ransomware attack
26 Apr

Ransomware Trends: Akira’s Rise and the Variants of ‘Junk-Gun’

The Akira ransomware group has emerged as a significant threat, extorting over $42 million from more than 250 victims globally as of January 2024.

Initially focused on Windows systems, the group later added Linux variants, particularly targeting VMware ESXi hosts. It gains initial access through known flaws in Cisco appliances and through RDP, spear-phishing, and VPN services lacking MFA. To maintain persistence and evade detection, the operators create new domain accounts and use tools such as Mimikatz to scrape credentials.

Data exfiltration is carried out with tools such as FileZilla and WinSCP, and files are encrypted with a hybrid scheme combining ChaCha20 and RSA. Blockchain transaction analysis and source-code overlap suggest ties between Akira and the Conti ransomware gang, including a similar evolution toward targeting Linux environments. A decryptor released by Avast has since been rendered ineffective by the group’s adjustments to its encryption.

The recent takedown of the LockBit gang has disrupted the ransomware landscape and hampered the group’s ability to rebound. LockBit’s efforts to inflate its victim counts and regain trust highlight how much reputation matters in attracting affiliates. Meanwhile, the Agenda group’s use of Rust variants to infect VMware infrastructure demonstrates an expansion into new systems.

While sophisticated ransomware operations continue, there is also a rise in “junk-gun” ransomware: cheap, off-the-shelf malware sold to individual threat actors. These low-cost alternatives lower the entry barrier, enabling attacks on small organizations without sharing profits with organized groups. Sophos identifies this trend as a significant development in the evolving ransomware landscape.

Overall, the Akira group’s tactics, the fallout from the LockBit takedown, and the emergence of low-cost ransomware options illustrate the dynamic nature of cyber threats and the adaptability of cybercriminals in pursuing illicit gains.