adversely affected or targeted by threat actors. The impact of potential unauthorized access on both federal and private industry victims, many of whom rely on this tool, would be a concerning development for the healthcare sector.
