The Akira ransomware has been active since March 2023, the threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers.
The group now is targeting Cisco VPN products to gain initial access to corporate networks.
Sophos researchers observed in May the threat actor using compromised Cisco VPN accounts to breach target networks.
Bleeping Computer reported that information shared by the incident responder that goes as ‘Aura’ on Twitter. Aura confirmed that threat actors targeted organizations using CISCO VPN appliances without MFA enabled.
BleepingComputer also reported that SentinelOne is investigating the possibility that the Akira ransomware group is exploiting an unknown vulnerability in the Cisco VPN software. The experts speculate that this issue might allow threat actors to bypass authentication in the absence of MFA and that the group launched an ongoing campaign against Cisco VPN appliances.
SentinelOne researchers also observed Akira operators using the legitimate RustDesk open-source remote access tool to maintain access to compromised networks.
In June, cybersecurity firm Avast released a free decryptor for the Akira ransomware that can allow victims to recover their data without paying the ransom.
The threat actors responded by patching their encryptors, making it impossible for victims use them to recover data encrypted by newer versions.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Akira ransomware)
A new round of the weekly Securitythe weekly Security Affairs newsletterAffairs newsletter arrived! Every week…
Operation ENDGAME dismantled key ransomware infrastructure, taking down 300 servers, 650 domains, and seizing €21.2M…
FBI warns Silent Ransom Group has targeted U.S. law firms for 2 years using callback…
The U.S. indicted Russian Rustam Gallyamov for leading the Qakbot botnet, which infected 700K+ devices…
Law enforcement operation codenamed 'Operation RapTor' led to the arrest of 270 dark web vendors…
A Chinese threat actor, tracked as UAT-6382, exploited a patched Trimble Cityworks flaw to deploy…
This website uses cookies.