The Evolution of Akira Ransomware: Linux Systems Targeted with New TTPs

The Sophisticated Evolution of Akira Ransomware: Analysis and Countermeasures

The Rise of Akira Ransomware

Akira ransomware has emerged as a highly sophisticated threat, evolving since its initial appearance in March. Initially targeting Windows systems, it has expanded its reach to include Linux servers, demonstrating a growing arsenal of tactics, techniques, and procedures (TTPs). A recent report by LogPoint provides an in-depth analysis of this ransomware, which encrypts victim files, deletes shadow copies, and demands ransom payment for data recovery.

Exploiting Vulnerabilities and Targeting Victims

Akira’s infection chain primarily targets Cisco ASA VPNs that lack multifactor authentication, exploiting the CVE-2023-20269 vulnerability as an entry point. As of early September, the group had successfully targeted 110 victims, focusing on organizations in the US and the UK. High-profile victims include British quality-assurance company Intertek, as well as organizations in manufacturing, professional services, and the automotive industry. Educational institutions have been disproportionately targeted, with eight out of 36 observed victims being educational organizations, according to GuidePoint Security’s GRI report.

Double-Extortion Method and Exploitation Techniques

Akira ransomware employs a double-extortion method by stealing personal data, encrypting it, and demanding a ransom. If victims refuse to pay, the group threatens to release the compromised data on the Dark Web. To carry out their attacks, Akira utilizes various malware samples, each executing specific steps such as shadow copy deletion, file search, enumeration, and encryption. The group employs tools like AnyDesk, RustDesk, WinRAR, and PC Hunter to aid in lateral movement through breached systems. They can also disable real-time monitoring to evade detection by Windows Defender and use PowerShell to delete shadow copies. Ransom notes with payment instructions and decryption assistance are dropped across the victim’s system.

Concerning Tactics and Strategies

Anish Bogati, a security research engineer at LogPoint, highlights Akira’s use of Windows internal binaries (living-off-the-land binaries and scripts, or LOLBAS) as its most worrisome TTP. Because these built-in binaries are typically not monitored by endpoint protection, they give adversaries an effective means to retrieve credentials, evade defense mechanisms, facilitate lateral movement, and delete backups and shadow copies. Bogati emphasizes that the ability to create a task configuration without manual intervention is a notable aspect of Akira’s strategy.
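As an added illustration (not from LogPoint’s report or this article), the Python sketch below shows how a defender could turn the TTPs described above into a correlated detection over process-creation logs: PowerShell shadow-copy deletion, Defender real-time monitoring being switched off, and unattended task creation. The event lines, host names, user names and the 30-minute window are constructed assumptions, and reading the “task configuration” remark as scheduled-task creation via schtasks is also an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon EID 1 / Security 4688 style), reduced to
# the fields the rules need. Hosts, users and paths are made up for this example.
SAMPLE_EVENTS = [
    {"ts": "2023-09-05T10:14:02", "host": "fs01", "user": "CORP\\svc_backup",
     "cmdline": "powershell.exe -Command Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"},
    {"ts": "2023-09-05T10:16:40", "host": "fs01", "user": "CORP\\svc_backup",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2023-09-05T11:02:11", "host": "ws07", "user": "CORP\\jdoe",
     "cmdline": "schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\svc.exe /sc onlogon"},
    {"ts": "2023-09-05T11:05:00", "host": "ws07", "user": "CORP\\jdoe",
     "cmdline": "EXCEL.EXE C:\\Users\\jdoe\\Documents\\report.xlsx"},
]

# Each rule maps one TTP named in the article to a command-line pattern. Matching is
# case-insensitive because PowerShell cmdlets and switches are.
RULES = [
    ("shadow_copy_deletion", re.compile(r"win32_shadowcopy.*remove-wmiobject", re.I)),
    ("defender_realtime_disabled",
     re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+\$?true", re.I)),
    ("scheduled_task_created", re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
]

def match_events(events, rules=RULES):
    """Return (rule_name, event) pairs for every rule that fires on an event."""
    hits = []
    for ev in events:
        for name, pattern in rules:
            if pattern.search(ev["cmdline"]):
                hits.append((name, ev))
    return hits

def flag_hosts(events, window=timedelta(minutes=30)):
    """Escalate a host only when two or more distinct rules fire on it inside the window.
    A lone scheduled-task creation is routine admin work; backup destruction followed by
    defence tampering in quick succession is the precursor pattern worth paging on."""
    by_host = defaultdict(list)
    for name, ev in match_events(events):
        by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), name))
    flagged = {}
    for host, seq in by_host.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            names = {n for t, n in seq[i:] if t - t0 <= window}
            if len(names) >= 2:
                flagged[host] = sorted(names)
                break
    return flagged
```

Run against the sample, `flag_hosts` escalates only fs01, where both the shadow-copy deletion and the Defender change fall inside the window; the single schtasks call on ws07 stays a low-severity hit.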

Countermeasures and Recommendations

Given the evolving nature and adaptability of Akira ransomware, organizations must implement robust countermeasures to protect against this threat. Bogati provides recommendations based on LogPoint’s analysis.

Implement Multifactor Authentication and Limit Permissions

Multifactor authentication (MFA) is crucial in preventing brute-forcing of credentials and unauthorized access. Organizations should enforce MFA on all relevant systems and limit permissions to minimize the attack surface for adversaries.

Keep Software and Systems Updated

Adversaries constantly exploit newly discovered vulnerabilities; therefore, staying vigilant with software and system updates is essential to proactively address security weaknesses and maintain a strong defense against Akira and similar threats.

Audit Privileged Accounts and Conduct Security Awareness Training

Regularly auditing privileged accounts helps organizations identify potential vulnerabilities and strengthen access controls. Additionally, providing comprehensive security awareness training to employees helps mitigate the risk of falling victim to social engineering tactics employed by ransomware actors.

Implement Network Segmentation

Network segmentation is crucial to isolate critical systems and sensitive data, reducing the risk of breaches and limiting lateral movement by attackers. By compartmentalizing networks, organizations can minimize the potential impact of a ransomware attack.

Block Unauthorized Tunneling and Remote Access Tools

Akira ransomware leverages various tunneling and remote access tools to covertly access compromised networks. Organizations should consider blocking unauthorized tools such as Cloudflare Zero Trust, ZeroTier, and Tailscale to mitigate this risk.

The Shifting Landscape of Ransomware

Akira ransomware, named after a Japanese anime cult classic, has quickly established itself as a formidable cybercriminal force, primarily targeting Windows systems. However, it has recently expanded its focus to Linux enterprise environments, joining other established ransomware groups like Cl0p, Royal, and IceFire. The ransomware landscape has witnessed the emergence of smaller groups and new tactics, while established gangs like LockBit have seen diminished victim counts. Newer ransomware groups, including 8Base, Malas, Rancoz, and BlackSuit, bring their own distinct characteristics and targeting strategies.

The Growing Threat of Akira

Akira’s extensive victim count indicates its potential to become one of the most active threat actors in the ransomware landscape. With the group continuously developing multiple malware variants with varying capabilities, they are likely to exploit unpatched systems and seize every opportunity for attack. Organizations must remain diligent in implementing robust security measures to protect against Akira and similar evolving threats.

<< photo by Petter Lagson >>