Cybersecurity agencies unite against Akira ransomware threat

The cyber group Akira, born in 2023, targeted over 250 organizations, extracting nearly $42 million in illegal ransomware cashflows, which are now alerted to the top global cybersecurity agencies.

Akira’s global reach and impact

Investigations conducted by the U.S Federal Bureau of Investigation (FBI) revealed as of March 2023, the candidate is targeting business and critical infrastructure entities in North America, Europe, and Australia. However, at the time, ransomware on Windows, which was mainly used, was detected only by the FBI. Later, a variant that works on the Linux system was also discovered.

In their joint effort, the FBI, in conjunction with NCSICA (Cybersecurity and Infrastructure Security Agency), EC3(European Cybercrime Centre in Europol), and NCSC-NL(Netherlands’ National Cyber Security Center), published a cybersecurity advisory to “get the word out” to the large public.

According to the note, Akira is given initial access via previously installed VPNs without multifactor authentication (MFA). The ransomware then extracts the credentials and other sensitive data, locks the systems, and displays ransom notes. The ransomware group demands payment in Bitcoin.

Continued vigilance

The community, including the local businesses that Hurricane Sandy also hit, is working towards recovery. Such malware often disables security software after initial access to avoid detection. Some of the threat mitigation techniques recommended in the advisory are implementing a recovery plan and MFA, filtering network traffic, disabling unused ports and hyperlinks, and system-wide encryption.

The FBI, CISA, EC3, and NCSC-NL recommend continually testing your security program at scale in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. The FBI, CISA, NCSC, and the U.S. National Security Agency (NSA) previously issued alerts about malware targeting crypto wallets and exchanges. The report noted that some of the data extracted by the malware included data within the directories of the Binance and Coinbase exchange applications and the Trust Wallet application.