The Cyber Security Center has warned about the Akira ransomware, which was used in attacks reported to authorities 12 times in Finland last year. The cases are specifically linked to poorly secured Cisco VPN implementations or their unpatched vulnerabilities.
Bleeping Computer also writes about the malware.
Akira ransomware was first detected in Finland in June 2023, according to the Cyber Security Center's report. The malware hit particularly hard at the end of the year: in December, for example, the Cyber Security Center was notified of seven online extortion cases, six of which involved Akira malware. Three of these took place during the Christmas holidays.
Akira ransomware operates on a ransomware-as-a-service (RaaS) model. In this model, cybercriminals sell the finished malware and the infrastructure needed to deploy it to other criminals. Buying ready-made malware means the attacker only needs to know how to find a victim and gain access to its networks.
According to the Cyber Security Center, criminals using Akira and other RaaS-style ransomware are often financially motivated and choose an easy victim. If the attack is successful, the hackers will try to assess the victim's ability to pay based on the size of the ransom demands, and may negotiate with the victim.
Credentials that don't use multi-factor authentication are at risk – updates are also critical
By the end of 2023, extortion attacks were carried out through weakly secured VPN access points, especially on Cisco ASA or FTD devices. In the fall, the CVE-2023-20269 vulnerability was discovered in the devices' software, which could allow attackers to find working VPN credentials through brute-force attacks. Credentials that don't use multi-factor authentication are at risk, according to the Cyber Security Center.
“Using network device updates and multi-factor authentication is critical because these attacks by the Akira team could have been prevented by those measures,” security expert Olli Hönö said, according to a statement released by the Cyber Security Center.
Akira steals user IDs and passwords from Windows servers and encrypts the most important files. On virtualization servers such as VMware products, it encrypts the disks of virtual machines. The Cyber Security Center recommends changing all passwords used online if traces of an attack are detected.
Additionally, attackers aim to corrupt and wipe NAS servers and automated tape backup devices. According to the Cyber Security Center, the most reliable method of protection from Akira is to create offline backups.
“For very important backups, it is better to follow the 3–2–1 rule. In other words, keep at least three backup copies in two different places and keep one of these copies completely away from the network,” reminds Hönö in the announcement.