Akira Ransomware Compromises 63 Organizations in Six Months

Cybersecurity experts are investigating the Akira ransomware group, which has compromised at least 63 organizations since March 2023, primarily targeting small and medium-sized businesses. Analysts at Arctic Wolf believe that several individuals behind Akira may be linked to the now-defunct Conti group.

As mentioned, Akira mainly attacks small and medium-sized businesses, with victims located worldwide. However, the hackers focus most of their efforts on targets in the United States and Canada.

Attack Methods

Akira typically infiltrates target systems running Windows and Linux through VPN services, especially when users have not enabled multi-factor authentication. To gain access to victims’ devices, attackers use compromised credentials, which are likely purchased on the dark web.

Once inside a system, Akira attempts to delete backups that could be used to restore data. The ransomware then encrypts files with specific extensions, appending the “.akira” extension to each one.
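The one concrete artifact the article gives a defender is the ".akira" suffix appended to encrypted files. The following triage helper is an added example, not code from the article or from Arctic Wolf or Avast; it walks a directory tree, lists files carrying that suffix, and summarizes them per directory and by original extension so an incident responder can scope what was hit. It assumes (this is not stated on the page) that the original filename is kept with ".akira" appended, so "report.docx" becomes "report.docx.akira"; the sample file layout is constructed for the demonstration.

```python
"""Triage helper for files renamed with the ".akira" suffix (added example)."""
import os
import tempfile
from collections import Counter

AKIRA_SUFFIX = ".akira"  # extension the article says is appended to encrypted files


def find_encrypted_files(root):
    """Walk `root` and return a sorted list of paths ending in the Akira suffix."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(AKIRA_SUFFIX):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def original_name(path):
    """Strip the appended suffix to recover the pre-encryption filename.

    Assumption (not from the page): the suffix is appended to the full original name.
    """
    base = os.path.basename(path)
    if base.lower().endswith(AKIRA_SUFFIX):
        return base[: -len(AKIRA_SUFFIX)]
    return base


def summarize(root):
    """Per-directory counts and original extensions, for scoping the incident."""
    hits = find_encrypted_files(root)
    per_dir = Counter(os.path.relpath(os.path.dirname(p), root) for p in hits)
    orig_ext = Counter(os.path.splitext(original_name(p))[1] or "(none)" for p in hits)
    return {
        "total": len(hits),
        "per_dir": dict(per_dir),
        "original_extensions": dict(orig_ext),
    }


def build_sample_tree():
    """Constructed sample: a temp directory mixing 'encrypted' and untouched files."""
    root = tempfile.mkdtemp(prefix="akira_triage_")
    layout = [
        "finance/q1.xlsx.akira",
        "finance/q2.xlsx.akira",
        "finance/readme.txt",
        "hr/contracts.pdf.akira",
        "hr/photo.jpg",
    ]
    for rel in layout:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"")  # contents are irrelevant; only the name matters here
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print(summarize(sample_root))
```

Run against a real share or mounted disk image by passing its path to `summarize()`; the per-directory counts show where encryption stopped, and the original-extension histogram indicates which file types the operators selected, which the article notes is a specific set.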

Ransom Demands and Tactics

The ransom note left by the attackers is written in English but contains numerous errors. In the message, the group claims they do not want to cause serious financial harm to the victim, and the ransom amount is determined based on the affected company’s revenue and savings. Typically, Akira demands between $200,000 and $4,000,000.

Experts note that Akira uses a “double extortion” tactic, not only encrypting victims’ data but also stealing information from compromised systems before encryption. The attackers then threaten to publish or sell this data to other criminals if the ransom is not paid.

“The group does not insist that companies pay for both data decryption and deletion of stolen information. Instead, Akira offers victims the option to choose what they want to pay for,” specialists report.

Links to Conti and Countermeasures

According to researchers, the Akira ransomware is very similar to Conti. The malware ignores the same types of files and directories and uses a similar encryption algorithm. However, since Conti’s source code was leaked in early 2022, attributing attacks has become more difficult.

Back in June, Avast researchers published similar findings about a likely connection between Akira and Conti, stating that the creators of the new ransomware were at least “inspired by the leaked Conti source code.”

It’s worth noting that earlier this month, Avast released a free tool to decrypt files affected by Akira attacks. Currently, the tool works only on Windows, and after its release, the malware operators changed their encryption procedure to prevent free file recovery.

Financial Connections and Ongoing Threats

Arctic Wolf researchers focused on blockchain analysis and discovered three suspicious transactions in which Akira operators transferred over $600,000 to addresses linked to Conti. According to experts, two of the identified wallets had previously been associated with Conti leadership, with one receiving payments from several ransomware families.

“Although Conti disbanded due to internal conflict and the publication of their source code, in 2023 many Conti members continued to wreak havoc in organizations through their work with other RaaS groups, including Akira,” Arctic Wolf specialists conclude.