Saturday, October 12, 2024
HomeCyber AttackSharp Increase in Akira Ransomware Attack Following LockBit Takedown

Sharp Increase in Akira Ransomware Attack Following LockBit Takedown

Published on

Malware protection

In the wake of the LockBit ransomware group’s takedown, a shift has occurred within the cybercriminal underworld, leading to a sharp rise in activities by the Akira ransomware collective.

This group, known for its sophisticated attacks, particularly against healthcare entities in the US, has seen an influx of talent from the remnants of the notorious Conti group, specifically from its post-Ryuk faction.

The Rise of Akira Post-LockBit

Following the dismantling of LockBit, a notable vacuum was left in the ransomware landscape. Akira, a group previously operating in the shadows, has quickly stepped in to fill this gap.

- Advertisement - SIEM as a Service

According to cybersecurity firm RedSense, which has been closely monitoring these developments since the Summer of 2023, Akira has established deep ties with former members of the Conti group, especially those involved with the Ryuk ransomware.

Conti-Akira R&D Collaboration

The collaboration between Akira and the post-Conti group, particularly the developers behind Ryuk, has been pivotal.

The original creator of the Ryuk locker, known for his affinity for anime (hence the name “Akira”), has played a crucial role in supplying Akira with research and development insights.

This partnership was first identified during Royal’s research competition for a new locker, ultimately leading to the BlackSuit locker’s development.

Despite releasing a decryptor to counter Akira’s ransomware, the group saw a significant increase in compromised entities and successful encryptions during the summer of 2023.

This surge is attributed to the direct involvement of the Ryuk developer in Akira’s operations.

Yelisey Bohuslavskiy, co-founder of Redsense and advIntel, recently posted on LinkedIn about the sharp increase in threats from the Akira ransomware.

Following the takedown of LockBit, the Akira ransomware group is now attracting highly skilled post-Conti pen-testers targeting healthcare organizations in the United States.

The Emergence of “Ghost Groups”

Akira’s relationship with the post-Conti ecosystem has also led to the formation of “ghost groups,” such as Zeon, which previously aligned with Conti1 and played a significant role in deploying Ryuk.

In December, intelligence indicated that Zeon had been acting as a group of elite pen testers for Akira and LockBit, focusing primarily on the latter until its takedown.

The LockBit takedown has forced Zeon to redirect its efforts toward supporting Akira, leading to an expected increase in the sophistication and frequency of Akira’s ransomware attacks.

Recommendations & Mitigations

RedSense recommends several mitigation strategies to combat the rising threat from Akira and its associated groups.

These include prioritizing Remote Monitoring and Management (RMM) deployments, updating hypervisors and cloud backup frameworks, and implementing network segmentation and segregation to complicate these groups’ infiltration efforts.

Furthermore, awareness of specific Common Vulnerabilities and Exposures (CVEs) exploited by Zeon pentesters, such as CVE-2024-22252, CVE-2024-22253, and CVE-2024-22254 CVE-2024-22255, is crucial for defending against these sophisticated attacks.

As the cyber threat landscape continues to evolve, the rise of Akira in the post-LockBit era serves as a stark reminder of cyber criminals’ persistent and adaptive nature.

Vigilance and proactive cybersecurity measures are more important than ever to protect against these emerging threats.

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...