The FBI, in collaboration with CISA, Europol's European Cybercrime Centre (EC3), and the Netherlands NCSC, has issued a stark warning regarding the Akira ransomware gang, which had amassed a staggering $42 million from approximately 230 companies as of January 24th, 2024.

The Akira criminal syndicate, first observed in February 2023, has shifted its attention to VMware virtual machines, deploying Linux encryptors against the operating systems that host them.

Law enforcement officials report that the Akira operatives consistently demand ransom payments ranging from $200,000 to millions of dollars, tailored to the scale of the targeted organizations. Typically, these demands are made in Bitcoin (BTC), with occasional requests for the more anonymous Monero currency.

Prominent victims of Akira’s extortion tactics include Nissan Oceania and Stanford University, with a significant portion of small and medium-sized businesses falling prey across Australia, North America, and Europe.

Sophos X-Ops highlights Akira's modus operandi: the group gains its initial foothold in corporate networks by logging in to VPNs with stolen credentials. Where the VPN itself is vulnerable, they instead exploit weaknesses in the VPN products, such as Cisco AnyConnect and Cisco ASA SSL VPN.

Network administrators are strongly advised to swiftly address vulnerabilities through patching and prioritize the implementation of multi-factor authentication and robust password protocols across all web services, including VPNs and webmail.

Furthermore, monitoring and blocking command-and-control (C2) channels, over which attackers not only exfiltrate or transmit data but also issue commands to compromised hosts, is paramount. Endpoint protection and hardening of Remote Desktop Protocol (RDP) access are also recommended in fortifying defenses against such threat actors.
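The guidance above boils down to two things a defender can check in VPN authentication logs: whether successful logins are actually backed by MFA, and whether a success follows a burst of failures from the same source, which is consistent with stolen or guessed credentials. The following is an added example, not code from the article, the FBI advisory or Sophos; the log line format, the user names and the IP addresses are all constructed for illustration and do not mimic any vendor's real syslog output.

```python
"""Flag risky VPN logins in constructed sample log lines.

Added example, not from the original article. The log format below is an
invented, simplified one (not Cisco ASA/AnyConnect syslog). It demonstrates
two checks a defender would want after the advice above: successful VPN
logins that skipped MFA, and a burst of failed logins from one source
followed by a success from that source.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format):
# <ISO timestamp> vpn-login user=<name> src=<ip> result=<success|fail> mfa=<yes|no>
SAMPLE_LOG = """\
2024-03-01T08:00:01Z vpn-login user=alice src=203.0.113.10 result=success mfa=yes
2024-03-01T08:05:12Z vpn-login user=bob src=198.51.100.7 result=fail mfa=no
2024-03-01T08:05:20Z vpn-login user=bob src=198.51.100.7 result=fail mfa=no
2024-03-01T08:05:31Z vpn-login user=bob src=198.51.100.7 result=fail mfa=no
2024-03-01T08:05:40Z vpn-login user=bob src=198.51.100.7 result=fail mfa=no
2024-03-01T08:05:52Z vpn-login user=bob src=198.51.100.7 result=success mfa=no
2024-03-01T09:10:00Z vpn-login user=carol src=192.0.2.55 result=success mfa=no
2024-03-01T09:30:00Z vpn-login user=dave src=203.0.113.99 result=fail mfa=no
2024-03-01T11:00:00Z vpn-login user=dave src=203.0.113.99 result=success mfa=yes
"""


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    success: bool
    mfa: bool


def parse_line(line: str) -> Event:
    """Parse one line of the constructed format into an Event."""
    ts_str, _, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return Event(
        ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        user=fields["user"],
        src=fields["src"],
        success=fields["result"] == "success",
        mfa=fields["mfa"] == "yes",
    )


def find_risky_logins(log_text: str, fail_threshold: int = 3,
                      window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Return findings a defender should review, in log order.

    - "fail_burst_then_success": at least `fail_threshold` failures from the
      same source within `window` before a successful login from that source.
    - "no_mfa": a successful login where MFA was not used.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e.ts)
    recent_fails: dict[str, list[datetime]] = defaultdict(list)
    findings: list[dict] = []
    for ev in events:
        if not ev.success:
            recent_fails[ev.src].append(ev.ts)
            continue
        # Only failures inside the look-back window count toward a burst.
        fails = [t for t in recent_fails[ev.src] if ev.ts - t <= window]
        recent_fails[ev.src] = []  # a success resets the counter for this source
        if len(fails) >= fail_threshold:
            findings.append({"type": "fail_burst_then_success", "user": ev.user,
                             "src": ev.src, "failures": len(fails)})
        if not ev.mfa:
            findings.append({"type": "no_mfa", "user": ev.user, "src": ev.src})
    return findings


if __name__ == "__main__":
    for finding in find_risky_logins(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, bob's four failures followed by a non-MFA success produce both finding types, carol's login is flagged for missing MFA only, and dave's single failure 90 minutes before an MFA-backed success is ignored because it falls outside the ten-minute window. Thresholds and window are parameters so they can be tuned to a real environment's baseline.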

With Bitcoin's value soaring past the $64,000 USD threshold, acquiring cryptocurrency for ransom payments is itself a significant challenge. Instead, organizations are encouraged to invest in robust backup solutions integrated with cloud infrastructure and to rely on vigilant threat monitoring to detect and mitigate ransomware proactively.

The post FBI says Akira Ransomware group raked $42 million appeared first on Cybersecurity Insiders.

Following the takedown of the LockBit ransomware group's website in 'Operation Cronos' by law enforcement agencies, there has been a notable surge in the activity of the Akira ransomware group in recent weeks. This rise has been particularly pronounced since the day the LockBit operation was disrupted.

According to cybersecurity firm Redsense, its security researchers have observed a significant increase in Akira ransomware attacks following the disruption of LockBit. Akira, believed to be a derivative of the now-defunct Conti group, has bolstered its operational capabilities by introducing a dedicated customer support service since February of this year.

Moreover, the Akira group has expanded its expertise by recruiting Research and Development professionals formerly associated with the Ryuk Ransomware group. These new team members have introduced innovations such as data-wiping capabilities and the ability to exfiltrate data to remote servers, leveraging terminology commonly used in military and defense sectors.

Yelisey Bohuslavsky, co-founder of Redsense, shared these insights on his LinkedIn profile, highlighting Akira’s efforts to recruit penetration testers from the Conti ransomware group. Additionally, there are reports of Akira planning a large-scale malware attack campaign targeting healthcare organizations worldwide, with an initial focus on the United States.

In parallel, Mikhail Vasiliev, a Russian-Canadian hacker arrested in November 2022 for his involvement in the spread of LockBit ransomware, has been convicted. The Ontario Court has sentenced Vasiliev to four years in prison and imposed an $800,000 fine as restitution to be distributed among Canadian victims.

Justice Michelle Fuerst has labeled Vasiliev a cyber terrorist and indicated the possibility of his extradition to the United States in upcoming hearings.

The post LockBit takedown surges Akira Ransomware Attacks appeared first on Cybersecurity Insiders.

CloudNordic, a Denmark-based cloud service provider, has issued a public statement confirming a ransomware attack that led to the complete deletion of customer data from its servers. Despite its efforts, the company was unable to prevent the removal of the stored information, which had initially been encrypted on August 18, 2023.

The company is diligently working on the process of restoring the lost data using backup solutions. However, the prospects of successful data recovery appear to be extremely slim, as the ransomware attack had also infiltrated the primary and secondary backup servers. Coinciding with this attack, another Danish firm named AzeroCloud fell victim to the same ransomware group. Yet, specific details regarding the extent of damage inflicted upon AzeroCloud remain undisclosed at this time.

In a separate incident, the University of Minnesota disclosed that unauthorized access to its servers took place on July 21, 2023. Disturbingly, reports indicate that the hackers behind this breach managed to acquire sensitive data associated with over 7 million social security numbers, data that had been amassed since the 1980s.

In a distinct development, the recently identified Akira ransomware group has embarked on a new campaign targeting organizations through Cisco VPN products. Having gained notoriety for encrypting VMware ESXi virtual machines back in March 2023, the Akira group has escalated its activities to now encompass Cisco VPNs. The modus operandi entails the deployment of backdoor mechanisms into various corporate networks. The full extent of the impact remains under investigation and is expected to be disclosed shortly.

Furthermore, Singing River Health System has fallen prey to a ransomware attack. Although an official confirmation is still pending, the healthcare service provider has reported suspicious external access to its computer network, potentially indicating an intrusion by a ransomware-type malware. The incident is currently being probed by the hospital’s IT personnel, who have assured the public that more comprehensive details will be disclosed in the upcoming week.

Amid these cyber threats, St. Helens Council, one of England’s oldest counties, has been thrust into the spotlight due to a suspected ransomware attack. Preliminary assessments indicate that the attack had a limited impact on certain internal systems of the council, with the website services continuing to operate normally.

In response to the evolving threat landscape, the council has taken proactive measures by establishing a dedicated sub-domain on its website. This sub-domain serves as a resource to educate individuals about the dangers of falling victim to phishing attacks. For more information, interested individuals can visit www.sthelens.gov.uk/watchoutforscams.

The post Headlines about ransomware making waves on Google’s trending news appeared first on Cybersecurity Insiders.