Government agencies in the U.S. and Europe shared new information on Thursday to help organizations defend themselves against the Akira ransomware gang, which has attacked small- and medium-sized businesses since 2023.
The updates to an April 2024 advisory about the group’s operations include a new list of tactics and vulnerabilities being exploited in attacks.
As of late September, Akira is believed to have claimed more than $244 million in ransomware proceeds, according to the advisory.
“Akira ransomware doesn’t just steal money – it disrupts the systems that power our hospitals, schools, and businesses,” said FBI Cyber Division Assistant Director Brett Leatherman. “Behind every compromised network, you’ll find real people and communities harmed by callous cyber criminals.”
In addition to the FBI, the Defense Department and the Health and Human Services Department contributed to the advisory. Europol and law enforcement agencies in France, Germany and the Netherlands were also involved in the updated advisory.
The group has allegedly targeted the manufacturing, education, IT and healthcare sectors.
“Akira threat actors gain access to VPN products, such as SonicWall, by stealing login credentials or exploiting vulnerabilities like CVE-2024-40766,” the agencies said.
“In some instances, they gain initial access through compromised VPN credentials, potentially by using initial access brokers or brute-forcing VPN endpoints. Additionally, Akira threat actors deploy password spraying techniques, using tools such as SharpDomainSpray to gain access to account credentials.”
The group has also abused remote access tools like AnyDesk and LogMeIn to maintain their access to victim networks and blend in with administrator activity. In some cases, incident responders saw Akira uninstall endpoint detection and response (EDR) systems.
The FBI warned that in some incidents Akira threat actors were able to steal data just two hours after initial access.
The advisory links to specific advice for k-12 schools impacted by the ransomware gang.
“The threat of ransomware from groups like Akira is real and organizations need to take it seriously, with swift implementation of mitigation measures,” said Nick Andersen, Executive assistant director for the cybersecurity division at the Cybersecurity and Infrastructure Security Agency.
The advisory notes that Akira has ties to the now-defunct Conti ransomware gang, which launched several high-profile attacks before disbanding at the onset of Russia’s invasion of Ukraine.
On a call with reporters, Andersen confirmed that Akira “may have some connections to the now defunct Conti ransomware group” but declined to say if Akira had ties to the government of Russia.
The FBI’s Leatherman added that while there are no direct ties between Akira and the Russian state, they do know that the “Conti ransomware group at one point did operate within Russia and some actors may be associated with that group.”
“But like with any ransomware group or variant that operates as an affiliate based program, you can have actors located anywhere across the globe. So we do believe that we likely have actors who are in a variety of different countries,” Leatherman told Recorded Future News.
Researchers previously said there are deep similarities between the Akira and Conti ransomware strains. Blockchain analysis showed multiple Akira ransomware transactions to wallets associated with Conti’s leadership team.
Akira most recently took credit for a cyberattack on BK Technologies, a Florida-based company that makes radios for U.S. defense companies, as well as dozens of police and fire departments across the country. BK Technologies warned investors last month that it suffered a security incident in September where hackers stole non-public information and data on current and former employees.
Akira has taken credit for dozens of high-profile attacks on entities like Stanford University, the Toronto Zoo, a state-owned bank in South Africa, major foreign exchange broker London Capital Group and other organizations.
Recorded Future
Intelligence Cloud.
Learn more.
