Security researchers have warned of another step change in the velocity of ransomware, after spotting the Akira group complete all stages of an attack within an hour.

Halcyon said in a new report that Akira usually achieves initial access by exploiting vulnerabilities in internet-facing VPN appliances and backup solutions, especially those lacking multi-factor authentication (MFA).

In the past, these have included devices from SonicWall, Veeam and Cisco, although the group has also been observed using credential theft, spearphishing, password spraying, and even initial access brokers (IABs).

It is one of the more sophisticated groups out there, with suspected former Conti hackers now engaged in operations.


Following initial access, Akira usually exfiltrates data prior to encryption – following a classic double-extortion model. Threat actors try to evade detection by disabling security software, and then use living-off-the-land approaches (e.g. FileZilla, WinRAR, WinSCP and RClone) for data staging and encryption, the report explained.

A Focus on Speed

Halcyon said Akira manages to complete an entire attack lifecycle in under four hours, and in some cases less than one hour without detection.

This is because it is “more stealthy and less aggressive” than other groups such as Play, the report claimed. Zero-day exploits and compromised credentials enable covert access while intermittent encryption speeds up the process of scrambling victims’ files.

“Akira is known to set encryption to as low as 1% of a file and push to all devices to maximize impact in a short duration,” Halcyon said.

“Akira's combination of rapid compromise capabilities, disciplined operational tempo, and investment in reliable decryption infrastructure sets it apart from many ransomware operators.”

This has enabled the group to generate as much as $244m since it appeared in March 2023, according to the US government.
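The partial-encryption pattern described above (a small slice of each file scrambled, the rest left intact) is hard to catch with a whole-file entropy check, because 1% of random bytes barely moves the average. The following is an added example, not code from the article or the Halcyon report: a chunked-entropy check a defender could run over backup snapshots or file shares to spot files whose windows split into a ciphertext-like minority and an untouched majority. The 1 KiB window, the 7.5/6.0 bits-per-byte thresholds and the sample file are assumptions constructed for the example; a seeded RNG stands in for ciphertext.

```python
import math
import random
from typing import List, Tuple

CHUNK = 1024  # window size in bytes; 1% of the constructed sample below is exactly one window


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, 7.8+ for ciphertext or random data, 0.0 for empty/constant."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> List[float]:
    """Entropy of each fixed-size window of the file, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def looks_intermittently_encrypted(data: bytes, chunk: int = CHUNK,
                                   high: float = 7.5, low: float = 6.0) -> Tuple[bool, float]:
    """Return (flag, fraction of ciphertext-like windows).

    Intermittent encryption leaves a minority of high-entropy windows beside a majority of
    low-entropy ones. A fully encrypted file has every window high and a clean document has
    none, so neither is flagged here; those cases need other checks (magic bytes, backups).
    """
    ents = chunk_entropies(data, chunk)
    if len(ents) < 4:  # too small to judge a ratio; treat as "no signal"
        return False, 0.0
    high_n = sum(1 for e in ents if e >= high)
    low_n = sum(1 for e in ents if e <= low)
    flagged = high_n > 0 and low_n >= len(ents) // 2
    return flagged, high_n / len(ents)


# Constructed sample inputs (not real victim files); seeded so the result is reproducible.
_rng = random.Random(20240613)
_pseudo_ciphertext = lambda n: bytes(_rng.getrandbits(8) for _ in range(n))
PLAINTEXT = (b"2024-Q3 revenue report: region=EMEA total=1,284,550 USD\n" * 2000)[:100 * CHUNK]
INTERMITTENT = _pseudo_ciphertext(CHUNK) + PLAINTEXT[CHUNK:]  # 1% of the file scrambled
FULL = _pseudo_ciphertext(len(PLAINTEXT))                      # every byte scrambled

if __name__ == "__main__":
    for name, blob in (("clean", PLAINTEXT), ("intermittent", INTERMITTENT), ("full", FULL)):
        flag, frac = looks_intermittently_encrypted(blob)
        print(f"{name:13s} whole-file entropy={shannon_entropy(blob):.2f} "
              f"high-windows={frac:.0%} intermittent={flag}")
```

Note that the whole-file entropy of the intermittent sample stays close to the clean file's value, which is why the per-window view is needed.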

How to Protect the Organization

Halcyon urged organizations to adopt layered defenses to mitigate the threat from Akira and other ransomware groups. This includes: 

  • Hardening against initial access, including “trusted relationships” and “third-party access pathways”
  • Limiting lateral movement and credential abuse by restricting remote services and misuse of accounts
  • Detecting data staging and exfiltration by monitoring for archive-collected data and command-and-control channels
  • Protecting against encryption impact through tested recovery processes
  • Deploying a dedicated anti-ransomware solution that blocks malicious binaries pre-execution, detects runtime behaviors and exfiltration efforts, prevents tampering and network intrusion, and protects backup integrity