The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) have issued a joint Cybersecurity Advisory (CSA) detailing the growing threat posed by the Akira ransomware group.
Since its emergence in March 2023, Akira ransomware has targeted businesses and critical infrastructure across North America, Europe, and Australia.
In April 2023, the threat actors expanded their operations to include a Linux variant designed to target VMware ESXi virtual machines.
As of January 1, 2024, Akira has compromised over 250 organizations and extorted an estimated $42 million (USD) in ransom payments.
🛑 #StopRansomare: Review our 🆕 #cybersecurity advisory, outlining known #AkiraRansomware #TTPs & #IOCs, developed with @FBI, @EC3Europol, & @NCSC_NL to reduce the exploitation of businesses and critical infrastructure. https://t.co/2VBMKhoAXK pic.twitter.com/Nn0fEK4HRw
— CISA Cyber (@CISACyber) April 18, 2024
Akira threat actors have employed multiple variants of their malware, making detection and mitigation more complex. Early versions, written in C++, appended a .akira extension to encrypted files. In August 2023, the group introduced the Rust-based Megazord ransomware, which uses a .powerranges extension. The group continues to utilize both Megazord and Akira, including a version dubbed Akira_v2.
The FBI, CISA, EC3, and the NCSC-NL strongly urge organizations to adopt the following mitigations to protect against Akira and other ransomware threats:
- Maintain offline backups of critical data.
- Implement network segmentation.
- Regularly update and patch systems and software.
- Educate employees on identifying phishing emails and other social engineering tactics.
- Develop and implement an incident response plan.
