Akira Ransomware Adapts Its Tactics to Exploit Major Vulnerabilities in 2024
Threat Group: Akira Ransomware
Threat Type: Ransomware
Exploited Vulnerabilities: CVE-2024-40766 (SonicWall), CVE-2020-3259 (Cisco), CVE-2023-20263 (Cisco), CVE-2023-20269 (Cisco), CVE-2023-27532 (Veeam), CVE-2023-48788 (Ubuntu), CVE-2024-37085 (SAP), CVE-2024-40711 (Veeam)
Malware Used: Akira, Megazord
Threat Score: 8.5/10
Last Threat Observation: October 22, 2024 (Resurfaced)
Overview
Akira ransomware has resurfaced with advanced capabilities, exploiting vulnerabilities such as CVE-2024-40711 (Veeam) and CVE-2024-40766 (SonicWall SSLVPN) to target organizations across critical sectors. Active since March 2023, Akira has shifted its tactics, adopting faster encryption methods (e.g., ChaCha8 cipher) and prioritizing attacks against VMware ESXi environments, with additional focus on Linux platforms. By employing a Rust-based encryptor, Akira further enhanced its encryption speed and effectiveness, making it a potent threat for enterprises reliant on virtualization and backup infrastructure.
Key Details
- Delivery Method: Exploits unpatched vulnerabilities in widely-used systems like Veeam and SonicWall, combined with compromised VPN credentials.
- Target Sectors: Primarily manufacturing, professional services, and critical infrastructure.
- Functions:
  - Data Exfiltration: Utilizes WinSCP, FileZilla, and Rclone for transferring sensitive data.
  - Backup Destruction: Deletes Veeam backups and shadow copies.
  - Fast Encryption: Uses ChaCha8 cipher for rapid encryption of files.
  - Leak and Ransom Negotiation: Operates via a TOR-based chat system for ransom demands and data exposure.
Attack Vectors
Akira exploits multiple high-profile vulnerabilities for initial access and lateral movement. These include:
- CVE-2024-40711: Veeam Backup & Replication RCE, allowing attackers to execute malicious code remotely.
- CVE-2024-40766: SonicWall SSLVPN vulnerabilities, especially in scenarios where MFA is not enforced.
- VMware ESXi: Akira continues to exploit vulnerabilities in ESXi environments, prioritizing unpatched systems.
Indicators of Compromise (IoCs)
| MD5 Hashes | SHA1 Hashes |
|---|---|
| 0885b3153e61caa56117770247be0444 | 02bb630faf77a91c7de6b031b54de4467ab9da6f |
| 0e98bfb0d8595ceb9a687906758a27ad | 09f85d9c0de66c8f807bd1e12f55617e3fed3bf8 |
| 2a7a76cde7e970c06316e3ae4feadbe3 | 1ff0c089c5a3b93e95c337e7644119c7bd7133c6 |
| 4aecef9ddc8d07b82a6902b27f051f34 | 2cde82cf7a1bc88c8fc5865cb57f31f6437f74fc |
| 4edc0efe1fd24f4f9ea234b83fcaeb6a | 4549f715bfeab0477c816dc7629b3d50963c4d23 |
| 503f112e243519a1b9e0344499561908 | 6bfedf9793a7bd83e091ab44f0ac654bbb71a037 |
| 64f8e1b825887afe3130af4bf4611c21 | 73ee462cb96f4857f9f5bbdc4cada5800f2b8932 |
| 696a86a4c569590b0522664924db7c90 | 89d195f59bba9c3b43635607f9f1c3051645332c |
| 6b03b31c8cbd4a0a5829b63d16936ed3 | 8ad1b4ed98794e8f0a9a9d6fc161697974099d91 |
| 74d5d4e9a556a6170f19893e7ffdeffa | 8c54708c13ee136463ceaa851d05ddd70acf22b4 |
| 8ef468f21842ee03e1c5a41a6fef6bba | 8d635ca131d8aa20971744dcb30a9e2e1f8cd1be |
| 913ad33912e8d074a44010b9f6380969 | 923161f345ed3566707f9f878cc311bc6a0c5268 |
| 9df999f142f137b0794b8afcaaedc588 | 941d001e2974c9762249b93496b96250211f6e0f |
| 9f801240af1124b66defcd4b4ae63f2a | a420fbd6cb9d10db807251564c1c9e1718c6fbc5 |
| a18d79e94229fdf02ef091cf974ed546 | a5675c3e695ff1ef3c79c65c908d872387cd65da |
| c7ae7f5becb7cf94aa107ddc1caf4b03 | a90790c35bea365befd3af55cbedfffd2cc4481b |
| d25890a2e967a17ff3dad8a70bfdd832 | d640d5e632d260ac5a9e26df1bdb9b337f32cbbc |
| e57340a208ac9d95a1f015a5d6d98b94 | d8914aeb1824275915b028fa2a96871fceed344c |
| e5cf95b6bd04b89447e6c4ed71105a1c | efb651a5c755a9a5a96b08ddda736efd0bc03315 |
| eefcd1ab5b3638c870730e459d3545ed | f8425e27fb5340b4d50bdee1800dcc428a7d388f |
| SHA256 Hashes |
|---|
| 0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d |
| 0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c |
| 131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07 |
| 1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc |
| 28cea00267fa30fb63e80a3c3b193bd9cd2a3d46dd9ae6cede5f932ac15c7e2e |
| 2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77 |
| 2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83 |
| 3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75 |
| 3805f299d33ef43d17a5a1040149f0e5e2d5db57ec6f03c5687ac23db1f77a30 |
| 3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c |
| 43c5a487329f5d6b4a6d02e2f8ef62744b850312c5cb87c0a414f3830767be72 |
| 566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739 |
| 5c62626731856fb5e669473b39ac3deb0052b32981863f8cf697ae01c80512e5 |
| 6005dcbe15d60293c556f05e98ed9a46d398a82e5ca4d00c91ebec68a209ea84 |
| 678ec8734367c |
Mitigation and Prevention
- Patch Management:
  - Apply the latest patches for Veeam, SonicWall, and VMware ESXi.
  - Prioritize updates to close vulnerabilities like CVE-2024-40711 and CVE-2024-40766.
- Multi-Factor Authentication (MFA):
  - Enforce MFA across all remote access systems, particularly for VPNs.
- Endpoint Protection:
  - Deploy EDR/XDR solutions to detect malicious behavior, such as the deletion of shadow copies or unauthorized modifications to backups.
- Backup Strategy:
  - Maintain immutable backups isolated from the network to mitigate the impact of ransomware.
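The following is an added detection example and is not part of the original advisory or any vendor product. It turns the behaviours listed under Key Details (backup destruction, exfiltration with WinSCP, FileZilla and Rclone) and the Endpoint Protection item above into rules run over process-creation log lines. The key=value log format, the host and user names, and the VeeamBackupSvc service name are constructed assumptions for this example; a real deployment would map the same patterns onto its EDR or SIEM query language.

```python
"""Added detection example, not part of the original advisory. Scans
process-creation log lines for three behaviours the report attributes to
Akira: shadow-copy deletion, stopping of Veeam backup services, and
execution of the named exfiltration tools (WinSCP, FileZilla, Rclone).
The log format, hosts, users and the VeeamBackupSvc service name are
constructed assumptions, not a vendor schema."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed log lines in a simple key=value form. The last line is
# deliberately malformed to show that the scanner skips it instead of failing.
SAMPLE_LOG = """\
2024-10-22T03:14:07Z host=fs01 user=backupadmin cmd="vssadmin.exe delete shadows /all /quiet"
2024-10-22T03:14:09Z host=fs01 user=backupadmin cmd="wmic shadowcopy delete"
2024-10-22T03:15:31Z host=fs01 user=backupadmin cmd="net stop VeeamBackupSvc"
2024-10-22T03:20:02Z host=ws17 user=jdoe cmd="C:\\Tools\\rclone.exe copy D:\\Finance remote:dump --transfers 32"
2024-10-22T03:21:45Z host=ws17 user=jdoe cmd="winscp.exe /console /script=upload.txt"
2024-10-22T08:00:00Z host=ws02 user=asmith cmd="notepad.exe report.docx"
this line is malformed and has no fields
"""

LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# (rule name, pattern applied to the command line, severity). Case-insensitive
# because casing and the ".exe" suffix vary between invocations.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
     "high"),
    ("backup_service_stop",  # service name is an assumption for this example
     re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S*veeam\S*", re.I),
     "high"),
    ("exfil_tool_execution",
     re.compile(r"\b(rclone|winscp|filezilla)(\.exe)?\b", re.I),
     "medium"),
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    severity: str
    command: str


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Apply every rule to every well-formed line; one Finding per rule hit."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed input rather than abort the whole scan
        for name, pattern, severity in RULES:
            if pattern.search(rec["cmd"]):
                findings.append(Finding(rec["ts"], rec["host"], rec["user"],
                                        name, severity, rec["cmd"]))
    return findings


def summarize(findings):
    """Map each host to the sorted list of distinct rule names that fired on it."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.rule)
    return {host: sorted(rules) for host, rules in per_host.items()}


def hosts_to_isolate(findings):
    """Hosts with any high-severity hit. Backup destruction is the point at
    which recovery options start disappearing, so these deserve immediate
    containment rather than a ticket in the queue."""
    return sorted({f.host for f in findings if f.severity == "high"})


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.user} [{f.severity}] {f.rule}: {f.command}")
    print("per host:", summarize(hits))
    print("isolate:", hosts_to_isolate(hits))
```

The two shadow-copy commands and the service stop all land on the same host within two minutes, which is the sequence a backup-destruction stage produces; correlating the hits per host (rather than alerting on each command alone) is what makes the EDR/XDR item above actionable, and the exfiltration-tool rule is deliberately lower severity because Rclone and WinSCP have legitimate administrative uses and need context before escalation.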
Conclusion
Akira ransomware's return highlights its adaptability, with attackers leveraging high-profile vulnerabilities and rapidly refining encryption techniques. The group's focus on critical systems like VMware ESXi and backup solutions makes it particularly dangerous for organizations with unpatched systems. To mitigate the risk, it is critical for organizations to apply the latest security patches, enforce strong authentication protocols, and maintain comprehensive endpoint detection capabilities.