AKIRA ransomware

Chris Swagler | July 25th, 2023

The Indian Computer Emergency Response Team (CERT-In) has issued an advisory on the Akira ransomware, which targets both Windows and Linux systems. According to CERT-In, the Akira operators gain initial access through VPN services, particularly where users have not enabled multi-factor authentication. Before encrypting the data on a victim's systems, the operators exfiltrate sensitive information and then apply double-extortion tactics to pressure the victim into paying: if the ransom is refused, the stolen material is published on the group's dark web leak site. CERT-In also notes that the group has been observed using legitimate applications, including AnyDesk, WinRAR, and PCHunter, during intrusions, often without the victim noticing.

The Advisory on the AKIRA ransomware

The advisory describes Akira's technical behaviour as follows. On a targeted device the ransomware first deletes the Windows Volume Shadow Copies, removing the snapshots an administrator would otherwise use to roll files back. It then encrypts files matching a specified set of extensions, appending ".akira" to the name of each encrypted file as it goes. During encryption it uses the Windows Restart Manager API to terminate running Windows services, so that nothing holding the target files open can interfere with the encryption. Files in the ProgramData, Recycle Bin, Boot, System Volume Information, and Windows folders are skipped; files elsewhere on the drive are encrypted. CERT-In also recommends that Internet users follow basic online hygiene and protective practices to avoid such attacks.
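As an added example (not code from SpearTip, CERT-In, or the Akira operators), the following Python script turns the behaviours described in this paragraph, and the tool list given earlier on the page, into simple triage checks: it flags process command lines that delete shadow copies (the vssadmin, wmic and Win32_ShadowCopy methods are assumed, since the advisory does not name the technique), flags invocations of the named dual-use tools, and walks a directory tree the way the advisory says Akira does, skipping the excluded top-level folders and counting files carrying the ".akira" extension. The sample command lines and the miniature file tree are constructed for the demonstration.

```python
"""Detection helpers for the Akira behaviours CERT-In describes: shadow-copy
deletion, mass renaming to the ".akira" extension, the folder exclusions, and
use of the named dual-use tools. Example code added to this page; not SpearTip's
or CERT-In's. The sample command lines and file tree below are constructed."""
import os
import re
import tempfile
from pathlib import Path

# Ways shadow copies are commonly deleted on Windows. The advisory states only
# that Akira deletes them; these patterns are an assumption about the method.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy", re.I),   # WMI class driven from PowerShell
]

# Substrings of the tools named in the advisory; all are legitimate software,
# so a hit means "review against expected use", not "malware".
DUAL_USE_TOOLS = ("anydesk", "winrar", "pchunter")

ENCRYPTED_EXT = ".akira"

# Top-level folders the advisory says Akira leaves alone. "Recycle Bin" is
# stored on disk as $Recycle.Bin, so both spellings are listed.
EXCLUDED_DIRS = {"programdata", "recycle bin", "$recycle.bin", "boot",
                 "system volume information", "windows"}

# Constructed process-creation command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"vssadmin.exe delete shadows /all /quiet",
    r'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"',
    r"C:\Program Files\WinRAR\WinRAR.exe a -r staging.rar D:\finance",
    r"C:\Users\alice\Downloads\AnyDesk.exe",
]


def is_shadow_copy_deletion(cmdline: str) -> bool:
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def flag_shadow_deletions(cmdlines):
    """Return 1-based indexes of command lines that delete shadow copies."""
    return [i for i, c in enumerate(cmdlines, 1) if is_shadow_copy_deletion(c)]


def flag_dual_use_tools(cmdlines):
    """Return (index, tool) pairs for command lines that invoke a named tool."""
    hits = []
    for i, c in enumerate(cmdlines, 1):
        low = c.lower()
        hits.extend((i, t) for t in DUAL_USE_TOOLS if t in low)
    return hits


def count_encrypted_files(root, ext=ENCRYPTED_EXT):
    """Walk a volume the way the advisory says Akira does: prune the excluded
    top-level folders, then count files carrying the ransomware extension.
    Returns (encrypted, scanned)."""
    root = Path(root)
    encrypted = scanned = 0
    for dirpath, dirnames, filenames in os.walk(root):
        if Path(dirpath) == root:   # exclusions apply at the top of the volume
            dirnames[:] = [d for d in dirnames if d.lower() not in EXCLUDED_DIRS]
        for name in filenames:
            scanned += 1
            if name.lower().endswith(ext):
                encrypted += 1
    return encrypted, scanned


def encryption_alert(encrypted, scanned, threshold=0.10):
    """True when the encrypted share of scanned files exceeds the threshold.
    A single ".akira" file can be a false positive; a large fraction cannot."""
    return scanned > 0 and encrypted / scanned > threshold


def build_demo_tree(base=None):
    """Create a constructed miniature 'volume' and return its path."""
    base = Path(base or tempfile.mkdtemp(prefix="akira-demo-"))
    files = [
        "Users/alice/report.docx.akira",  # encrypted user data
        "Users/alice/notes.txt.akira",
        "Users/alice/photo.jpg",          # untouched
        "Windows/System32/kernel32.dll",  # excluded folder
        "ProgramData/app/config.json",    # excluded folder
        "Boot/BCD",                       # excluded folder
    ]
    for rel in files:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x")
    return base


if __name__ == "__main__":
    print("shadow-copy deletion at lines:", flag_shadow_deletions(SAMPLE_CMDLINES))
    print("dual-use tools:", flag_dual_use_tools(SAMPLE_CMDLINES))
    enc, total = count_encrypted_files(build_demo_tree())
    print(f"{enc}/{total} files encrypted, alert={encryption_alert(enc, total)}")
```

On a real host, point `count_encrypted_files` at a mounted volume and feed `flag_shadow_deletions` the command-line field from your process-creation telemetry. These are after-the-fact triage checks: by the time shadow copies are gone and ".akira" files appear, the offline backups the advisory recommends are what actually restore the data.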

Because ransomware holds data hostage, the advisory recommends keeping offline backups of critical data and keeping those backups current, so that an infection does not result in data loss. It also advises that operating systems and applications be updated frequently and that "virtual patching be considered for protecting legacy systems and networks"; according to the agency, this denies attackers easy entry through vulnerabilities in outdated applications and software. In addition, users should enforce strong password policies and multi-factor authentication (MFA), avoid applying updates or patches obtained through unofficial channels, and adopt other measures to counter cyber and ransomware attacks.

With ransomware groups targeting both Windows and Linux systems and encrypting files, companies must remain vigilant about the current threat landscape and regularly maintain offline backups of their critical data assets. At SpearTip, our certified engineers work continuously in our 24/7/365 Security Operations Center, monitoring companies' networks for potential ransomware threats. Our remediation experts focus on restoring operations, isolating malware to reclaim networks, and recovering business-critical assets. We examine each company's security posture to improve the weak points of its network and engage with its people, processes, and technology to measure the maturity of its technical environment. ShadowSpear Platform, our integrable managed detection and response tool, exposes sophisticated unknown and advanced ransomware threats with comprehensive insights through data normalization and visualization. Every company's risk assessment is designed to uncover security gaps and is accompanied by a technical summary and an individualized risk report detailing the steps needed to remediate them.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
