The Akira phenomenon: analysis of the ransomware that shook 2023

Since it first appeared on the scene in March 2023, Akira ransomware has demonstrated unprecedented destructive capacity. Through a series of targeted attacks, it has infected the networks of over 250 organizations in the current year alone, with ransoms reaching close to $42 million. These data emerge from a joint investigation carried out by prestigious agencies such as the FBI, CISA, the Europol European Cybercrime Center and the Dutch National Cyber Security Center.

Damages and exorbitant demands

The group behind Akira did not hesitate to strike hard, choosing large organizations in the territories of North America, Europe and Australia as targets. The amounts requested as ransom vary enormously, ranging between $200,000 and much larger sums, in proportion to the financial capabilities of the victims. Recent high-profile incidents have included the compromise of Nissan systems in Australia and New Zealand and a significant data breach at Stanford University, with thousands of personal data put at risk.

Sophisticated attack methodologies

The tactics employed by Akira are varied and refined. Access to networks occurs by exploiting weaknesses in VPN services that lack multi-factor authentication and the exploitation of vulnerabilities in Cisco products, identified as CVE-2020-3259 and CVE-2023-20269. Attacks also include the use of protocols such as Remote Desktop Protocol (RDP), spear phishing techniques, and theft of valid credentials to further infiltrate victims' digital environments.

Escalation tools and strategies

Once inside networks, Akira cybercriminals use tools like Mimikatz and LaZagne to escalate privileges. Lateral moves are frequently performed using Windows RDP, while data exfiltration uses applications such as FileZilla, WinRAR, WinSCP and RClone. These methods highlight a high degree of technical sophistication, increasing the challenge for security organizations in combating such cyber threats.