Federal authorities have issued a warning to the healthcare sector regarding the Akira ransomware group, which has been linked to a series of attacks, primarily targeting small and mid-sized entities that lack multifactor authentication (MFA) on their virtual private networks (VPNs).
Furthermore, Akira employs double-extortion attacks, involving data theft and ransomware encryption, and gains initial access through various methods, including compromised credentials and VPN vulnerabilities, particularly in cases where MFA is absent. Other attack vectors used by Akira include phishing emails, malicious websites, drive-by downloads, and Trojans.
Researchers have noted similarities between Akira and the disbanded Conti ransomware group, citing code overlap and the use of ChaCha 2008 and key generation methods resembling Conti’s. Both groups also exhibit parallels in the directories they avoid encrypting and the cryptocurrency wallets they utilize. Akira has not limited its attacks to healthcare; it has also targeted sectors like finance, real estate, and manufacturing.
Additionally, the Akira group conducts double-extortion attacks, first exfiltrating an organization’s data and then threatening to publicly release it unless a ransom is paid. The malware employed by Akira removes shadow volume copies and encrypts files, appending the ‘.akira’ extension. The ransom demands from Akira have ranged from $200,000 to $4 million.
While a free decryptor for Akira ransomware was released by security firm Avast in June, it remains uncertain whether this has deterred Akira’s attacks. The number of organizations claiming to be victims on Akira’s dark web site has continued to rise. Security firm Rapid7 reported increased threat activity targeting Cisco ASA SSL VPN appliances, with several incidents culminating in ransomware deployment by the Akira and LockBit groups.
At the same time, a significant portion of incidents responded to by Rapid7’s managed services teams in the first half of 2023 stemmed from a lack of MFA on VPNs or virtual desktop infrastructure.
To mitigate the threat posed by Akira and similar groups, healthcare sector entities are advised to implement robust cybersecurity measures, including MFA, regular system updates, account lockout policies, network segmentation, and robust recovery and incident response plans.