Healthcare Sector Warned About Akira Ransomware Attacks
The Healthcare and Public Health (HPH) Sector has been warned about cyberattacks involving Akira ransomware, of which there have been at least 81 since the new ransomware variant was discovered in May 2023. This is the second alert to be issued by the HHS’ Health Sector Cybersecurity Coordination Center in the past 6 months, with the latest alert including updated information on the tactics, techniques, and procedures (TTPs) used by the group.
Since the group operates out of Russia, attacks on targets in the Commonwealth of Independent States (CIS) are prohibited. The majority of Akira ransomware victims are located in the United States, concentrated in California, Texas, Illinois, and states on the East Coast, especially the Northeast. The group has conducted attacks on targets in multiple sectors, with materials, manufacturing, goods and services, construction, education, finance, legal, and healthcare favored.
Akira is a ransomware-as-a-service (RaaS) operation that is thought to have ties to the Conti ransomware group. Conti was a prolific ransomware group that wreaked havoc over a two-year period from 2020 but was suddenly shut down in 2022. The TTPs used by Akira are similar in many areas to Conti's, which suggests that the groups are linked and that Akira is a highly capable and sophisticated threat group. In 2017, another ransomware variant was identified that was also called Akira, but the latest attacks do not appear to be related.
Initial access is most commonly gained via compromised credentials, including credentials obtained through spear phishing, although the group is also known to exploit vulnerabilities in virtual private networks and other public-facing applications, especially those that do not have multifactor authentication enabled. Once initial access has been gained, the group establishes persistent access, uses tools to hide the malicious activity, conducts network reconnaissance to understand the operational environment, then moves laterally and establishes communications with their command-and-control center. Like many other RaaS groups, Akira engages in double extortion with sensitive data stolen before ransomware is deployed. Victims must pay two fees – one to decrypt their data and another to prevent the publication of the stolen data.
The alert includes several recommendations for improving security to prevent attacks and for reducing the severity of attacks that cannot be prevented. Preventative measures include using multi-factor authentication wherever possible; ensuring software is kept patched and up to date, especially for VPNs and other Internet-facing applications; disabling unused remote access ports; monitoring remote access logs; reviewing domain controllers, Active Directory, servers, and workstations for new accounts; reviewing Task Scheduler for unrecognized scheduled tasks; setting unique, complex passwords for accounts; and regularly changing passwords for network systems and accounts. Administrative credentials should be required for installing software, and organizations should consider adding banners to emails that originate from external sources and disabling hyperlinks in emails. To minimize the harm caused, networks should be segmented and backups regularly performed, with backups stored offline. Copies of critical data should not be accessible for modification or deletion from the system where the data resides.
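Two of the review items above, new accounts and unrecognized scheduled tasks, can be checked on a Windows host with a short audit script. The following is an added example written for this page, not code from the HC3 alert or HIPAA Journal; it assumes an elevated PowerShell session, that the "Audit User Account Management" and "Audit Other Object Access Events" subcategories are enabled, and a hypothetical baseline file listing known-good task names.

```powershell
# Added example (not from the HC3 alert): audit one Windows host for newly
# created accounts and newly created or unrecognized scheduled tasks.
# Assumes an elevated session and the audit subcategories named in the lead-in.
param(
    [int]$LookbackDays = 7,
    [string]$TaskBaselinePath = "C:\Baselines\scheduled-tasks.txt"  # hypothetical path
)

# Read a named EventData field by parsing the event's XML; this avoids
# depending on positional Properties[] indexes that differ between event IDs.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Accounts created in the window (Security event ID 4720, "A user account was created").
$newAccounts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Created   = $_.TimeCreated
            Account   = Get-EventField $_ 'TargetUserName'
            CreatedBy = Get-EventField $_ 'SubjectUserName'
        }
    }

# 2. Scheduled tasks created in the window (Security event ID 4698, "A scheduled task was created").
$newTasks = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Created   = $_.TimeCreated
            Task      = Get-EventField $_ 'TaskName'
            CreatedBy = Get-EventField $_ 'SubjectUserName'
        }
    }

# 3. Tasks present now that are not in the known-good baseline; this catches tasks
#    created before auditing was enabled or outside the lookback window.
$current = Get-ScheduledTask | ForEach-Object { "$($_.TaskPath)$($_.TaskName)" }
if (Test-Path $TaskBaselinePath) {
    $baseline = Get-Content $TaskBaselinePath
    $unknownTasks = $current | Where-Object { $_ -notin $baseline }
} else {
    $unknownTasks = @()
    Write-Warning "No baseline at $TaskBaselinePath; save `$current from a known-good host to create one."
}

"== Accounts created since $since ==";        $newAccounts | Format-Table -AutoSize
"== Scheduled tasks created since $since =="; $newTasks    | Format-Table -AutoSize
"== Scheduled tasks not in baseline ==";       $unknownTasks
```

Run it on domain controllers as well as servers and workstations, since 4720 events for domain accounts are logged on the domain controller that processed the creation.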