Researchers Observe Sub-One-Hour Ransomware Attacks
Security researchers have warned of another step change in the velocity of ransomware, after spotting the Akira group complete all stages of an attack within an hour. Halcyon said in a new report that Akira usually achieves initial access by exploiting vulnerabilities in internet-facing VPN appliances and backup solutions, especially those lacking multi-factor authentication (MFA). In the past, these have included devices from SonicWall, Veeam, and Cisco.
The group has also been observed using credential theft, spearphishing, password spraying, and even initial access brokers (IABs). It is one of the more sophisticated groups out there, with suspected former Conti hackers now engaged in operations.
Following initial access, Akira usually exfiltrates data prior to encryption, following the classic double-extortion model. Threat actors try to evade detection by disabling security software, and then use living-off-the-land approaches (e.g., FileZilla, WinRAR, WinSCP, and RClone) for data staging and encryption, the report explained.
Halcyon said Akira manages to complete an entire attack lifecycle in under four hours, and in some cases less than one hour without detection. This is because Akira is “more stealthy and less aggressive” than other groups such as Play, the report claimed.
Zero-day exploits and compromised credentials enable covert access while intermittent encryption speeds up the process of scrambling victims’ files. Halcyon stated, “Akira is known to set encryption to as low as 1% of a file and push to all devices to maximize impact in a short duration.” The researchers also found that “Akira’s combination of rapid compromise capabilities, disciplined operational tempo, and investment in reliable decryption infrastructure sets it apart from many ransomware operators.”
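As an added defender-side illustration (not code from the Halcyon report), the constructed example below shows why encrypting only 1% of a file defeats a whole-file entropy check while a per-chunk entropy profile still exposes it. The "encryption" here simply overwrites bytes with seeded pseudo-random data; that is an assumption for the demonstration, not Akira's actual cipher or file layout.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 to 8.0); ciphertext is close to 8.0, English text about 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze(data: bytes, chunk_size: int = 1024, high: float = 7.0, low: float = 5.5) -> dict:
    """Flag a file as fully encrypted (whole-file entropy high) or partially encrypted
    (ciphertext-like chunks mixed with plaintext-like chunks, the intermittent pattern).
    Compressed formats (zip, jpeg) are also high-entropy, so pair this with a type allowlist."""
    whole = shannon_entropy(data)
    chunks = [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]
    high_chunks = sum(e >= high for e in chunks)
    low_chunks = sum(e <= low for e in chunks)
    whole_file_high = whole >= high
    mixed_profile = high_chunks > 0 and low_chunks > 0
    return {
        "whole_file_entropy": round(whole, 2),
        "high_chunks": high_chunks,
        "low_chunks": low_chunks,
        "whole_file_high": whole_file_high,
        "mixed_profile": mixed_profile,
        "flagged": whole_file_high or mixed_profile,
    }


def build_sample(size: int = 200_000, encrypted_fraction: float = 0.01, seed: int = 1) -> bytes:
    """Constructed test file: a repetitive plaintext 'document' whose leading
    encrypted_fraction is overwritten with seeded pseudo-random bytes to simulate
    partial encryption (an assumption, not a real ransomware cipher)."""
    line = b"Quarterly report: revenue steady, headcount unchanged.\n"
    plain = (line * (size // len(line) + 1))[:size]
    k = int(size * encrypted_fraction)
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(k)) + plain[k:]


if __name__ == "__main__":
    for frac in (0.0, 0.01, 1.0):
        print(f"encrypted fraction {frac:>4}: {analyze(build_sample(encrypted_fraction=frac))}")
```

With the 1% sample the whole-file entropy stays in the plaintext range, so only the per-chunk profile raises the flag; a scanner that looks at whole-file entropy alone would report the file as untouched.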
This has enabled the group to generate as much as $244 million since it appeared in March 2023, according to the US government. To mitigate this threat, Halcyon urged organizations to adopt layered defenses against Akira and other ransomware groups.