The FBI, Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre and the Netherlands’ National Cyber Security Centre recently issued a joint statement to share critical intelligence on the Akira ransomware. The alert included Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) identified through FBI investigations and trusted third-party reporting up to February 2024.

According to the statement, since March 2023, Akira ransomware has been busy impacting numerous businesses and essential infrastructure sectors across North America, Europe, and Australia. Within just a month, Akira threat actors had expanded operations to target VMware ESXi virtual machines with a Linux variant, having initially focused on Windows systems. As of January 1, 2024, the Akira ransomware group had affected over 250 organizations, resulting in approximately $42 million (USD) in ransom payments.

Starting in August 2023, certain Akira attacks transitioned from the C++ language to Megazord using a Rust-based variant that encrypts files with a .powerranges extension, rather than the previous .akira extension. Initial access was via VPNs without multifactor authentication enabled, mostly exploiting Cisco vulnerabilities. However, other access was gained using spear-phishing tactics, Remote Desktop Protocol (RDP), or by using legitimate credentials that may have been accessed using credential scraping tools.

Using some form of MFA is advised whenever it’s available. This prevents attackers from gaining access to accounts without some type of secondary code or key. In addition, looking out for the signs of phishing in all its forms is crucial to prevent credential theft. This includes not opening attachments or clicking link it email messages that are not expected or are suspicious in any way. Never give out login credentials, even to IT personnel.

The FBI, CISA, EC3, and NCSC-NL strongly recommend that organizations adhere to the recommended mitigation measures. Some are listed below. These measures are crucial in safeguarding against the evolving tactics employed by the Akira ransomware threat actors.

• Implement a recovery plan
• Require all passwords to adhere to NIST standards
• Require MFA
• Keep all systems up-to-date
• Maintain offline backup of important data
• Create segmented networks
• Implement network monitoring tools
• Implement AV software and keep it updated

More information and mitigation techniques can be found on CISA’s website.