Federal cyber authorities shared new details Thursday about the Akira ransomware group’s techniques, the tools it uses and the vulnerabilities it exploits for initial access, alongside the release of a joint cybersecurity advisory.

Members of the financially motivated group, which first appeared in March 2023, are associated with other threat groups, including Storm-1567, Howling Scorpius, Punk Spider and Gold Sahara, and may have connections with the disbanded Conti ransomware group, officials said. Akira uses a double-extortion model, encrypting systems after stealing data to amplify pressure on victims.

Akira ransomware has claimed more than $244 million in ransomware proceeds as of late September, the FBI and the Cybersecurity and Infrastructure Security Agency said in the joint advisory. The group primarily targets small- and medium-sized businesses, with many victims in the manufacturing, education, IT, health care, financial and agriculture sectors.

“For the FBI, it is within the top five variants that we investigate,” Brett Leatherman, assistant director at the FBI Cyber Division, said during a media briefing Thursday. “It’s consequential. This group is very consequential that they fall likely within our top five.”

Ransomware is the FBI’s top cybercriminal threat, which is “enormous in terms of the amount of losses, the number of active variants and its disruptive effect,” he said. “The FBI is investigating over 130 ransomware variants targeting U.S. businesses in just about any critical infrastructure sector you can think of.”

The advisory, which was also supported by Europol and cyber authorities in France, Germany and the Netherlands, included six new vulnerabilities Akira is known to exploit, including defects affecting Cisco firewalls and virtual private networks, Windows, VMware ESXi, Veeam Backup and Replication, and SonicWall firewalls.

“We know that they are actively looking at the vulnerabilities disclosed in [the joint advisory] in order to monetize their activity,” Leatherman said. Researchers previously warned that Akira hit about 40 victims by exploiting CVE-2024-40766, a year-old vulnerability, between mid-July and early August. That burst was followed by another wave of ransomware attacks linked to active exploitation of the defect.

The joint advisory, which updates previous guidance on hunting for and defending against Akira, was not in response to any specific attack, said Nick Andersen, executive assistant director for cybersecurity at CISA. “It’s more a reflection of the reality that our nation’s ransomware adversaries are continuously evolving their tactics and therefore it’s critical that we improve our defenses as well,” he said.

Akira operates quickly, exfiltrating data in just over two hours from initial access in some incidents, according to the advisory. The FBI and researchers have observed Akira break into systems using stolen credentials, vulnerabilities, brute-force and password-spraying attacks. Authorities said Akira has abused remote access tools such as AnyDesk and LogMeIn to maintain persistence, created new accounts to establish footholds, and leveraged tools to escalate privileges.

Some of the indicators of compromise were observed as recently as this month, Leatherman said. “Actors are incredibly adaptable and are emphasizing operational security in their actions. Their attacks are increasingly becoming more sophisticated, complex and layered,” he added. “They can be extremely costly for victims, often with remediation costs far outpacing those of the original demand.”

The post FBI calls Akira ‘top five’ ransomware variant out of 130 targeting US businesses appeared first on CyberScoop.