Government Issues Warning on Akira Ransomware: Threatens Vital Data Theft and Extortion
Government Issues Warning on Akira Ransomware: Threatens Vital Data Theft and Extortion
In a recent advisory, the Indian Computer Emergency Response Team (CERT-In), which is the Indian government’s agency responsible for handling computer security incidents, has issued a warning about a new Internet virus called “Akira.” This malicious software is designed to infiltrate computer systems, steal critical personal information from users, and encrypt their data, rendering it inaccessible. Cybercriminals then exploit this situation to extort money from victims in exchange for decrypting their data and restoring access to it.
The “Akira” virus represents a significant cybersecurity threat as it can lead to data breaches, privacy violations, and financial losses for individuals and organizations. The CERT-In advisory serves as a cautionary measure to raise awareness among users about the risks associated with this particular malware. It also highlights the importance of adopting robust cybersecurity practices, such as using updated antivirus software, regularly backing up data, and being vigilant against phishing attacks and suspicious online activities.
The CERT-In advisory provides crucial information about the “Akira” ransomware operation, which has emerged as a significant cybersecurity threat. The ransomware targets both Windows and Linux-based systems and employs a double extortion strategy to extort money from victims.
The modus operandi of the Akira group involves first stealing sensitive information from their victims. They then proceed to encrypt data on the compromised systems, rendering it inaccessible to the users. In this process, they conduct double extortion, demanding a ransom from the victims to decrypt their data. If the victim does not comply with their demands, the group resorts to releasing the stolen data on their dark web blog, putting sensitive information at risk of exposure.
The Akira group appears to exploit vulnerabilities in VPN services, especially in cases where multi-factor authentication is not enabled. This highlights the importance of implementing robust security measures, such as enabling multi-factor authentication for VPN services, to prevent unauthorized access.
Additionally, the group is known to utilize certain tools like AnyDesk, WinRAR, and PCHunter during their intrusions. These tools are often present in the victim’s environment and their misuse can go unnoticed, making it essential for users and organizations to closely monitor their systems for any suspicious activities.
The Akira ransomware employs a specific infection mechanism, as outlined by CERT-In:
1. Execution and Shadow Volume Copies Deletion: The attack begins when the Akira ransomware sample is executed on the targeted device. Upon execution, Akira deletes the Windows Shadow Volume Copies, which are backup copies of files used for system restoration.
2. File Encryption: After removing the Shadow Volume Copies, Akira proceeds to encrypt files with predetermined extensions. Each encrypted file’s name is appended with the ‘Akira’ extension.
3. Termination of Active Windows Services: During encryption, the ransomware uses the Windows Restart Manager API to terminate active Windows services, ensuring an uninterrupted encryption process.
4. Targeted Folders for Encryption: Akira encrypts files in various hard drive folders, but excludes specific ones like Program Data, Recycle Bin, Boot, System Volume Information, and Windows folders to maintain system stability.
5. Preservation of Windows System Files: To avoid system disruption, Akira refrains from modifying crucial Windows system files, such as those with extensions .sys, .msi, .dll, .ink, and .exe.
Understanding Akira’s infection mechanism is crucial for enhancing cybersecurity defenses and safeguarding systems and data from potential ransomware attacks. Regular security updates, robust backup practices, and proactive measures can mitigate the risks posed by such malware.
To safeguard computer systems and data from Akira and other ransomware attacks, CERT-In advises internet users to follow these important practices:
1. Maintain Offline Backups: Keep offline backups of critical data and ensure they are regularly updated. This prevents data loss in the event of a ransomware infection.
2. Keep Systems Updated: Regularly update all operating systems and applications. Consider virtual patching for legacy systems to protect against cybercriminals exploiting vulnerabilities in outdated software.
3. Periodic Backup and Restoration Tests: Conduct periodic backups and restoration tests to verify data integrity and ensure effective recovery.
4. Implement DMARC, DKIM, and SPF: Establish Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) to enhance email security and prevent email spoofing.
5. Enforce Strong Password Policies and MFA: Implement strong password policies and multi-factor authentication (MFA) to enhance user account security.
6. Avoid Unofficial Updates/Patches: Only apply updates and patches from official and trusted sources.
7. External Device Usage Policy: Implement a strict policy for the usage of external devices (e.g., USB drives) to prevent unauthorized access and malware infections.
8. Data Encryption: Employ data-at-rest and data-in-transit encryption to protect sensitive information.
9. Anti-Exploitation Tools: Consider installing tools like Enhanced Mitigation Experience Toolkit (EMET) or similar host-level anti-exploitation tools to prevent exploitation of software vulnerabilities.
10. Block Suspicious File Attachments: Block attachments of file types commonly used in ransomware attacks.
11. Conduct Vulnerability Assessment and Penetration Testing (VAPT): Perform periodic VAPT and information security audits of critical networks and systems, especially database servers, by CERT-In empaneled auditors.
Following these practices can significantly enhance the security of computer systems and data, reducing the risk of falling victim to ransomware attacks and other cyber threats.
