BACKGROUND
Akira is a ransomware group which was first observed in March 2023. Akira ransomware actors typically gain access to victims’ devices by using compromised credentials. Its operators use multi-extortion tactics, steal victims’ critical data and encrypts devices and files before demanding outrageous ransom payments. Victims who fail to comply with their demands will be listed on their TOR-based website along with the stolen data.
Akira commonly infiltrates targeted Windows and Linux systems through VPN services, especially where users haven't enabled multi-factor authentication.
IMPACT
Once a system is infected with Akira, the malware will attempt to delete backup folders that could be used to restore lost data. Files are encrypted and the .akira extension is added. A ransom is demanded in exchange for file decryption or data deletion.
SYSTEM AFFECTED
- Cisco Adaptive Security Appliance (ASA) software
- Cisco Firepower Threat Defense (FTD) software
PLATFORMS AFFECTED
- Microsoft Windows
- Linux
RECOMMENDATIONS
- Use anti-malware software or other security tools capable of detecting and blocking known ransomware variants.
- Monitor network traffic and look for indicators of compromise such as unusual network traffic patterns or communication with known command-and-control servers.
- Conduct regular security audits and assessments to identify network and system vulnerabilities and ensure that all security controls are in place and functioning properly.
- Educate employees on the risks of ransomware and train them on cybersecurity best practices, including identifying and reporting suspicious emails or other threats.
- Implement a robust backup and recovery plan to ensure that your organization has a copy of its data and can restore it in case of an attack. Store them in a secure, offsite location.
- Implement strong passwords and enable Multi-Factor Authentication (MFA) for all user accounts.
- Update and patch systems to fix known vulnerabilities and to prevent them from being exploited.