The Register: Akira ransomware is encrypting victims again following pure extortion fling

Source URL: https://www.theregister.com/2024/10/22/akira_encrypting_again/
Source: The Register
Title: Akira ransomware is encrypting victims again following pure extortion fling

Feedly Summary: Crooks revert to old ways for greater efficiency
Experts believe the Akira ransomware operation is up to its old tricks again, encrypting victims’ files after a break from the typical double extortion tactics.…

AI Summary and Description: Yes

Summary: The article discusses the resurgence of the Akira ransomware operation, which has reverted from its recent tactics back to traditional file encryption methods. Security researchers from Cisco Talos note that this change is indicative of a tactical shift aimed at enhancing operational efficiency and stability. The article highlights Akira’s evolving methods, the significance of its programming choices, and the critical vulnerabilities it exploits to launch attacks.

Detailed Description:

– **Akira Ransomware’s Tactical Shift**:
  – Researchers observed a return to file encryption tactics by the Akira ransomware group, moving away from their double extortion methods.
  – This is perceived as a strategy to improve operational stability and efficiency within their affiliate program.

– **Evolution of Payloads**:
  – Originally deployed a C++ encryptor for Windows and later a Rust-based version for Linux.
  – Recent updates suggest a possible return to earlier C++ samples, demonstrating a deliberate consolidation of tools while retaining adaptability.

– **Programming Language Exploration**:
  – The use of Rust in recent Linux encryptors indicates a willingness to experiment with new languages and toolchains, which may produce more robust ransomware variants.
  – This adaptability helps the group keep its tooling resilient and harder to detect.

– **Expected Targets**:
  – The group is likely to continue exploiting vulnerabilities in ESXi and Linux systems to maximize disruption, affecting multiple virtual machines simultaneously.

– **Statistical Impact**:
  – According to Microsoft, Akira is recorded as one of the most prolific ransomware groups, accounting for 17% of all attacks in the past year.
  – The group’s growth has been partly fueled by acquiring talent from disrupted rival groups such as LockBit and ALPHV/BlackCat.

– **Vulnerability Exploitation**:
  – Akira is known to target a range of vulnerabilities, including the critical SonicWall CVE-2024-40766 and older bugs, emphasizing the importance for organizations to patch known issues promptly.

– **Initial Access Techniques**:
  – Common methods for gaining initial access include using compromised VPN credentials, social engineering attacks (phishing), and leveraging newly discovered CVEs to penetrate networks.

– **Threat to Organizations**:
  – A significant percentage (92%) of ransomware incidents involving encryption were associated with unmanaged devices on corporate networks, posing a severe risk especially for industries such as manufacturing and technical services.

For security and compliance professionals, the analysis of the Akira ransomware operation underscores the necessity of proactive vulnerability management, awareness of evolving threat actor techniques, and the importance of managing devices connected to corporate networks to minimize risks from ransomware attacks. Implementing robust detection and response strategies alongside employee training on social engineering tactics will be vital in countering threats posed by sophisticated ransomware operations like Akira.