Sunday, May 25, 2025
HomeCVE/vulnerabilityAkira Ransomware Attacking Airline Industry With Legitimate Tools

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Published on

SIEM as a Service

Follow Us on Google News

Airlines often become the target of hackers as they contain sensitive personal and financial details of passengers as well as travel schedules and loyalty programs.

Since airlines are attractive to threat actors, disrupting their operations can be quite damaging to their economic and reputational statuses.

Cybersecurity researchers at BlackBerry discovered that in Latin America, an Akira ransomware attack targeted an airline in June 2024 by using SSH to gain initial access reconnaissance and persistence through legitimate tools and LOLBAS.

- Advertisement - Google News

Akira Ransomware Attacking Airline

Before employing the ransomware, the Linux-based attacker had exfiltrated critical data.

AKIRA is also known as Storm-1567 RaaS group (aka Punk Spider and GOLD SAHARA), which embraces the double-extortion method and often abuses legitimate software.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

This group began its activities in March 2023 and has already received over $42 million in ransoms from more than 250 organizations worldwide, operating across different sectors of the economy.

Akira not only focuses on Windows systems but also has Linux variants, such as one for VMware ESXi virtual machines, which shows how versatile it can be for any IT environment.

Attack chain (Source – BlackBerry)

The attack on Latin American airlines by Akira ransomware was executed by exploiting an unpatched Veeam backup server via CVE-2023-27532.

Previously, the operators of Akira gained access by utilizing CVE-2020-3259 and CVE-2023-20269.

SSH was used to gain entry into the system by attackers who created an admin user and employed legitimate tools such as Advanced IP Scanner for their recon. In 133 minutes, they were able to exfiltrate some data through WinSCP.

Antivirus protection was turned off the following day, and the network was infected with Akira ransomware (w.exe). Shadow copies were deleted to restrict recovery.

This attack used different sound programs and LOLBAS methodologies like smbexec from Impacket, NetScan, and AnyDesk for persistence.

This incident involved sophisticated tactics aimed at making maximum impacts both in terms of consequential damages and ransom amounts that could be paid to secure the release of affected files, BlackBerry researchers said.

This Latin American airline was hit by Akira ransomware using the endpoint logs, which showed that Remmina was used, and this suggests that the attackers were likely Linux-based.

Data exfiltration occurred via IP 77.247.126.158. Within UTC working hours for two days, the attack indicates actors may be from a timezone close to or in UTC, possibly Western Europe.

Akira is a Ransomware-as-a-Service operation that normally targets small and medium-sized businesses but has also attacked some large companies in North America and Europe.

The occurrence underlines the critical nature of immediate patching and software updates within corporate networks in order to block such sophisticated cyber threats and highlight the expansion of this group into Latin America, among other things.

“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo

Raga Varshini
Raga Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Latest articles

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats,...

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself...

TAG-110 Hackers Deploy Malicious Word Templates in Targeted Attacks

The Russia-aligned threat actor TAG-110, also linked to UAC-0063 and APT28 (BlueDelta) with medium...