The Healthcare Cybersecurity and Communications Integration Center (HC3) has issued a warning regarding the escalating threat presented by the Akira ransomware group, which, since its emergence in March, has actively targeted and victimized over 60 entities, with a considerable impact on the healthcare sector. This recent addition to cybercrime has demonstrated remarkable aggression and proficiency in targeting the U.S. health sector during its relatively short existence.
First identified in May 2023, the Akira ransomware has rapidly expanded its reach, claiming at least 81 victims within a year. It is important to distinguish the current Akira variant from a previous version observed in 2017, as they are believed to be unrelated. Interestingly, research suggests a potential connection between Akira and the now-disbanded Conti ransomware gang, evident in similarities in their operational tactics, file targeting, encryption algorithms, ransom payment addresses, and functional traits. Although an official affiliation remains unconfirmed, the perceived connection implies a level of sophistication in Akira’s operations, warranting serious consideration as a formidable threat. Operating on a ransomware-as-a-service (RaaS) model, Akira collaborates with other cybercriminals for attacks and shares extortion fees. Employing the double extortion technique, the group steals sensitive data, executes ransomware, and charges two separate fees – one for system restoration and another to prevent the leak of pilfered data. Akira heavily relies on credential compromise for initial access, targeting both Windows and Linux infrastructure on a global scale. Although the primary focus is on the United States, the group has been observed targeting countries such as the United Kingdom, Canada, Australia, New Zealand, and others. Geographically, Akira concentrates its attacks within the United States, with a specific emphasis on states like California, Texas, Illinois, and the East Coast, particularly the Northeast. Industries most frequently targeted by Akira include materials, manufacturing, goods and services, construction, education, finance, legal, and healthcare.
The tactics, techniques, and procedures (TTPs) employed by Akira are diverse and cover various stages of a cyber attack. From initial access through privilege escalation, persistence, lateral movement, data collection, data exfiltration, execution, and impact, the group employs a wide array of methods, as outlined in the MITRE ATT&CK framework. Recent attacks by Akira indicate an increased interest in targeting data storage, including cloud hosting infrastructure and network-attached storage devices. The group exploits vulnerabilities in Virtual Private Networks (VPN) software, such as Cisco’s Adaptive Security Appliance and Firepower Threat Defense platforms, for unauthorized access. This allows them to conduct brute force attacks, compromise credentials, perform network reconnaissance, and ultimately deploy ransomware. The financial aspect of Akira’s operations raises questions about a potential connection to the Conti ransomware gang. Analyzing cryptocurrency transactions reveals shared infrastructure between Akira and Conti, suggesting the possibility of talent overlap between the two groups. While not definitive, this assessment highlights the level of sophistication within Akira, inherited from its association with a well-established ransomware gang like Conti.
In response to the increasing threat from Akira, HC3 provides a comprehensive set of recommended defense and mitigation actions tailored for healthcare organizations. HC3 emphasizes the importance of maintaining robust identity and access management capabilities, advocating for stringent control over user identities and access privileges to thwart unauthorized entry points often exploited by Akira. The implementation of multi-factor authentication (MFA) for VPNs is strongly advocated, considering Akira’s historical proclivity for compromising VPNs lacking MFA protection. HC3 also highlights the need for healthcare entities to remain vigilant against credential compromise, recommending proactive measures such as regular credential audits, enforcing strong password policies, and immediately addressing suspicious activities related to user accounts. The adoption of the 3-2-1 rule for data backup is emphasized, encouraging healthcare organizations to create and maintain multiple copies of critical data stored on different types of media, both onsite and offsite, to strengthen resilience against ransomware attacks. HC3 recommends leveraging specific indicators of compromise provided by reputable cybersecurity organizations and staying informed of the latest threat intelligence to improve overall threat detection and response capabilities. Adopting MFA, staying vigilant against credential compromise, embracing the 3-2-1 data backup rule, and leveraging threat intelligence, healthcare organizations can collectively contribute to the resilience of the healthcare sector against emerging cyber threats.