India’s nodal cyber security agency, the Indian Computer Emergency Response Team (CERT-In), cautioned on Monday against a new ransomware named ‘Akira’, malicious software designed to infiltrate Windows and Linux-based systems.
This family of ransomware, first used in cybercrime attacks in March, compromises sensitive information by encrypting data on victims’ systems and conducts double extortion to force the victim into paying the ransom, the nodal agency said.
The ransomware group is known to access victim environments via virtual private network (VPN) services, especially where users have not enabled multi-factor authentication. In the encryption phase, the ransomware terminates active Windows services using the Windows Restart Manager API. This step prevents any interference with the encryption process.
The ransomware encrypts files found in various hard drive folders, excluding the ProgramData, Recycle Bin, Boot, System Volume Information, and Windows folders. This group has also utilised tools such as AnyDesk, WinRAR, and PCHunter during intrusions.
Amit Jaju, Senior Managing Director, Ankura Consulting Group (India), an advisory firm, said that Akira uses a double extortion tactic, which is becoming increasingly common among cybercriminals.
“Not only is the data encrypted, making it inaccessible to the victims, but it's also threatened to be released publicly on the dark web if the ransom isn't paid, leading to further damage, including reputational harm and potential regulatory penalties for data breaches,” he added.
To be sure, another ransomware by the same name emerged in 2017. The old Akira Ransomware, which was found to have no connection with the recent one, is an encryption ransomware Trojan, used to trick inexperienced computer users. These Trojans are used to carry out a tactic that consists of encrypting the victim's files, making them unusable.
Ransomware attacks now make up a chunk of all recorded security incidents. According to the annual Verizon Data Breach Investigations Report, released in June 2023 by technology firm Verizon, the cost per ransomware incident doubled over the past two years.
“We have noticed the doubling of the cost of ransomware incidents in the last two years. The median loss more than doubled from last year to $26,000, with 95% of incidents costing between $1 and $2.25 million. We see this in India, where similar attacks have increased across all industries, with the human element being a major factor,” Anshuman Sharma, Associate Director CSIRT & Investigative Response, APJ, Verizon Business, told Tech Circle on 6 June.
Further, cybersecurity firm Sophos’ annual “State of Ransomware” report, released in May, observed that three-fourths (73%) of Indian organisations were hit by ransomware last year, up from 57% in 2021. In comparison, 66% of global companies said that their organisation had experienced a ransomware attack in the last twelve months. The report found that exploited vulnerabilities (35%) and compromised credentials (33%) were the most common causes of attacks.
According to the Sophos report, Indian organisations incurred an average bill of $1.03 million after a ransomware attack. Around 85% of organisations in the private sector reported loss of business or revenue after a ransomware attack.
To safeguard against Akira and other ransomware incidents, CERT-In strongly advised users to adopt fundamental online hygiene and protection protocols. Experts also emphasised the importance of implementing a robust password policy, as employing strong and unique passwords for all online accounts makes it harder for cybercriminals to gain unauthorised access.