Akira Ransomware Gang Extorts $42 Million; Now Targets Linux Servers

Threat actors behind the Akira ransomware group have extorted approximately $42 million in illicit proceeds after breaching the networks of more than 250 victims as of January 1, 2024.

"Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia," cybersecurity agencies from the Netherlands and the U.S., along with Europol's European Cybercrime Centre (EC3), said in a joint alert.

"In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines."

The double-extortion group has been observed using a C++ variant of the locker in the early stages, before shifting to a Rust-based code as of August 2023. It's worth noting that the e-crime actor is completely different from the Akira ransomware family that was active in 2017.

Initial access to target networks is facilitated by means of exploiting known flaws in Cisco appliances (e.g., CVE-2020-3259 and CVE-2023-20269).

Alternate vectors involve the use of Remote Desktop Protocol (RDP), spear-phishing, valid credentials, and virtual private network (VPN) services lacking in multi-factor authentication (MFA) protections.

Akira actors are also known to leverage various ways to set up persistence by creating a new domain account on the compromised system, as well as evade detection by abusing the Zemana AntiMalware driver to terminate antivirus-related processes via what's called a Bring Your Own Vulnerable Driver (BYOVD) attack.

To aid in privilege escalation, the adversary relies on credential scraping tools like Mimikatz and LaZagne, while Windows RDP is utilized to move laterally within the victim's network. Data exfiltration is accomplished through FileZilla, WinRAR, WinSCP, and RClone.

"Akira ransomware encrypts targeted systems using a hybrid encryption algorithm that combines Chacha20 and RSA," Trend Micro said in an analysis of the ransomware published in October 2023.

"Additionally, the Akira ransomware binary, like most modern ransomware binaries, has a feature that allows it to inhibit system recovery by deleting shadow copies from the affected system."

Blockchain and source code data suggests that Akira ransomware group is likely affiliated with the now-defunct Conti ransomware gang. A decryptor for Akira was released by Avast last July, but it's highly likely the shortcomings have since been plugged.

Akira's mutation to target Linux enterprise environments also follows similar moves by other established ransomware families such as LockBit, Cl0p, Royal, Monti, and RTM Locker.

LockBit's Struggles to Come Back

The disclosure comes as Trend Micro revealed that the sweeping law enforcement takedown of the prolific LockBit gang earlier this February has had a significant operational and reputational impact on the group's ability to bounce back, prompting it to post old and fake victims on its new data leak site.

"LockBit was one of the most prolific and widely used RaaS strains in operation, with potentially hundreds of affiliates, including many associated with other prominent strains," Chainalysis noted in February.

The blockchain analytics firm said it uncovered cryptocurrency trails connecting a LockBit administrator to a journalist based in Sevastopol known as Colonel Cassad, who has a history of soliciting donations for Russian militia group operations in the sanctioned jurisdictions of Donetsk and Luhansk following the onset of the Russo-Ukrainian war in 2022.

It's worth pointing out that Cisco Talos, in January 2022, linked Colonel Cassad (aka Boris Rozhin) to an anti-Ukraine disinformation campaign orchestrated by the Russian state-sponsored group known as APT28.

"Following the operation, LockBitSupp [the alleged leader of LockBit] appears to be attempting to inflate the apparent victim count while also focusing on posting victims from countries whose law enforcement agencies participated in the disruption," Trend Micro said in a recent deep dive.

"This is possibly an attempt to reinforce the narrative that it would come back stronger and target those responsible for its disruption."

In an interview with Recorded Future News last month, LockBitSupp acknowledged the short-term decline in profits, but promised to improve their security measures and "work as long as my heart beats."

"Reputation and trust are key to attracting affiliates, and when these are lost, it's harder to get people to return. Operation Cronos succeeded in striking against one element of its business that was most important: its brand," Trend Micro stated.

Agenda Returns with an Updated Rust Version

The development also follows the Agenda ransomware group's (aka Qilin and Water Galura) use of an updated Rust variant to infect VMWare vCenter and ESXi servers through Remote Monitoring and Management (RMM) tools and Cobalt Strike.

"The Agenda ransomware's ability to spread to virtual machine infrastructure shows that its operators are also expanding to new targets and systems," the cybersecurity company said.

Even as a fresh crop of ransomware actors continues to energize the threat landscape, it's also becoming clearer that "crude, cheap ransomware" sold on the cybercrime underground is being put to use in real-world attacks, allowing lower-tier individual threat actors to generate significant profit without having to be a part of a well-organized group.

Interestingly, a majority of these varieties are available for a single, one-off price starting from as low as $20 for a single build, while a few others such as HardShield and RansomTuga are offered at no extra cost.

"Away from the complex infrastructure of modern ransomware, junk-gun ransomware allows criminals to get in on the action cheaply, easily, and independently," Sophos said, describing it as a "relatively new phenomenon" that further lowers the cost of entry.

"They can target small companies and individuals, who are unlikely to have the resources to defend themselves or respond effectively to incidents, without giving anyone else a cut."

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.