In June 2024, a threat group utilizing Akira ransomware was discovered targeting a Latin American airline. The attackers initially accessed the network via the Secure Shell (SSH) protocol and successfully exfiltrated critical data before deploying the Akira ransomware the following day.
Throughout the compromise, the attackers abused several legitimate tools alongside Living Off the Land Binaries and Scripts (LOLBAS). This approach enabled them to perform reconnaissance and maintain persistence within the newly compromised environment. Once the attackers had achieved their goal of exfiltrating data, they deployed ransomware to encrypt and incapacitate the victim's systems.
Akira is a Ransomware-as-a-Service (RaaS) that has become a core weapon of Storm-1567 (also known as Punk Spider and GOLD SAHARA), a prominent ransomware group first observed in 2023. Indicators such as DNS queries sent to a domain associated with Remmina—an open-source remote desktop client—suggest with high confidence that the threat actor behind this compromise is likely a Linux-based user.
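As an added illustration, not part of the original report, the two indicators described above (an accepted SSH login and a DNS query for a Remmina-associated name from the same source address) can be correlated across sshd and resolver telemetry. All log lines, hosts, IPs, usernames and the watchlist domain below are constructed placeholders; the actual Remmina-associated domain is not given on this page.

```python
import re
from datetime import datetime, timedelta
# Constructed sample telemetry: hosts, IPs, usernames and times are invented. The
# report does not name the Remmina-associated domain, so a placeholder stands in.
WATCHLIST = {"remmina-placeholder.example"}

SSH_LOG = """\
2024-06-10T02:14:05Z gw01 sshd[4121]: Accepted password for svc_backup from 10.8.0.23 port 51234 ssh2
2024-06-10T03:02:17Z db02 sshd[4188]: Accepted publickey for admin from 10.20.1.5 port 40022 ssh2
2024-06-10T03:40:51Z gw01 sshd[4301]: Failed password for root from 10.8.0.23 port 51300 ssh2
"""
DNS_LOG = """\
2024-06-10T02:16:40Z resolver1 client 10.8.0.23 query remmina-placeholder.example A
2024-06-10T02:17:02Z resolver1 client 10.20.1.5 query update.example.com A
"""
SSH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")
DNS_RE = re.compile(r"^(\S+) \S+ client (\S+) query (\S+) ")

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def parse_ssh_accepts(text):
    """Successful sshd logins only; 'Failed password' lines do not match."""
    accepts = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            accepts.append({"time": _ts(m[1]), "host": m[2], "user": m[3], "src": m[4]})
    return accepts

def parse_dns_queries(text):
    """Resolver query log: which client asked for which name, and when."""
    queries = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            queries.append({"time": _ts(m[1]), "client": m[2], "qname": m[3]})
    return queries

def correlate(ssh_text, dns_text, watchlist=WATCHLIST, window=timedelta(hours=1)):
    """(src_ip, user, host, qname) for each accepted SSH login whose source IP also
    resolved a watchlisted name within `window`; a lead for triage, not proof of OS."""
    queries = parse_dns_queries(dns_text)
    hits = []
    for s in parse_ssh_accepts(ssh_text):
        for q in queries:
            if (q["client"] == s["src"] and q["qname"] in watchlist
                    and abs(q["time"] - s["time"]) <= window):
                hits.append((s["src"], s["user"], s["host"], q["qname"]))
    return hits
```

In a real deployment the watchlist would hold the domain(s) from the report's indicator set, and the SSH source would be matched against VPN pool assignments as well as raw client IPs.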
First observed in the wild in March 2023, Akira is associated with the RaaS group Storm-1567. This group is responsible for developing and maintaining the Akira ransomware and its dedicated leak sites (DLS). They typically employ a double-extortion tactic: critical data is exfiltrated before the victim's systems are crippled by ransomware. This tactic increases pressure on victims to pay the ransom, as the ransomware operators threaten public exposure of the stolen confidential data if payment is not made quickly.
Notable TTPs associated with Akira ransomware include the frequent abuse of legitimate software, including open-source penetration testing tools. The group is also known for exploiting vulnerabilities in a target organization's infrastructure, such as unpatched systems and vulnerable VPN software.
The Akira threat group has attacked numerous industry verticals worldwide in recent years. As of January 2024, the group has received more than $42 million in ransom payments and targeted over 250 different organizations. While the group primarily targets Windows systems, they also have Linux variants of their tools, including a variant targeting VMware ESXi virtual machines.
The June 2024 attack on a Latin American airline highlights the ongoing threat posed by Akira ransomware and the sophisticated tactics employed by the Storm-1567 group. Organizations must remain vigilant, ensuring their systems are up to date and implementing robust security measures to defend against such attacks.