Akira Ransomware: Published Over 30 New Victims on their DLS
Summary:
Between November 13 and 14, 2023, researchers at Cyberint observed a significant increase in activity from the Akira ransomware group, which listed over 30 victims on its data leak site. This marks the group's highest single-day total since it began operations in March 2023. In total, 35 victims were disclosed, with 25 of them based in the United States. Canada accounted for two victims, while the remaining targets were located in Uruguay, Denmark, Germany, the United Kingdom, Sweden, the Czech Republic, and Nigeria. Notably, the business services sector was the most frequently targeted, with 10 organizations impacted. Other targeted industries include Manufacturing, Construction, Retail, Technology, Education, and Critical Infrastructure.
This is not the first time that a ransomware group has posted such a large number of victims in a single day. For instance, in May 2024, the LockBit ransomware group publicly released information on 57 new victims in a single hour. These incidents underscore a troubling trend in the evolution of ransomware operations, where these groups are increasingly resorting to mass victim disclosures as a means of amplifying pressure and maximizing the impact of their attacks.
Analyst Comments:
According to Cyberint, in the majority of the observed intrusions, the attackers gained initial access using compromised credentials. While the exact method of credential acquisition remains unclear, researchers believe the attackers may have obtained them through dark web sources or other illicit means. A key point of concern highlighted by Cyberint is that most of the targeted organizations lacked multi-factor authentication (MFA) on their VPNs, which allowed the attackers to easily brute-force their way into the systems. This highlights a critical security gap that many organizations continue to neglect, leaving them vulnerable to such attacks.
Suggested Corrections:
Organizations should implement MFA for all VPNs and critical access points, enforce strong password policies, and regularly audit and rotate credentials. Additionally, enabling advanced monitoring tools to detect suspicious activity, educating employees on phishing prevention, and conducting regular vulnerability assessments and penetration testing can further enhance security. Strengthening network segmentation and using endpoint detection and response (EDR) solutions will help contain threats and limit potential damage from breaches.
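The monitoring recommendation above is most useful when it is concrete. The following is an added example, not code from Cyberint or from the original bulletin: a small detector that reads VPN authentication log lines and raises alerts for the pattern described in the analyst comments (a burst of failed logins from one source, and a successful login that follows such a burst, which is exactly what MFA would have blocked). It also flags one source failing against many different accounts. The log format (`user=... src=... result=...`), the sample lines, and the thresholds are all constructed assumptions; adapt the parser to your gateway's real format.

```python
"""Detect VPN credential brute-force / password-spray patterns in auth logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

FAIL_THRESHOLD = 5        # failures from one source within WINDOW -> brute force (assumed value)
SPRAY_USER_THRESHOLD = 4  # distinct users failing from one source within WINDOW -> spraying
WINDOW = timedelta(minutes=10)

# Constructed sample log lines in a hypothetical "key=value" VPN gateway format.
# These are not real events and are not taken from the Cyberint report.
SAMPLE_LOG = """\
2023-11-13T02:14:01Z vpn auth user=jsmith src=203.0.113.7 result=FAIL
2023-11-13T02:14:03Z vpn auth user=jsmith src=203.0.113.7 result=FAIL
2023-11-13T02:14:05Z vpn auth user=jsmith src=203.0.113.7 result=FAIL
2023-11-13T02:14:08Z vpn auth user=jsmith src=203.0.113.7 result=FAIL
2023-11-13T02:14:10Z vpn auth user=jsmith src=203.0.113.7 result=FAIL
2023-11-13T02:14:12Z vpn auth user=jsmith src=203.0.113.7 result=OK
2023-11-13T03:00:00Z vpn auth user=alice src=198.51.100.9 result=FAIL
2023-11-13T03:00:02Z vpn auth user=bob src=198.51.100.9 result=FAIL
2023-11-13T03:00:04Z vpn auth user=carol src=198.51.100.9 result=FAIL
2023-11-13T03:00:06Z vpn auth user=dave src=198.51.100.9 result=FAIL
2023-11-13T09:30:00Z vpn auth user=erin src=192.0.2.50 result=FAIL
2023-11-13T09:30:40Z vpn auth user=erin src=192.0.2.50 result=OK
"""


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 6 or parts[1:3] != ["vpn", "auth"]:
        return None
    ev = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for kv in parts[3:]:
        key, _, value = kv.partition("=")
        ev[key] = value
    return ev


def detect(log_text):
    """Return a list of (alert_type, src, ts) tuples in the order the alerts trigger."""
    alerts = []
    recent_fail = defaultdict(deque)  # src -> deque of (ts, user) failures inside WINDOW
    flagged_bf, flagged_spray = set(), set()  # dedupe: one alert per source per type
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or "src" not in ev or "result" not in ev:
            continue
        src, ts = ev["src"], ev["ts"]
        q = recent_fail[src]
        # Slide the window: drop failures older than WINDOW relative to this event.
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        if ev["result"] == "FAIL":
            q.append((ts, ev.get("user", "?")))
            if len(q) >= FAIL_THRESHOLD and src not in flagged_bf:
                flagged_bf.add(src)
                alerts.append(("brute_force", src, ts))
            if len({u for _, u in q}) >= SPRAY_USER_THRESHOLD and src not in flagged_spray:
                flagged_spray.add(src)
                alerts.append(("password_spray", src, ts))
        elif ev["result"] == "OK" and len(q) >= FAIL_THRESHOLD:
            # A success right after a failure burst is the highest-priority signal:
            # without MFA it most likely means the guessed credential worked.
            alerts.append(("success_after_failures", src, ts))
    return alerts


if __name__ == "__main__":
    for alert_type, src, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {alert_type:<24} src={src}")
```

Run on the constructed sample, the detector yields a brute-force alert and then a success-after-failures alert for 203.0.113.7, and a password-spray alert for 198.51.100.9; the single failure from 192.0.2.50 stays below every threshold. In production, the `success_after_failures` case should page someone, and the first two types are good candidates for automatic source blocking at the gateway.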
Link(s):
https://cyberint.com/blog/research/akira-ransomware-what-soc-teams-need-to-know/