Akira ransomware attacking VPNs
Attackers behind the Akira ransomware are using VPNs as one of their main ways into an organization. With compromised accounts, they can move in and out of the network at will.
No MFA? Watch out
Enabling MFA on VPN connections, among other controls, adds another layer of security to what is otherwise a direct connection into the company network.
Reports keep coming in
More reports keep coming in about attacks using the Akira ransomware. Research is ongoing in hopes of finding ways to detect and stop these attacks.
by Kevin Wood
Akira ransomware goes after remote workers
VPNs have become crucial since COVID-19
When the pandemic caused shutdowns and other changes, many employees began working from home or from remote offices in order to socially distance, stay safe, and remain productive. With this large shift to remote work, users needed a way to connect to the company network.
This is where the VPN comes into play, both as the tool that makes remote work possible and as an avenue for attackers to gain access to your organization. A VPN (virtual private network) is how many organizations provide encrypted connections between remote users and the corporate network.
The Akira ransomware is relatively new, first detected in March 2023. As more research is done on the ransomware and how it operates, analysts are finding that it uses VPNs as a main vector into the company network.
Multiple reports indicate that attackers are using compromised Cisco VPN accounts to infiltrate an organization’s network. Doing so means the attacker doesn’t need to install backdoors or other tooling to maintain persistence: the valid VPN credentials are the persistence, and they can come and go as they please.
Information shared by Aura, an incident responder, pointed to MFA (multi-factor authentication) as the key to securing VPN access.
I’m just gonna go ahead and say it. If you have:
Cisco VPN
No MFA for it
You may get a surprise knock from #Akira #Ransomware soon.
So yeah, go look at your AD auth logs for 4624/4625 from a WIN-* machine in your user VPN range.
If you have a hit, may the IR Gods help you.
— Aura (@SecurityAura) August 5, 2023
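The check in Aura’s post can be made repeatable. The following is an added example in Python, not code from this article or from Aura: it takes Windows Security events 4624 (logon succeeded) and 4625 (logon failed), keeps those whose workstation name is a default-style WIN-* hostname and whose source address sits in the VPN client pool, and summarizes them per user, host and address. It assumes the events were exported from a domain controller’s Security log as JSON with the field names used below and that the VPN pool is 10.200.0.0/16; both are assumptions, and the sample events are constructed.

```python
"""Hunt for VPN logons from default-named "WIN-*" hosts (Event IDs 4624/4625).

Added example, not code from the article or from Aura's post. It applies the
check quoted above: Windows Security events 4624 (logon succeeded) and 4625
(logon failed) whose WorkstationName is a default "WIN-xxxxxxx" hostname and
whose IpAddress sits in the address pool the VPN hands to remote users.
A freshly built attacker VM still carries that default name; managed
endpoints normally do not.

Assumptions (not from the article): events were exported from a domain
controller's Security log as JSON with the field names used below, and the
VPN pool is 10.200.0.0/16. SAMPLE_EVENTS is constructed test data.
"""
import fnmatch
import ipaddress
import json

# Assumed VPN client address pool(s); replace with your concentrator's pool.
VPN_POOLS = [ipaddress.ip_network("10.200.0.0/16")]

# Constructed sample export. WorkstationName and IpAddress are the event
# fields that matter; the rest is context you would keep for triage.
SAMPLE_EVENTS = json.dumps([
    {"EventID": 4625, "TimeCreated": "2023-08-05T02:10:51Z", "TargetUserName": "j.doe",
     "WorkstationName": "WIN-4K2L9PQ7R3M", "IpAddress": "10.200.14.77", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2023-08-05T02:11:09Z", "TargetUserName": "j.doe",
     "WorkstationName": "WIN-4K2L9PQ7R3M", "IpAddress": "10.200.14.77", "LogonType": 3},
    # Same host again; some sources record IPv4-mapped IPv6 addresses.
    {"EventID": 4624, "TimeCreated": "2023-08-05T02:40:22Z", "TargetUserName": "j.doe",
     "WorkstationName": "WIN-4K2L9PQ7R3M", "IpAddress": "::ffff:10.200.14.77", "LogonType": 3},
    # Managed laptop with a proper name: not a hit even though it is on the VPN.
    {"EventID": 4624, "TimeCreated": "2023-08-05T08:30:00Z", "TargetUserName": "a.smith",
     "WorkstationName": "LT-ASMITH", "IpAddress": "10.200.3.41", "LogonType": 3},
    # Default-named build box on the LAN, not in the VPN pool: not a hit.
    {"EventID": 4624, "TimeCreated": "2023-08-05T09:02:13Z", "TargetUserName": "svc-build",
     "WorkstationName": "WIN-BUILD01", "IpAddress": "10.10.5.20", "LogonType": 3},
    # Interactive logon with no network address recorded ("-"): not a hit.
    {"EventID": 4624, "TimeCreated": "2023-08-05T09:05:00Z", "TargetUserName": "b.lee",
     "WorkstationName": "WIN-9ZXQ1A2B3C4", "IpAddress": "-", "LogonType": 2},
])


def normalize_ip(raw):
    """Parse an IpAddress field. Returns an ip_address object, or None for
    placeholders such as "-". IPv4-mapped IPv6 ("::ffff:a.b.c.d") is unwrapped
    so it can be matched against IPv4 pools."""
    try:
        addr = ipaddress.ip_address(str(raw).strip())
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def is_vpn_address(raw, pools=VPN_POOLS):
    """True if the (normalized) address belongs to one of the VPN pools."""
    addr = normalize_ip(raw)
    return addr is not None and any(addr in pool for pool in pools)


def suspicious_vpn_logons(events_json, pools=VPN_POOLS, name_pattern="WIN-*"):
    """Return the 4624/4625 events from WIN-* hosts inside the VPN pools."""
    hits = []
    for ev in json.loads(events_json):
        if ev.get("EventID") not in (4624, 4625):
            continue
        workstation = str(ev.get("WorkstationName", "")).upper()
        if not fnmatch.fnmatchcase(workstation, name_pattern):
            continue
        if not is_vpn_address(ev.get("IpAddress", ""), pools):
            continue
        hits.append(ev)
    return hits


def summarize(hits):
    """Group hits by (user, workstation, normalized IP) with success/failure
    counts. Repeated failures followed by a success from the same default-named
    host are the ones to escalate first."""
    summary = {}
    for ev in hits:
        key = (ev["TargetUserName"], ev["WorkstationName"].upper(),
               str(normalize_ip(ev["IpAddress"])))
        counts = summary.setdefault(key, {"success": 0, "failed": 0})
        counts["success" if ev["EventID"] == 4624 else "failed"] += 1
    return summary


if __name__ == "__main__":
    for (user, host, ip), counts in summarize(suspicious_vpn_logons(SAMPLE_EVENTS)).items():
        print(f"{user:<12} {host:<18} {ip:<16} ok={counts['success']} failed={counts['failed']}")
```

On real data you would feed the script an export of the Security log from your domain controllers (for example events filtered on IDs 4624 and 4625 and written out as JSON) and set VPN_POOLS to the pool your concentrator actually assigns. Treat a hit as a lead, not proof: a default hostname can belong to an unrebuilt corporate image, and an attacker who renamed the VM will not match the WIN-* pattern at all, so the source address and the account’s normal working hours still need to be checked.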
After gaining access, attackers are going after SQL databases and file servers and turning services on or off to make sure they can keep connecting, do what they want, and avoid alerting anyone.
A decryptor had been released, but the ransomware has since been updated, so only older variants of the Akira ransomware can be decrypted with that tool. BBG is unsure whether anyone is currently working on a new decryptor.
As with any ransomware, there are many ways to prevent intrusions. The trouble is that the attack vectors change every day. No solution is perfect, so it’s imperative to have one in place that ensures your data is not only backed up properly, but also protected.
If you’re unsure of your organization’s disaster recovery plan or the solution you have in place, or are interested in exploring other options, contact us today! Click the button below to email our team and schedule a time to discuss your current situation.
- Akira ransomware
- Attacking VPNs as a way into systems
- Once in, attackers can easily get back in, which makes exfiltrating data very easy.
- With early detection of file changes, downloads, or other anomalous actions, you could stop an attack like this before it becomes something bigger.
- Contact us today (click the orange button below) and let us show you how we can keep your data safe.