The Akira ransomware gang has compromised at least 63 organizations since March 2023, mostly focusing on small- to medium-sized businesses (SMBs), cybersecurity firm Arctic Wolf reports.
Likely opportunistic, the group consists of at least some Conti-affiliated threat actors and engages in double extortion tactics, exfiltrating victim data prior to encryption and threatening to release the data publicly unless a ransom is paid.
“The group does not insist on a company paying for both decryption assistance and the deletion of data. Instead, Akira offers victims the opportunity to pick and choose what they would like to pay for,” Arctic Wolf notes.
The Akira ransomware group demands ransom payments ranging between $200,000 and $4 million. If the victim does not pay, their name and data are added to the group’s leak site.
At least 63 organizations have been listed on the site since March 2023, but some of them have been removed. Roughly 80% of the victims are SMBs.
Distributed via the ransomware-as-a-service (RaaS) business model, Akira is a fast-growing threat that leverages compromised credentials for intrusion. Most of the victims, Arctic Wolf says, did not have multi-factor authentication (MFA) enabled on their VPNs.
According to CloudSek, the group also uses malicious email attachments, malicious ads, and pirated software to spread the ransomware, and exploits unpatched vulnerabilities in VPN endpoints. It was also observed exploiting VMware ESXi vulnerabilities for lateral movement.
The group uses multiple readily available tools to obtain initial access to a victim’s environment and to perform system and data discovery, exfiltration, and command-and-control (C&C) activities.
The cybersecurity firm also identified code overlaps with the Conti ransomware, including similar functions and a similar implementation of the ChaCha algorithm for encryption.
Following the release of a decryptor for Akira on June 29, the ransomware operators modified the encryption routine, to prevent free file recovery.
Arctic Wolf also dived into the cryptocurrency wallet addresses used by the Akira ransomware operators, identifying additional wallets, and discovering overlaps with Conti activity, including three transactions in which over $600,000 were sent to Conti-affiliated addresses.
“Although Conti disbanded after increased pressure due to internal conflict and the publishing of their source code, many of the Conti members have continued to wreak havoc on organizations in 2023 through their activity with other Ransomware-as-a-Service groups, including Akira,” Arctic Wolf notes.