Akira ransomware gang made $42 million from 250 attacks since March 2023: FBI

The Akira ransomware gang has attacked more than 250 organizations over the last year and continues to impact a “wide range of businesses and critical infrastructure entities in North America, Europe, and Australia,” the FBI and European law enforcement agencies warned Thursday.

Officials from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) published an advisory on Thursday about the group, which has earned about $42 million in ransoms since emerging in March 2023. 

After initially targeting Windows systems, Akira has deployed a Linux variant targeting VMware ESXi virtual machines that are used widely across many large businesses and organizations. 

The gang has been seen using both variants of its ransomware within an attack on a single organization, marking “a shift from recently reported Akira ransomware activity.”

Akira ransomware actors have used known Cisco vulnerabilities like CVE-2020-3259 and CVE-2023-20269 to breach organizations through virtual private network (VPN) services that did not have multifactor authentication enabled. 

The hackers also use spearphishing campaigns and other tools to breach organizations. Once inside, they typically disable security software as a way to avoid detection while moving laterally. 

According to the law enforcement agencies, the ransomware gang uses several different tools to exfiltrate data including FileZilla, WinRAR, AnyDesk and more. 

“Akira threat actors do not leave an initial ransom demand or payment instructions on compromised networks, and do not relay this information until contacted by the victim,” the agencies said. 

“Ransom payments are paid in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. To further apply pressure, Akira threat actors threaten to publish exfiltrated data on the Tor network, and in some instances have called victimized companies, according to FBI reporting.”

The group’s large number of attacks shortly after emerging led experts to believe it is made up of experienced ransomware actors.

The ransomware gang has claimed a steady stream of incidents in 2024, including anattack on prominent cloud hosting services provider Tietoevry. 

The group has taken credit for other attacks on Stanford University, the largest switching and terminal railroad in the U.S., the government of Nassau Bay in Texas; Bluefield University; a state-owned bank in South Africa; major foreign exchange broker London Capital Group; and Yamaha’s Canadian music division.

Researchers at cybersecurity firm Arctic Wolf analyzed cryptocurrency transactions and found that in at least three separate transactions, Akira threat actors sent the full amount of their ransom payment to addresses affiliated with the now-defunct ransomware gang Conti.

Akira ransomware users paid over $600,000 in total to Conti-affiliated addresses. Two of the Conti-affiliated wallets were associated with Conti's leadership team, with one receiving payments from multiple ransomware families, Arctic Wolf said.

A decryptor for the ransomware was released last July but the group has been able to close loopholes in its code and continue attacks.