AKIRA RANSOMWARE - SCI & TECH

News: What is the Akira ransomware, and why has the government issued a warning against it?

 

What's in the news?

       The Computer Emergency Response Team of India issued an alert for ransomware dubbed “Akira.”

 

Key takeaways:

       The ransomware, which targets both Windows and Linux devices, steals and then encrypts data, forcing victims to pay a double ransom for decryption and recovery.

       The group behind the ransomware has already hit multiple victims, mainly in the U.S., and runs an active Akira leak site that lists its most recent data leaks.

 

Akira Ransomware:

       The Akira ransomware is designed to encrypt data, drop a ransom note and delete Windows Shadow Volume copies on affected devices.

       The ransomware gets its name from the “.akira” extension it appends to the filename of every file it encrypts.

 

Threats:

       The ransomware is designed to close processes or shut down Windows services that may keep it from encrypting files on the affected system.

       It abuses VPN services, particularly where users have not enabled two-factor authentication, to trick users into downloading malicious files.

       Once the ransomware infects a device and steals/encrypts sensitive data, the group behind the attack extorts the victims into paying a ransom, threatening to release the data on their dark web blog if their demands are not met.

 

Spreads through:

       The ransomware is typically spread through spear-phishing emails carrying malicious attachments packaged as archive (zip/rar) files.

       Other infection methods include drive-by downloads, in which malicious code is downloaded onto a device without the user intending it, and specially crafted web links in emails that download malicious code when clicked.

       The ransomware reportedly also spreads through insecure Remote Desktop connections.

 

Who does Akira ransomware target?

       In use since March 2023, the ransomware has steadily built up a list of victims, targeting corporate networks in various domains including education, finance, real estate, manufacturing, and consulting. Once it breaches a corporate network, the ransomware spreads laterally to other devices after gaining Windows domain admin credentials.

       The threat actors also steal sensitive corporate data for leverage in their extortion attempts.

 

What can users do to protect against Akira attacks?

       Maintain up-to-date offline backups.

       Keep operating systems and network devices patched, using virtual patching for legacy systems that cannot be updated.

       Deploy Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) to validate organisational email.

       Enforce strong password policies.

       Enforce strong multi-factor authentication.

       Enforce a strict policy on the use of external devices.

       Encrypt data at rest and data in transit.

       Block attachment file types such as .exe, .pif, .url and other executable extensions.

       Avoid clicking on suspicious links, which can download malicious code.

       Conduct regular security audits of systems, especially database servers.
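One way to implement the attachment-blocking measure above in a mail gateway, extended to the archived (zip) attachments that the "Spreads through" section describes. This is an added example, not code from CERT-In or the original article; the blocked extensions beyond .exe, .pif and .url, and the sample attachments, are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions named in the advisory (.exe, .pif, .url) plus other commonly abused
# executable types; the extras are an assumption and should be tuned per site.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".url", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
ARCHIVE_EXTENSIONS = {".zip", ".rar"}


def extension(name: str) -> str:
    """Lower-cased final extension of a file name, ignoring any directory part
    and trailing whitespace (so 'invoice.pdf.exe' and 'setup.EXE ' both give '.exe')."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].strip()
    dot = base.rfind(".")
    return base[dot:].strip().lower() if dot > 0 else ""


def inspect_attachment(name: str, data: bytes) -> tuple:
    """Return (verdict, reason) where verdict is 'block', 'review' or 'allow'.
    Zip archives are opened in memory and every member name is checked, because the
    advisory notes that malicious payloads arrive inside archived attachments."""
    ext = extension(name)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"{name}: blocked extension {ext}"
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    member_ext = extension(member)
                    if member_ext in BLOCKED_EXTENSIONS:
                        return "block", f"{name}: archive contains {member}"
                    if member_ext in ARCHIVE_EXTENSIONS:
                        return "review", f"{name}: nested archive {member}"
        except zipfile.BadZipFile:
            return "review", f"{name}: not a readable zip archive"
        return "allow", f"{name}: archive contains no blocked file types"
    if ext == ".rar":
        # No stdlib rar reader; quarantine for manual or sandbox inspection.
        return "review", f"{name}: rar archives are not inspected here"
    return "allow", f"{name}: no blocked extension"


def build_sample_zip(members: dict) -> bytes:
    """Construct an in-memory zip from {member_name: bytes} for testing (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()
```

Running `inspect_attachment("invoice.zip", build_sample_zip({"invoice.pdf.exe": b"MZ"}))` returns a "block" verdict even though the outer attachment is an archive rather than an executable.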