Akira Ransomware Adapts Its Tactics to Exploit Major Vulnerabilities in 2024

Threat Group: Akira Ransomware
Threat Type: Ransomware
Exploited Vulnerabilities: CVE-2024-40766 (SonicWall), CVE-2020-3259 (Cisco), CVE-2023-20263 (Cisco), CVE-2023-20269 (Cisco), CVE-2023-27532 (Veeam), CVE-2023-48788 (Ubuntu), CVE-2024-37085 (SAP), CVE-2024-40711 (Veeam)
Malware Used: Akira, Megazord
Threat Score: 8.5/10
Last Threat Observation: October 22, 2024 (Resurfaced)


Overview

Akira ransomware has resurfaced with advanced capabilities, exploiting vulnerabilities such as CVE-2024-40711 (Veeam) and CVE-2024-40766 (SonicWall SSLVPN) to target organizations across critical sectors. Active since March 2023, Akira has shifted its tactics, adopting faster encryption methods (e.g., ChaCha8 cipher) and prioritizing attacks against VMware ESXi environments, with additional focus on Linux platforms. By employing a Rust-based encryptor, Akira further enhanced its encryption speed and effectiveness, making it a potent threat for enterprises reliant on virtualization and backup infrastructure.


Key Details

  • Delivery Method: Exploits unpatched vulnerabilities in widely-used systems like Veeam and SonicWall, combined with compromised VPN credentials.
  • Target Sectors: Primarily manufacturing, professional services, and critical infrastructure.
  • Functions:
    1. Data Exfiltration: Utilizes WinSCP, FileZilla, and Rclone for transferring sensitive data.
    2. Backup Destruction: Deletes Veeam backups and shadow copies.
    3. Fast Encryption: Uses ChaCha8 cipher for rapid encryption of files.
    4. Leak and Ransom Negotiation: Operates via a TOR-based chat system for ransom demands and data exposure.

Attack Vectors

Akira exploits multiple high-profile vulnerabilities for initial access and lateral movement. These include:

  • CVE-2024-40711: Veeam Backup & Replication RCE, allowing attackers to execute malicious code remotely.
  • CVE-2024-40766: SonicWall SSLVPN vulnerabilities, especially in scenarios where MFA is not enforced.
  • VMware ESXi: Akira continues to exploit vulnerabilities in ESXi environments, prioritizing unpatched systems.

Indicators of Compromise (IoCs)

Mitigation and Prevention

  1. Patch Management:
    • Apply the latest patches for Veeam, SonicWall, and VMware ESXi.
    • Prioritize updates to close vulnerabilities like CVE-2024-40711 and CVE-2024-40766.
  2. Multi-Factor Authentication (MFA):
    • Enforce MFA across all remote access systems, particularly for VPNs.
  3. Endpoint Protection:
    • Deploy EDR/XDR solutions to detect malicious behavior, such as the deletion of shadow copies or unauthorized modifications to backups.
  4. Backup Strategy:
    • Maintain immutable backups isolated from the network to mitigate the impact of ransomware.
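The endpoint-detection recommendation above, and the backup-destruction and exfiltration behaviours listed under Key Details, as an added example that is not from the advisory or its sources: a small rule evaluator over constructed Sysmon-style process-creation records that flags shadow-copy deletion and the transfer tools named on the page, then escalates hosts where both stages appear. The event records, rule names and severities are assumptions for illustration.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "fs01", "user": "CORP\\svc_backup",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs01", "user": "CORP\\svc_backup",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "fs01", "user": "CORP\\svc_backup",
     "cmdline": "rclone.exe copy D:\\Shares\\Finance remote:staging --transfers 16"},
    {"host": "ws22", "user": "CORP\\jdoe",
     "cmdline": "\"C:\\Program Files\\WinSCP\\WinSCP.exe\" /console"},
    {"host": "dc01", "user": "CORP\\admin",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Rules keyed to the behaviours the advisory lists: shadow-copy destruction and the
# transfer tools used for exfiltration. Rule names and severities are assumptions.
RULES = [
    ("shadow_copy_deletion", "high",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("exfil_tool_rclone", "medium", re.compile(r"\brclone(\.exe)?\b", re.I)),
    ("exfil_tool_interactive", "low", re.compile(r"\b(winscp|filezilla)(\.exe)?\b", re.I)),
]

DESTRUCTION = {"shadow_copy_deletion"}
EXFIL = {"exfil_tool_rclone", "exfil_tool_interactive"}


def evaluate(events):
    """Return (host, user, rule, severity) tuples, one per matching rule per event."""
    hits = []
    for ev in events:
        for rule, severity, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], ev["user"], rule, severity))
    return hits


def correlate(hits):
    """Hosts where exfil tooling AND backup destruction both fired: that pairing matches the
    advisory's exfiltrate-then-destroy sequence far better than either signal on its own."""
    by_host = {}
    for host, _user, rule, _sev in hits:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items() if rules & DESTRUCTION and rules & EXFIL)


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for hit in found:
        print("%-5s %-16s %-24s %s" % hit)
    print("escalate:", correlate(found))
```

In production the same rules would be fed from the EDR's process-creation stream rather than an inline list, and the low-severity interactive-tool hits are worth keeping as context rather than alerts on their own.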

Conclusion

Akira ransomware's return highlights its adaptability, with attackers leveraging high-profile vulnerabilities and rapidly refining encryption techniques. The group's focus on critical systems like VMware ESXi and backup solutions makes it particularly dangerous for organizations with unpatched systems. To mitigate the risk, it is critical for organizations to apply the latest security patches, enforce strong authentication protocols, and maintain comprehensive endpoint detection capabilities.

Sources:

  1. AlienVault: Akira Ransomware Evolves
  2. BleepingComputer: Akira and Fog ransomware now exploit critical Veeam RCE flaw
  3. Qualys: Threat Brief: Understanding Akira Ransomware
  4. SOCRadar: Akira Ransomware Targets SonicWall Vulnerability (CVE-2024-40766) – Immediate Patching Required