Akira Ransomware Group Is on the Rise: Hackers Target the Airline Industry in LATAM
Cybersecurity researchers have recently observed a new cyber attack on a Latin American airline leveraging Akira ransomware. The attackers took advantage of the SSH protocol for initial access and carried out reconnaissance and maintained persistence by utilizing legitimate tools and Living Off the Land Binaries and Scripts (LOLBAS). Notably, before deploying ransomware, the hackers successfully exfiltrated critical data.
Detecting Akira Ransomware Attacks
The cybersecurity community is facing a major challenge caused by the escalating threat of high-profile ransomware groups. According to the 2024 Q1 Ransomware Report by Corvus Insurance, global ransomware attacks set an unprecedented record, surpassing 2022 by almost 70%.
The Akira ransomware group has been among the most active collectives for the last year, sharing the top spot with LockBit, BlackCat, Clop, and other infamous actors. The latest news reports highlight that Akira stands behind the attack against the major LATAM airline, as well as the disruption at Split airport in Croatia and campaigns against several major businesses within the US.
To help cyber defenders stay on top of the intrusions linked to the Akira ransomware, SOC Prime Platform for collective cyber defense offers a set of curated content addressing TTPs applied during the LATAM airline attack.
All the rules are compatible with 30+ SIEM, EDR, and Data Lake technologies and mapped to the MITRE ATT&CK® framework. Additionally, detections are enriched with extensive metadata, including CTI references, attack timelines, and triage recommendations, to smooth out threat investigation.
Cyber defenders looking for more detection content addressing Akira’s attack patterns might search the Threat Detection Marketplace using a custom “Akira” tag or simply follow this link to access a broad collection of relevant Sigma rules linked to the group’s malicious activity.
Akira Ransomware Campaign Description
According to the inquiry by the BlackBerry Research and Intelligence Team, Akira ransomware maintainers leveraged a sophisticated approach to gain access to the LATAM airline infrastructure, exfiltrate sensitive data, and drop the Akira payload on the infected network.
Adversaries gained initial network access using the SSH protocol and successfully exfiltrated critical data before deploying the Akira ransomware sample the next day. During the infection chain, attackers abused several legitimate tools, including LOLBAS, which allowed them to conduct reconnaissance and maintain persistence in the compromised environment.
After successfully exfiltrating data, attackers deployed ransomware to encrypt and disable the victim’s systems. In addition to primarily targeting Windows systems, Akira ransomware affiliates also rely on Linux variants, including the one for VMware ESXi virtual machines. In the latest attack, Akira ransomware maintainers might be associated with Linux-based users, as suggested by indicators like DNS queries to a domain linked to Remmina, an open-source remote desktop client.
In this offensive campaign targeting a Latin American airline, attackers exploited an unpatched Veeam backup server by weaponizing the CVE-2023-27532 vulnerability. In previous attacks, Akira operators infiltrated systems by abusing other vulnerabilities and zero-day flaws, including CVE-2020-3259 and CVE-2023-20269.
Akira has been active since early spring 2023, operating as RaaS and leveraged by the notorious hacking group Storm-1567 (also known as Punk Spider and GOLD SAHARA). The group is behind the development and maintenance of the Akira ransomware along with the dedicated leak sites.
Akira ransomware maintainers often leverage double-extortion tactics, exfiltrating sensitive data before deploying ransomware, with the latest attack following the same behavioral pattern. This strategy pressures victims to pay quickly, as they risk public exposure of their stolen data.
Key TTPs associated with Akira ransomware include abusing legitimate software like open-source penetration testing tools and exploiting vulnerabilities in outdated or unpatched systems, including VPN software. The Akira group has attacked various industry sectors, targeting businesses and critical infrastructure worldwide. In April 2024, the FBI and CISA, in conjunction with the leading cybersecurity authorities, issued a joint CSA to distribute known IOCs and TTPs linked to the growing attacks by Akira ransomware maintainers, along with recommendations and mitigations to minimize the risks of intrusions.
The ongoing escalation of ransomware threats consistently challenges cybersecurity defenders with new attack techniques and malicious tactics, increasing the need for advanced threat detection and hunting tools to proactively counter potential intrusions. The attack on a Latin American airline linked to the financially motivated Akira ransomware maintainers underscores the adversary's readiness to target organizations in various regions, especially those with unpatched vulnerabilities. This encourages global organizations to look for innovative ways to strengthen their cybersecurity posture backed by collective industry expertise. SOC Prime’s complete product suite for AI-powered Detection Engineering, Automated Threat Hunting, and Detection Stack Validation equips security teams with a feasible solution that enables collective cyber defense against cyber attacks of any scale and sophistication.