Akira ransomware group ditches double extortion, returns to pure encryption

The notorious Akira ransomware group has reportedly reverted to traditional encryption tactics, abandoning the double extortion methods they previously used. Security researchers James Nutland and Michael Szeliga from Cisco Talos suggest that this shift marks a return to simplicity and operational stability for Akira's affiliate-driven operation.

Previously, Akira affiliates relied on double extortion, first stealing data and then encrypting it to increase leverage over their victims. However, in their latest move, the group appears to have simplified its strategy, refocusing on pure encryption attacks. The Cisco Talos researchers believe this pivot signals a drive for increased efficiency and stability within Akira’s ransomware-as-a-service (RaaS) operation.

According to Nutland and Szeliga, the double exploitation period allowed Akira’s core team to work on a more effective encryptor payload. “Beginning in early 2024, Akira appeared to be sidelining the encryption tactics, focusing on data exfiltration only. We assess with low to moderate confidence that this shift was due in part to the developers taking time to further retool their encryptor,” the pair wrote in a blog post.

Key targets and continued exploitation of vulnerabilities

The two researchers anticipate that Akira will continue targeting high-impact vulnerabilities and focusing on ESXi and Linux systems. This enables them to attack multiple virtual machines and critical workloads simultaneously, maximizing disruption for their victims.

In addition to exploiting known CVEs, Akira affiliates are skilled in initial access techniques like compromised VPN credentials, identity compromise, and social engineering tactics (such as email, voice, and SMS phishing). A recent example includes the exploitation of a critical SonicWall vulnerability, CVE-2024-40766, underscoring the importance for organizations to remain vigilant and patch vulnerabilities promptly.

The new big threat in town

According to Microsoft’s recent cybersecurity report, Akira has risen to prominence in the post-LockBit era, accounting for 17% of ransomware attacks over the past year. Law enforcement actions against rival groups, like LockBit and ALPHV/BlackCat, may have bolstered Akira’s position, bringing top talent and TTPs (tactics, techniques, and procedures) into its affiliate roster.

Nutland and Szeliga also noted the group’s constantly evolving nature is also one of the reasons it’s growing in prominence. “Their success is partly due to the fact that they are constantly evolving,” they wrote. “For example, after developing a new version of their ransomware encryptor earlier in the year, we recently observed another novel iteration of the encryptor targeting Windows and Linux hosts alike.”

Protecting Against Akira’s Tactics

Organizations looking to defend against Akira and similar ransomware threats should prioritize patching exploitable vulnerabilities, managing work-related devices, and implementing strong detection measures against phishing and identity compromise.