Bitcoin ransomware Akira drains $42M from more than 250 companies: FBI

The Akira ransomware gains initial access of victim organizations through pre-installed virtual private networks (VPN) that lack multifactor authentication (MFA).
The Akira ransomware gains initial access of victim organizations through pre-installed virtual private networks (VPN) that lack multifactor authentication (MFA).

Akira, a year-old ransomware group, breached more than 250 organizations and extracted approximately $42 million in ransomware proceeds, top global cybersecurity agencies alerted.

Investigations conducted by the United States Federal Bureau of Investigation (FBI) found that Akira ransomware has been targeting businesses and critical infrastructure entities in North America, Europe and Australia since March 2023. While the ransomware initially targeted Windows systems, the FBI recently found Akira’s Linux variant as well.

The FBI, along with Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3) and the Netherlands’ National Cyber Security Centre (NCSC-NL), released a joint cybersecurity advisory (CSA) to “disseminate” the threat to masses.

According to the advisory, Akira gains initial access through pre-installed virtual private networks (VPNs) that lack multifactor authentication (MFA). The ransomware then proceeds to extract credentials and other sensitive information before locking up the system and displaying a ransom note.

“Akira threat actors do not leave an initial ransom demand or payment instructions on compromised networks, and do not relay this information until contacted by the victim.”

The ransomware group demands payments in Bitcoin (BTC) from the victim organizations to restore access. Such malware often disables security software after initial access to avoid detection.

Cybersecurity best practices against ransomware attacks. Source: cisa.gov

Some of the threat mitigation techniques recommended in the advisory are implementing a recovery plan and MFA, filtering network traffic, disabling unused ports and hyperlinks and system-wide encryption.

“The FBI, CISA, EC3, and NCSC-NL recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory,” the agencies concluded.

Related: Mystery malware targets Call of Duty cheaters, stealing their Bitcoin

The FBI, CISA, NCSC and the U.S. National Security Agency (NSA) previously issued alerts about malware that was being used to target crypto wallets and exchanges.

Directories where information were extracted by the malware. Source: National Cyber Security Centre

The report noted that some of the data extracted by the malware included data within the directories of the Binance and Coinbase exchange applications and the Trust Wallet application. According to the report, every file in the directories listed is being exfiltrated regardless of type.

Magazine: Get Bitcoin or die tryin’: Why hip hop stars love crypto