Since early 2023, Akira ransomware has victimized over 250 organizations globally and collected over $42 million in ransom payments, according to CISA, the FBI, Europol, and NCSC-NL. Targeting a wide range of sectors, including critical infrastructure and finance, Akira initially focused on Windows systems but later expanded to infect VMware ESXi virtual machines. The operators gained initial access by exploiting VPN services lacking multi-factor authentication and known vulnerabilities in Cisco products, as well as through RDP and spear-phishing. They established persistence by creating new domain accounts and disabled security software to enable lateral movement, using a variety of tools for data exfiltration and command-and-control (C&C) communication. The attackers threaten to publish exfiltrated data on the Tor network and demand ransom payments in Bitcoin, directing victims to contact them through Tor-based sites. The advisory provides indicators of compromise (IoCs) and mitigation recommendations for network defenders.
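Two of the behaviours summarized above, new domain accounts created for persistence and security software disabled ahead of lateral movement, are visible in standard Windows telemetry. The following is an added example, not code from the advisory or the agencies that published it: a small correlation check that links account-creation events (Security event 4720), rapid privilege assignment (4728) and Microsoft Defender real-time protection being turned off (Defender operational event 5001) when the newly created account is the one doing it. The event records, the simplified field names (host, event_id, time, subject, target) and the time windows are constructed assumptions for this example, not a real log format or a tuned threshold.

```python
"""Added example, not part of the original advisory or article.

Correlates Windows event records to flag an account that is created and
then, within a short window, either gets privileged group membership or
disables real-time antivirus protection. All event data is constructed.
"""
from datetime import datetime, timedelta

# Real Windows event IDs; everything else in this file is constructed.
ACCOUNT_CREATED = 4720          # Security log: a user account was created
ADDED_TO_GLOBAL_GROUP = 4728    # Security log: member added to a security-enabled global group
DEFENDER_RTP_DISABLED = 5001    # Microsoft-Windows-Windows Defender/Operational: real-time protection disabled

# Constructed sample events. Field names are assumptions for this example;
# "subject" is the account performing the action, "target" the account acted on.
SAMPLE_EVENTS = [
    {"host": "DC01", "event_id": 4624, "time": "2024-03-01T09:00:00", "subject": "svc_backup", "target": ""},
    {"host": "DC01", "event_id": 4720, "time": "2024-03-01T09:05:00", "subject": "svc_backup", "target": "itadmin2"},
    {"host": "DC01", "event_id": 4728, "time": "2024-03-01T09:06:00", "subject": "svc_backup", "target": "itadmin2"},
    {"host": "FS02", "event_id": 5001, "time": "2024-03-01T09:20:00", "subject": "itadmin2", "target": ""},
    # Benign-looking activity: an account created days earlier, then used much later.
    {"host": "HR07", "event_id": 4720, "time": "2024-02-20T14:00:00", "subject": "helpdesk", "target": "newhire"},
    {"host": "HR07", "event_id": 5001, "time": "2024-03-02T10:00:00", "subject": "newhire", "target": ""},
    # Protection disabled by an account that was never created in this data set.
    {"host": "WS11", "event_id": 5001, "time": "2024-03-01T11:00:00", "subject": "helpdesk", "target": ""},
]


def _ts(event):
    """Parse the ISO-8601 timestamp of a record."""
    return datetime.fromisoformat(event["time"])


def new_accounts(events):
    """Map each newly created account name to its 4720 creation event."""
    return {e["target"]: e for e in events if e["event_id"] == ACCOUNT_CREATED}


def _within(later, earlier, window):
    """True if `later` happened after `earlier` and no more than `window` later."""
    delta = _ts(later) - _ts(earlier)
    return timedelta(0) <= delta <= window


def quickly_privileged(events, window=timedelta(hours=1)):
    """Accounts added to a global group within `window` of being created."""
    created = new_accounts(events)
    hits = []
    for e in events:
        if e["event_id"] != ADDED_TO_GLOBAL_GROUP:
            continue
        c = created.get(e["target"])
        if c and _within(e, c, window):
            hits.append(e["target"])
    return hits


def new_account_disabled_protection(events, window=timedelta(hours=2)):
    """Alerts where a recently created account disabled real-time protection on any host."""
    created = new_accounts(events)
    alerts = []
    for e in events:
        if e["event_id"] != DEFENDER_RTP_DISABLED:
            continue
        c = created.get(e["subject"])
        if c and _within(e, c, window):
            alerts.append({
                "account": e["subject"],
                "created_on": c["host"],
                "created_at": c["time"],
                "protection_disabled_on": e["host"],
                "disabled_at": e["time"],
            })
    return alerts


if __name__ == "__main__":
    print("created then privileged within 1h:", quickly_privileged(SAMPLE_EVENTS))
    for a in new_account_disabled_protection(SAMPLE_EVENTS):
        print("ALERT new account disabled protection:", a)
```

The window sizes are deliberately loose; in production you would tune them against your own account-provisioning baseline, and you would also want the events 4720 and 5001 to come from a forwarded, tamper-evident log store, since an operator who can disable protection can usually also clear the local log.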
Read more: https://www.securityweek.com/akira-ransomware-made-over-42-million-in-one-year-agencies/