In a world heavily reliant on digital technologies, cybersecurity threats have become increasingly prevalent. Recently, the Indian Computer Emergency Response Team (CERT-In) issued an advisory warning about a ransomware strain named ‘Akira.’ This malicious software poses a significant threat to both Windows and Linux-based systems, exploiting weak security controls to steal personal information and encrypt data for extortion.
CERT-In’s Warning
CERT-In, India’s national nodal agency for cybersecurity, raised an alarm about the active presence of the Akira ransomware in cyberspace. The advisory aimed to alert internet users to the potential dangers posed by this malicious software and encourage proactive security measures.
Targeting Windows and Linux-based Systems
Akira is not limited to a single operating system. It poses a threat to both Windows and Linux-based systems. Cybercriminals employ various techniques to infiltrate victim environments, with one of the primary entry points being VPN services with weak security measures, such as the absence of multi-factor authentication.
Double Extortion Scheme
Akira adopts a double extortion scheme to maximize its impact and financial gains. The ransomware first infiltrates the victim’s system to steal sensitive information. Following this, it encrypts the victim’s data, rendering it inaccessible. Finally, the hackers demand a ransom from the victim to restore access to their data.
Dark Web Publication
In a bid to further coerce victims into paying the ransom, cybercriminals behind Akira threaten to publish the stolen data on the dark web if the victim refuses to comply. This poses a severe risk of reputational harm and potential damage to individuals and organizations alike.
Utilization of Stealthy Tools
Akira’s stealthy nature is evident in its use of legitimate, commonly used tools like AnyDesk, WinRAR, and PCHunter during intrusions. Because such tools are not malware in themselves, they often go unnoticed in victim environments, allowing the ransomware operators to carry out their activity covertly.
Deletion of Windows Shadow Volume Copies
To make file recovery more challenging, Akira deliberately deletes Windows Shadow Volume Copies on the targeted device. These copies are point-in-time backups created by the Windows operating system, and they would otherwise allow recovery of encrypted files.
‘.akira’ File Extension
Once the ransomware encrypts files, it appends the ‘.akira’ extension to the encrypted files. This helps identify the affected files and indicates that they are inaccessible without the decryption key.
Termination of Windows Services
During the encryption phase, Akira terminates active Windows services using the Windows Restart Manager API. This prevents any interference that could potentially disrupt the encryption process.
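The two artefacts described above, shadow-copy deletion and the ‘.akira’ extension, are the ones an incident responder can check for most directly. The following Python script is an added example for this article, not code from CERT-In or from the advisory: it scans process command lines for the common ways shadow copies are deleted on Windows (generic heuristics; the advisory does not say which method Akira uses) and counts files carrying the ‘.akira’ extension per directory. The sample command lines and file paths are constructed for the demonstration.

```python
"""Triage helpers (added example, not from the CERT-In advisory): flag
command lines that delete Volume Shadow Copies and count files carrying
the '.akira' extension. All sample inputs below are constructed."""
import re
from collections import Counter

# Generic defender heuristics for the usual shadow-copy deletion methods
# (vssadmin, wmic, WMI/CIM from PowerShell). The advisory summarised in
# this article does not state which of these Akira uses; they are assumed.
SHADOW_COPY_DELETION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*Remove-WmiObject", re.I),
    re.compile(r"Get-CimInstance\s+Win32_ShadowCopy.*Remove-CimInstance", re.I),
]

# Extension appended by Akira to encrypted files (stated in the advisory).
RANSOM_EXTENSION = ".akira"


def flag_shadow_copy_deletion(cmdlines):
    """Return the command lines that match a shadow-copy deletion pattern."""
    return [c for c in cmdlines
            if any(p.search(c) for p in SHADOW_COPY_DELETION)]


def count_encrypted_files(paths):
    """Count files ending in '.akira', grouped by their parent directory."""
    hits = Counter()
    for p in paths:
        if p.lower().endswith(RANSOM_EXTENSION):
            directory = p.rsplit("\\", 1)[0] if "\\" in p else "."
            hits[directory] += 1
    return hits


# Constructed sample telemetry (not real logs from any incident).
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"powershell.exe -c Get-WmiObject Win32_ShadowCopy | Remove-WmiObject",
    r"C:\Program Files\7-Zip\7z.exe a backup.7z C:\Users\alice\Documents",
]
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx.akira",
    r"C:\Users\alice\Documents\notes.txt.akira",
    r"C:\Users\alice\Documents\readme.txt",
    r"D:\Shares\finance\q3.pdf.akira",
]


def triage(cmdlines=SAMPLE_CMDLINES, paths=SAMPLE_FILES):
    """Combine both checks into one summary for an analyst."""
    deletions = flag_shadow_copy_deletion(cmdlines)
    encrypted = count_encrypted_files(paths)
    return {
        "shadow_copy_deletion": deletions,
        "encrypted_by_dir": dict(encrypted),
        # Both signals together are a strong indicator of active ransomware.
        "suspect_ransomware": bool(deletions) and sum(encrypted.values()) > 0,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

On a real host the command lines would come from process-creation telemetry (for example Sysmon or EDR events) and the paths from a file-system walk; feeding them into `triage()` gives the same summary. Shadow-copy deletion on its own is occasionally legitimate (backup software housekeeping), which is why the combined flag requires the file-extension signal as well.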
Security Measures to Protect Against Akira Ransomware
- Offline Backups: Maintain regular offline backups of critical data. In the event of a ransomware attack, up-to-date offline backups allow the encrypted data to be restored without paying the ransom.
- Virtual Patching for Legacy Systems: For older systems that no longer receive regular software updates, virtual patching is an effective way to protect against attacks exploiting vulnerabilities in outdated software. Virtual patching applies protective rules at the network level (for example on a firewall or intrusion prevention system) without modifying the vulnerable system itself.
- Strong Password Policies: Enforcing strong password policies can significantly enhance security. Encourage the use of complex and unique passwords and educate users about the importance of not sharing passwords across multiple accounts.
- Multi-Factor Authentication: Enable multi-factor authentication (MFA) wherever possible. MFA adds an extra layer of security by requiring users to provide multiple forms of verification before gaining access to their accounts or systems.
