Experts believe the Akira ransomware operation is up to its old tricks again, encrypting victims' files after a break from the typical double extortion tactics.
That's according to James Nutland and Michael Szeliga, security researchers at Cisco Talos, who noted that the decision to revert to old ways is a sign the group is looking for greater stability and efficiency from its affiliate program.
Between the two periods of using double extortion tactics, Akira affiliates were mostly just stealing data and holding it to ransom – no encryption involved – à la Karakurt in 2022, or Cl0p a year later.
The pair suspect "with low to moderate confidence" that the reason for the break was to allow time for the operation's core dev team to work up a new, more effective encryptor payload.
Akira had initially launched with a C++ encryptor for Windows targets and later developed a Rust-based version for Linux systems.
However, Nutland and Szeliga noted that as recently as September, there were signs of Akira reverting to using samples written in C++ that bore resemblances to its first payload before August 2023.
The payload was updated – it's not a carbon copy of the first – but it's largely similar and appears to show a deliberate consolidation of the group's tools.
After pivoting from the first Akira payload in late 2023, the group was using two different encryptors, the Megazord variant for Windows and the Rust-based Akira v2 for Linux.
"The exploration of the Rust programming language in recent Linux encryptors signals the threat actor's willingness to experiment with different coding frameworks, potentially leading to more developed and resilient ransomware variants," the pair blogged.
"While the return to an earlier variant indicates a potential tactical shift from this code migration, it also demonstrates that the developers remain highly adaptable, willing to reemploy tried-and-tested techniques when necessary to ensure operational stability.
"Pragmatic adaptability is providing significant advantages for ransomware groups operating in a dynamic threat landscape, as it allows them to maintain a robust and reliable codebase while continually seeking new ways to evade detection and enhance functionality."
Going forward, the researchers expect Akira to continue exploiting high-impact vulnerabilities and targeting ESXi and Linux systems. Doing so allows affiliates to wreak havoc on multiple VMs and critical workloads at once, causing maximum disruption for victims.
"We anticipate Akira will continue refining its tactics, techniques, and procedures (TTPs), developing its attack chain, adapting to shifts in the threat landscape, and striving for greater effectiveness in its RaaS operations, targeting both Windows and Linux-based enterprise environments," the researchers said.
In its bumper annual cybersecurity report, Microsoft said it believed Akira was the most prolific ransomware group in the post-LockBit era, sweeping up 17 percent of all attacks for the previous 12-month period.
The group is believed to have benefited from the law enforcement disruptions of both LockBit and ALPHV/BlackCat, bringing their top talent into its own affiliate roster. That, combined with an ever-evolving catalog of TTPs, has propelled the group to the top of the cybercrook tree.
"Their success is partly due to the fact that they are constantly evolving," said Talos. "For example, after Akira already developed a new version of their ransomware encryptor earlier in the year, we just recently observed another novel iteration of the encryptor targeting Windows and Linux hosts alike."
- Volkswagen monitoring data dump threat from 8Base ransomware crew
- Microsoft says more ransomware stopped before reaching encryption
- Microsoft says tougher punishments needed for state-sponsored cybercriminals
- Would banning ransomware insurance stop the scourge?
To stay protected from Akira's attacks, the first port of call for any organization should be awareness of the vulnerabilities the group tends to exploit and patch them up with haste.
Nutland and Szeliga said recent incidents have involved exploits of the critical SonicWall vulnerability, CVE-2024-40766, although our recent talks with experts and advisories from the likes of CISA noted that bugs as old as four years are also firmly in Akira's tool belt.
"As Akira continuously refines its ransomware, affiliates are equally proactive in selecting and exploiting new vulnerabilities for initial access, adapting their tactics in tandem," the researchers said.
"They leverage newly disclosed CVEs, not only to breach networks but also to escalate privileges and move laterally within compromised environments. This allows them to establish a greater foothold to swiftly deploy encryption and exfiltrate victim data for extortion."
In addition to exploiting vulnerabilities, Akira affiliates are also known for using compromised VPN credentials for initial access.
The other most common initial access techniques used by ransomware crooks are identity compromise and social engineering – email phishing, voice phishing, SMS phishing… all the phishings, really, according to Microsoft's report.
So, for organizations looking to protect themselves from ransomware, getting on top of these methods and implementing adequate detection measures is vital to remain encryption-free.
Also, for the second year running, Microsoft said the vast majority of ransomware incidents that involved encryption (92 percent) stemmed from unmanaged devices connected to the corporate network.
It's yet another factor for defenders to consider, especially those working in industries such as manufacturing, or the professional, scientific, and technical services. Talos's data suggests these are most at risk of being targeted by Akira, based on an analysis of its previous victims. ®