ZATAZ | Akira ransomware: FBI tallies $250 million in ransom demands

An updated advisory from US and European agencies: ransom demands estimated at nearly 250 million dollars, concentrated exploitation of VPNs and remote access tools, and technical and financial ties to the former Conti gang. Akira has become one of the leading ransomware threats to small and midsized organisations since 2023. The refreshed joint alert details an aggressive playbook capable of stealing data within just two hours of initial access and highlights targeting across manufacturing, education, IT and healthcare. For the FBI, the threat is no longer just about money: every compromised network hits hospitals, schools and businesses, and therefore entire communities.

According to the update to the advisory first issued in April 2024, the Akira group had, by late September, demanded more than $244 million in ransom. Using an indicative rate of 1 dollar to 0.92 euro, that figure translates into roughly 224.5 million euros. The broader estimate of nearly 250 million dollars corresponds to an order of magnitude of about 230 million euros. Exact numbers aside, the point is clear: Akira now sits in the same league as the big ransomware cartels of recent years.

The FBI stresses that the group does more than extort cash. Brett Leatherman, deputy assistant director of the Bureau's cyber division, notes that Akira ransomware "disrupts the systems that run our hospitals, our schools and our businesses". That statement drags the campaign back into the real world: behind encrypted servers lie delayed treatments, paralysed school districts and halted production lines. Leatherman underlines that behind each compromised network are "real people and communities facing ruthless cybercriminals".

The updated alert reflects close cooperation among multiple US and European bodies. Alongside the FBI, the Department of Defense and the Department of Health and Human Services contributed, as did Europol and law enforcement from France, Germany and the Netherlands. That level of joint work underlines the scale of the problem: Akira does not confine itself to one country or sector; it goes after weak links in public and private infrastructures across borders.

The targeted sectors form a familiar ransomware pattern: manufacturing, education, IT and healthcare. These environments combine heavy digital dependence, tight budgets and heterogeneous systems, making them ideal targets. The advisory flags one particularly worrying point: in some cases, actors using Akira were able to steal data within just two hours of initial access. Such a short dwell time implies prebuilt tooling, standardised procedures and solid knowledge of the environments being breached.

Several high-profile victims illustrate how varied the target set is. Akira has claimed a cyberattack on BK Technologies, a Florida-based firm that makes radios for US defence contractors and for dozens of police and fire services nationwide. The company recently warned investors of a September incident in which attackers stole data and confidential information on current and former employees. The group has also claimed attacks on Stanford University, the Toronto Zoo, a South African public bank, the currency broker London Capital Group and other organisations.

This mix of critical suppliers, flagship universities, financial institutions and public services echoes the logic of major ransomware outfits: hit where pressure to restore operations is highest and where data value makes ransom payment more likely. For intelligence and security teams, Akira looks very much like the next iteration of those industrial franchises, with a focus on organisations that cannot afford long outages.

The updated advisory devotes substantial space to Akira's modus operandi. Agencies explain that threat actors access VPN products such as SonicWall by stealing credentials or exploiting vulnerabilities like CVE-2024-40766. Exploit known flaws, harvest credentials, abuse legitimate tools: the picture is one of adversaries leaning on widely deployed access points, especially in small and medium-sized environments.

In some cases, initial access comes via compromised VPN credentials, potentially purchased from initial access brokers or obtained after brute-force attacks against VPN endpoints. Akira does not reinvent the principle but refines the mechanics: where many environments remain weakly protected, a simple username and password pair still opens the door. Once that foothold is in place, the observed speed of escalation (data stolen within two hours in some incidents) points to well-rehearsed playbooks.

Actors using Akira also rely on password spraying, using tools such as SharpDomainSpray to obtain valid account credentials. In practice, that means that once they have an initial foothold, they try common or derivative passwords against many accounts at once while attempting to stay below detection and lockout thresholds. This approach complements bought or stolen credentials and quickly expands the internal compromise surface within target domains.

Persistence is maintained through abuse of popular remote administration tools, including AnyDesk and LogMeIn. By blending into normal IT support work, Akira operators benefit from the fact that these tools are, by design, both legitimate and necessary. From an analyst's perspective, that camouflage in everyday activity makes detection harder: without fine-grained monitoring of usage and timing, a malicious session can look just like a helpdesk operation.

In some incidents, response teams observed Akira uninstalling endpoint detection and response (EDR) tools altogether. That step shows clear awareness of the defensive stack in place and a desire to neutralise logging and automated response capabilities before large-scale data theft or encryption. Once EDR is removed, defenders' room for manoeuvre shrinks and reconstructing the attack timeline becomes far more difficult.

The advisory also points to tailored guidance for primary and secondary schools. That focus on education, combined with attacks on hospitals and on manufacturers of radios for first responders, shows how the group leverages social and political pressure. When a school district, a healthcare provider or a critical radio supplier is crippled, the ransom question arises in a context of urgency and public concern, amplifying the group's leverage.

The updated alert stresses Akira's ties to the now-defunct Conti ransomware gang, which launched several major attacks before dissolving at the start of Russia's invasion of Ukraine. Researchers had already flagged strong overlaps between Akira and Conti ransomware samples. Blockchain analysis has shown multiple Akira ransom transactions flowing into wallets associated with Conti's leadership team.

On a press call, CISA executive assistant director Nick Andersen confirmed that Akira may have ties to the now-defunct Conti ransomware group, while declining to say whether Akira has any links to the Russian government. Brett Leatherman added that, even though no direct connection has been established between Akira and the Russian state, authorities know Conti at one point operated from Russia and that some current actors may have been associated with that gang.

Officials are keen to underline one point, however: like any affiliate-based ransomware operation, actors can be based almost anywhere. Leatherman noted that law enforcement likely faces individuals spread across multiple countries. That geographic dispersion complicates traditional legal responses, but it does not erase the technical and financial inheritance. Flows into Conti-linked wallets suggest continuity of know-how, capital and networks between yesterday's and today's operators.

That heritage also shows in Akira's choice of victims. Conti built its reputation on high-impact attacks against critical services and large organisations, betting on pressure to drive payment. Akira mirrors that pattern by striking a radio supplier to defence and first-responder agencies, elite universities, a flagship zoo, a public bank and a currency broker. The variety points to a deliberate strategy: hit organisations whose disruption immediately affects essential services or public perception.

Against this backdrop, Nick Andersen underlines that the ransomware threat posed by groups like Akira is real and that organisations must take it seriously by rapidly implementing mitigation measures. By detailing the main intrusion vectors, the joint alert implicitly offers a roadmap: harden VPN access, tighten monitoring of remote access tools, watch for tampering with EDR, and plan for incidents where data exfiltration occurs within hours.

From an intelligence standpoint, Akira has become a textbook case. The convergence of signals (Conti-like code, financial flows to known wallets, target sets in healthcare, education and defence, and aggressive VPN exploitation) sketches an ecosystem that recycles the structures of organised cybercrime for a post-Conti landscape. Authorities deliberately stop short of state attribution, but the geography of operations and the inherited tooling clearly inform their thinking.

ZATAZ News, English version.
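The three behaviours the advisory section above describes (low-and-slow password spraying, remote administration tools used in ways a helpdesk would not, and EDR removal) each leave a recognisable trace in ordinary logon and process telemetry. The Python below is an added example written for this page, not code from the advisory, the FBI or ZATAZ. It runs over constructed log records embedded in the block; the remote-tool executable names, the "ExampleEDR" product token and the helpdesk host allowlist are assumptions a defender would replace with their own inventory.

```python
"""
Detection sketches for three Akira behaviours named in the joint advisory:
low-and-slow password spraying, remote-admin tools run outside normal support
patterns, and EDR removal. Added example: SAMPLE_LOGS is constructed telemetry,
and REMOTE_TOOLS, EDR_TOKENS and HELPDESK_HOSTS are assumptions, not real data.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

REMOTE_TOOLS = {"anydesk.exe", "logmein.exe"}   # assumed executable names
EDR_TOKENS = ("exampleedr",)                     # hypothetical EDR product/service name
HELPDESK_HOSTS = frozenset({"HD-WS07"})          # assumed allowlist of support workstations

# Constructed sample events: simplified 4625-style logon failures and 4688/Sysmon-style process starts.
SAMPLE_LOGS = [
    # one source, one failure each against twelve different accounts: a spray
    *[{"ts": f"2025-09-14T02:{m:02d}:00", "kind": "logon_fail", "host": "DC01",
       "src": "10.0.5.23", "user": f"user{n}"} for m, n in enumerate(range(12), start=1)],
    # one user mistyping twice from one workstation: must NOT fire
    {"ts": "2025-09-14T09:01:00", "kind": "logon_fail", "host": "DC01", "src": "10.0.7.9", "user": "alice"},
    {"ts": "2025-09-14T09:01:30", "kind": "logon_fail", "host": "DC01", "src": "10.0.7.9", "user": "alice"},
    # AnyDesk dropped in a public folder and started on a file server at 03:12
    {"ts": "2025-09-14T03:12:00", "kind": "proc", "host": "FS01", "user": "svc_backup",
     "image": "C:\\Users\\Public\\AnyDesk.exe", "cmdline": "AnyDesk.exe --start-service"},
    # the same tool on a helpdesk workstation during the day: expected, no alert
    {"ts": "2025-09-14T14:30:00", "kind": "proc", "host": "HD-WS07", "user": "helpdesk1",
     "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    # EDR sensor service stopped, then its package removed silently
    {"ts": "2025-09-14T03:19:00", "kind": "proc", "host": "FS01", "user": "svc_backup",
     "image": "C:\\Windows\\System32\\sc.exe", "cmdline": "sc.exe stop ExampleEDRSensor"},
    {"ts": "2025-09-14T03:20:00", "kind": "proc", "host": "FS01", "user": "svc_backup",
     "image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": 'msiexec.exe /x "ExampleEDR Sensor" /qn'},
    # an ordinary silent install: msiexec, but neither an uninstall nor an EDR product
    {"ts": "2025-09-14T10:00:00", "kind": "proc", "host": "HD-WS07", "user": "helpdesk1",
     "image": "C:\\Windows\\System32\\msiexec.exe", "cmdline": 'msiexec.exe /i "Acme Reader.msi" /qn'},
]


def _exe(e):
    """Basename of the process image, lower-cased for matching."""
    return e["image"].rsplit("\\", 1)[-1].lower()


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=8, max_per_account=3):
    """Flag a source that fails logons against many distinct accounts inside one
    window while keeping every account below a lockout-sized attempt count."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "logon_fail":
            by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    alerts = []
    for src, attempts in by_src.items():
        attempts.sort()
        j = 0
        for i in range(len(attempts)):
            while j < len(attempts) and attempts[j][0] - attempts[i][0] <= window:
                j += 1                               # slide the window end forward
            per_user = Counter(u for _, u in attempts[i:j])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts.append({"src": src, "accounts": sorted(per_user),
                               "first": attempts[i][0], "last": attempts[j - 1][0]})
                break                                # one alert per source is enough
    return alerts


def detect_remote_tool_misuse(events, business_hours=range(7, 19), helpdesk_hosts=HELPDESK_HOSTS):
    """The binary is legitimate; timing, host and install path separate a
    helpdesk session from an intruder's persistence channel."""
    alerts = []
    for e in events:
        if e["kind"] != "proc" or _exe(e) not in REMOTE_TOOLS:
            continue
        reasons = []
        if datetime.fromisoformat(e["ts"]).hour not in business_hours:
            reasons.append("outside support hours")
        if e["host"] not in helpdesk_hosts:
            reasons.append("not a helpdesk workstation")
        if not e["image"].lower().startswith("c:\\program files"):
            reasons.append("non-standard install path")
        if reasons:
            alerts.append({"host": e["host"], "user": e["user"], "tool": _exe(e), "reasons": reasons})
    return alerts


def detect_edr_removal(events):
    """Catch the EDR agent being uninstalled (msiexec /x) or its service stopped
    or deleted (sc.exe / net.exe) when the command names an EDR product."""
    alerts = []
    for e in events:
        if e["kind"] != "proc":
            continue
        cmd = e["cmdline"].lower()
        argv = cmd.split()
        uninstall = _exe(e) == "msiexec.exe" and ("/x" in argv or "/uninstall" in argv)
        service_kill = _exe(e) in ("sc.exe", "net.exe") and any(v in argv for v in ("stop", "delete"))
        if (uninstall or service_kill) and any(tok in cmd for tok in EDR_TOKENS):
            alerts.append({"host": e["host"], "user": e["user"], "cmdline": e["cmdline"]})
    return alerts


def run_all(events):
    return {"password_spray": detect_password_spray(events),
            "remote_tool": detect_remote_tool_misuse(events),
            "edr_removal": detect_edr_removal(events)}


if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_LOGS).items():
        print(f"{name}: {len(hits)} alert(s)")
        for hit in hits:
            print("  ", hit)
```

Run as-is, the sample produces one spray alert (one source, twelve accounts, a single failure each, which a per-account lockout threshold never sees), one AnyDesk start at 03:12 on a file server from a public folder, and two EDR-tampering commands; alice's two typos and the daytime helpdesk session produce nothing. The window and thresholds are the tuning knobs: lower min_accounts for a small domain, and feed the VPN appliance's authentication failures into the same spray detector, since the advisory names brute force against VPN endpoints as an entry route.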