The Health Sector Cybersecurity Coordination Center (HC3) issued a sector alert about Akira ransomware group, which has claimed more than 60 victims across multiple sectors, including healthcare, finance, real estate, and manufacturing.
According to the alert, the group began operations in March 2023, when it emerged with a 1980s-themed website and hefty ransomware demands ranging from $200,000 to $4 million. Akira ransomware is known to target Windows and Linux systems.
Akira ransomware actors have been observed leveraging compromised credentials and taking advantage of weaknesses in virtual private networks (VPNs). Other tactics include phishing emails, trojans, and drive-by download attacks.
“Like many ransomware groups, they employed the double-extortion technique against their victims by exfiltrating data prior to encryption,” the alert stated. “It is also believed that the group may contain some affiliation with Conti due to observed overlap in their code and cryptocurrency wallets.”
As previously reported, a federal grand jury in the Southern District of California returned an indictment charging one threat actor in connection with the Conti ransomware attack on Scripps Health in May 2021.
HC3’s sector alert provided detailed technical information and a copy of Akira’s ransomware note.
“While the ransom note is written in English, it contains several grammatical errors within it. The note instructs the victims to contact them via their TOR site, where each victim is given a unique login password for conducting negotiations,” the alert noted.
“The ransom note also offers organizations a full security report from Akira, which claims to release an audit of the victims network and the vulnerabilities that the group was able to exploit.”
As of August 2022, Akira had started targeting Cisco VPN products in order to gain access to corporate networks that do not have multifactor authentication (MFA) enabled.
HC3 recommended the following mitigations to safeguard against Akira ransomware:
- Implement a strong password policy
- Educate and train users
- Enable multi-factor authentication
- Update and patch systems regularly
- Implementing account lockout policies to defend against brute force attacks
- Implementing a recovery and incident response plan
- Implement network segmentation
As always, healthcare organizations can defend against ransomware by maintaining awareness of emerging cyber threat groups and proactively addressing known vulnerabilities. HealthITSecurity