Sharp Increase in Akira Ransomware Attack Following LockBit Takedown

In the wake of the LockBit ransomware group’s takedown, a shift has occurred within the cybercriminal underworld, leading to a sharp rise in activities by the Akira ransomware collective.

This group, known for its sophisticated attacks, particularly against healthcare entities in the US, has seen an influx of talent from the remnants of the notorious Conti group, specifically from its post-Ryuk faction.

The Rise of Akira Post-LockBit

Following the dismantling of LockBit, a notable vacuum was left in the ransomware landscape. Akira, a group previously operating in the shadows, has quickly stepped in to fill this gap.

According to cybersecurity firm RedSense, which has been closely monitoring these developments since the Summer of 2023, Akira has established deep ties with former members of the Conti group, especially those involved with the Ryuk ransomware.

Conti-Akira R&D Collaboration

The collaboration between Akira and the post-Conti group, particularly the developers behind Ryuk, has been pivotal.

The original creator of the Ryuk locker, known for his affinity for anime (hence the name “Akira”), has played a crucial role in supplying Akira with research and development insights.

This partnership was first identified during Royal’s research competition for a new locker, ultimately leading to the BlackSuit locker’s development.

Despite releasing a decryptor to counter Akira’s ransomware, the group saw a significant increase in compromised entities and successful encryptions during the summer of 2023.

This surge is attributed to the direct involvement of the Ryuk developer in Akira’s operations.

Yelisey Bohuslavskiy, co-founder of Redsense and advIntel, recently posted on LinkedIn about the sharp increase in threats from the Akira ransomware.

Following the takedown of LockBit, the Akira ransomware group is now attracting highly skilled post-Conti pen-testers targeting healthcare organizations in the United States.

The Emergence of “Ghost Groups”

Akira’s relationship with the post-Conti ecosystem has also led to the formation of “ghost groups,” such as Zeon, which previously aligned with Conti1 and played a significant role in deploying Ryuk.

In December, intelligence indicated that Zeon had been acting as a group of elite pen testers for Akira and LockBit, focusing primarily on the latter until its takedown.

The LockBit takedown has forced Zeon to redirect its efforts toward supporting Akira, leading to an expected increase in the sophistication and frequency of Akira’s ransomware attacks.

Recommendations & Mitigations

RedSense recommends several mitigation strategies to combat the rising threat from Akira and its associated groups.

These include prioritizing Remote Monitoring and Management (RMM) deployments, updating hypervisors and cloud backup frameworks, and implementing network segmentation and segregation to complicate these groups’ infiltration efforts.

Furthermore, awareness of specific Common Vulnerabilities and Exposures (CVEs) exploited by Zeon pentesters, such as CVE-2024-22252, CVE-2024-22253, and CVE-2024-22254 CVE-2024-22255, is crucial for defending against these sophisticated attacks.

As the cyber threat landscape continues to evolve, the rise of Akira in the post-LockBit era serves as a stark reminder of cyber criminals’ persistent and adaptive nature.

Vigilance and proactive cybersecurity measures are more important than ever to protect against these emerging threats.

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.