SafeBreach Coverage for AA24-109A (Akira Ransomware)
On April 18th, the FBI, CISA, Europol’s EC3, and the Netherlands’ NCSC-NL issued an urgent joint advisory on the Akira ransomware, which has been actively targeting a wide range of businesses and critical infrastructure entities across North America, Europe, and Australia since March 2023. Akira initially focused on Windows systems; by April 2023 it had begun targeting VMware ESXi virtual machines with a new Linux variant. The ransomware has reportedly impacted over 250 organizations and extorted approximately $42 million USD.

Akira’s tooling has evolved over time: early versions were written in C++ and appended a .akira extension to encrypted files, while attacks from August 2023 onward deployed a Rust-based variant named Megazord that uses a .powerranges extension. Observed attack methods include gaining initial access through vulnerabilities in VPN services or other external-facing services such as RDP; persistence and discovery through domain controller abuse and credential scraping; defense evasion by deploying different ransomware variants within the same intrusion; and exfiltration and impact through data theft and double-extortion tactics. File encryption combines ChaCha20 with RSA for secure key exchange.

SafeBreach has updated its platform with new and existing attacks based on this advisory, allowing customers to validate their security controls against these TTPs. Recommended mitigations include implementing a recovery plan, requiring multifactor authentication, keeping systems updated, and monitoring for abnormal activity.

CVEs: CVE-2020-3259, CVE-2023-20269
Malware: Akira (Linux), Akira, Akira (Windows)
[View Article](https://securityboulevard.com/2024/04/safebreach-coverage-for-aa24-109a-akira-ransomware/)