$42 million and 250 victims: CISA shared disappointing statistics on the Akira extortion group

Father

Shifting its focus beyond Windows systems allowed the hackers to sharply increase the pace of their attacks.

Over the past year, the Akira ransomware group has attacked more than 250 organizations and damaged critical infrastructure in North America, Europe and Australia, as recently reported by representatives of CISA, the FBI and European law enforcement agencies. Since March 2023, the group has earned approximately $42 million from extortion.

Initially, the group attacked only Windows systems, but it later began actively using Linux versions of its malware to attack VMware ESXi virtual machines, which are widely deployed in large companies.

To gain access to corporate networks, Akira usually exploits known vulnerabilities, such as CVE-2020-3259 and CVE-2023-20269, and also relies on phishing and other methods. After breaking into the network, the attackers disable the victim's security software in order to move through the network unnoticed.

According to law enforcement agencies, the hackers use a variety of tools, including legitimate programs such as FileZilla, WinRAR and AnyDesk. Akira attackers usually do not leave an initial ransom demand or payment instructions, starting negotiations only after the victim contacts them directly.

Ransoms are always paid in bitcoin to crypto wallet addresses provided by the attackers. To increase the pressure, the group also threatens to publish the stolen data publicly, and in some cases even calls the offices of the attacked companies to intimidate its victims by phone.

The group has carried out a large number of attacks in a short period of time since it began operating. This year, for example, Akira hackers claimed responsibility for attacks on major cloud service providers, universities, government agencies and banking institutions. All this leads experts to assume that the group consists of experienced cyber-extortion specialists.

Researchers from Arctic Wolf analyzed some cryptocurrency transactions related to Akira's activities and found that the wallet addresses used by the attackers are linked to the now-defunct Conti group.

Despite the release of a decryptor for files affected by the Akira ransomware in June last year, the group was able to quickly fix the encryption flaws in its software and soon resumed its attacks with renewed vigor.