HC3 warns of Akira ransomware group striking with retro-themed tactics, targets Cisco VPNs

The U.S. Department of Health & Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a cautionary alert to the healthcare industry regarding the emergence of Akira, a Ransomware-as-a-Service (RaaS) group that commenced its activities in March. Since its discovery, the group has claimed over 60 victims, which have typically ranged in the small- to medium-size business scale. 

“Akira has garnered attention for a couple of reasons, such as their retro 1980s-themed website and the considerable demands for ransom payments ranging from $200,000 to $4 million,” the HC3 said in its sector alert last week. “Akira has been observed obtaining initial malware delivery through several methods, such as leveraging compromised credentials and exploiting weaknesses in virtual private networks (VPN), typically where multi-factor authentication (MFA) is not being used.” 

HC3 added that, like many ransomware groups, Akira employs the double-extortion technique against its victims by exfiltrating data prior to encryption. “It is also believed that the group may contain some affiliation with Conti due to observed overlap in their code and cryptocurrency wallets. The group has targeted multiple sectors, including finance, real estate, manufacturing, and healthcare.”

The HC3 disclosed that, as of August 22, 2023, reports showed Akira had started to target Cisco VPN products to gain access to corporate networks, reportedly on those that do not have MFA enabled.

Researchers from SentinelOne have also observed newer tactics, techniques, and procedures (TTPs) from the ransomware gang, such as SQL database manipulation, disabling firewalls, and disabling LSA protection, the alert added. “Additionally, the group has used RustDesk, a legitimate remote access tool. Since RustDesk is a legitimate tool, it is less likely to trigger any alarms for defenders, all while allowing attackers to maintain remote access.”

The alert said that the Akira ransomware targets Windows and Linux systems. In 2017, another ransomware named Akira was observed, but the two are not considered to be associated. Notably, the HC3 noted that security researchers have observed that the Akira ransomware has some similarities with the disbanded Conti ransomware group. “This was a result of some identified code overlap and the implementation of ChaCha 2008, as well as the code for key generation, both of which resemble the one used by Conti. The list of directory exclusions that it avoids encrypting, including winnt and Trend Micro, are also the same in both ransomware strains,” it added.

In a pattern analysis of cryptocurrency wallets, researchers were able to identify overlap in the wallets between Akira and Conti. In two of these transactions, the wallets had previously been affiliated with Conti’s leadership team.

“Akira has obtained many of its initial compromises by leveraging compromised credentials. Additionally, many of the targeted organizations did not have multi-factor authentication (MFA) enabled on their virtual private networks (VPN),” the HC3 alerted.

“It is unknown how the credentials were originally obtained, but it is possible that they were purchased from the dark web. Additional distribution methods have included phishing emails, malicious websites, drive-by download attacks, and trojans. Once infected, the malware will launch PowerShell to remove shadow volume copies, and once encryption is complete, the file’s extension will be reassigned with the ‘[dot]akira’ extension.” 

The attackers also attempt lateral movement and privilege escalation through LSASS credential dumps. “Before encryption, the ransomware group exfiltrates the victim’s data to employ the double-extortion tactic on their victims. If the ransom is not paid, the group threatens to release the sensitive information to the public. The group also offers victims a lower-cost option to not pay for a decryptor and to not have the especially sensitive information published,” they added.
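A defender-side illustration of the TTPs described above (PowerShell-driven shadow copy removal, LSA protection being disabled, RustDesk use, and the ‘.akira’ extension): the following is an added example, not part of the HC3 alert or SentinelOne's research. It runs toy detection rules over constructed log lines in an assumed `key=value` format; the field names, host names, paths and the per-host threshold are assumptions to be mapped onto real telemetry.

```python
"""Toy detection rules for the Akira TTPs named in the HC3 alert (added
example, not the alert's own content). The log format, field names and
sample lines below are constructed for illustration only."""
import re

# (rule name, pattern over a whole log line). Patterns are assumptions
# about how these events show up in a key=value process/registry/file log.
RULES = [
    ("shadow_copy_deletion",   # PowerShell used to remove volume shadow copies
     re.compile(r"image=\S*powershell\.exe(?=.*shadow.?cop)(?=.*(?:delet|remov))", re.I)),
    ("lsa_protection_disabled",  # RunAsPPL set to 0 turns LSA protection off
     re.compile(r"event=registry_set.*\\Lsa\\RunAsPPL\b.*value=0x?0*\b", re.I)),
    ("rustdesk_execution",     # legitimate remote access tool, abused for persistence
     re.compile(r"image=\S*rustdesk[^\\\s]*\.exe", re.I)),
    ("akira_extension_rename",  # encrypted files get the .akira extension
     re.compile(r"event=file_rename.*target=\S+\.akira\b", re.I)),
]

SAMPLE_LOGS = [  # constructed sample telemetry, not real events
    r'host=FS01 event=process_create image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -c <delete shadow copies>"',
    r'host=FS01 event=registry_set key=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL value=0',
    r'host=FS01 event=process_create image=C:\Users\svc\Downloads\rustdesk-1.2.3.exe cmdline="rustdesk-1.2.3.exe"',
    r'host=FS01 event=file_rename source=D:\share\finance\q2.xlsx target=D:\share\finance\q2.xlsx.akira',
    r'host=WS07 event=process_create image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"',
    r'host=WS07 event=registry_set key=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL value=1',
]


def scan(lines):
    """Return (rule_name, line) for every line that trips a rule."""
    return [(name, line) for line in lines for name, pat in RULES if pat.search(line)]


def triage(lines, threshold=2):
    """Group hits per host and flag hosts where at least `threshold` distinct
    TTPs fired: one rule alone (an admin clearing old shadow copies, a support
    tech using RustDesk) is noise, several together look like an intrusion."""
    per_host = {}
    for name, line in scan(lines):
        m = re.search(r"host=(\S+)", line)
        per_host.setdefault(m.group(1) if m else "unknown", set()).add(name)
    return {h: (sorted(r), len(r) >= threshold) for h, r in per_host.items()}


if __name__ == "__main__":
    for host, (rules, alert) in triage(SAMPLE_LOGS).items():
        print(host, "ALERT" if alert else "info", rules)
```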

Additionally, the HC3 observed that while the ransom note is written in English, it contains several grammatical errors. “The note instructs the victims to contact them via their TOR site, where each victim is given a unique login password for conducting negotiations. The ransom note also offers organizations a full security report from Akira, which claims to release an audit of the victim’s network and the vulnerabilities that the group was able to exploit.”

The Akira ransomware has been delivered through several methods, and HC3 encourages healthcare organizations to implement a strong password policy, educate and train users, enable multi-factor authentication, and update and patch systems regularly. Furthermore, it is imperative to enforce account lockout policies as a safeguard against brute force attacks, establish a robust recovery and incident response strategy, and institute network segmentation measures.

Last month, the HC3 alerted the healthcare sector to the presence of Rhysida, a new RaaS group that emerged in May this year. The group delivers its eponymous ransomware via phishing attacks and uses Cobalt Strike to breach targets’ networks and deploy its payloads, then threatens victims in a ransom note with public distribution of the exfiltrated data if the ransom is not paid, bringing it in line with modern-day double-extortion groups.
