Akira Ransomware Aggressively Targets Healthcare, HC3 Warns

February 12, 2024 - The Health Sector Cybersecurity Coordination Center (HC3) issued an analyst note about Akira ransomware, a group that has been active since at least May 2023. In its short tenure, Akira has conducted 81 cyberattacks, including some against healthcare organizations and other critical infrastructure sectors.

The analyst note marks HC3’s second warning about Akira in recent months. In September, HC3 issued a sector alert about Akira’s tactics, noting that its members had been observed leveraging compromised credentials and taking advantage of weaknesses in virtual private networks (VPNs).

HC3’s latest warning once again stressed Akira’s aggressive targeting of US-based entities. The group has been observed targeting a variety of other industries, including materials, manufacturing, goods and services, education, finance, legal, and construction.

“Open source reporting and analysis consistently shows the health sector being one of the top industries targeted by Akira,” HC3 stated.

Akira is suspected to be tied to the now-defunct Conti ransomware gang, which was also known for ruthlessly targeting healthcare organizations.

“The technical details of this include similarities in their exploitation approach, the selection of certain types of files and directories for targeting, their choice of application for encryption algorithms, their use of ransom payment addresses, and the incorporation of comparable functions,” HC3 noted.

“While any formal relationship or connection between the two groups has not been confirmed, such a connection could indicate a degree of sophistication to Akira’s operations, and reinforce the idea that they are highly capable and should be considered a serious threat.”

However, HC3 stressed that this iteration of Akira should not be confused with another ransomware variant called Akira, which was briefly observed in 2017.

Akira operates as a ransomware-as-a-service (RaaS) operation and often conducts double extortion by stealing sensitive data, deploying ransomware, and charging two fees. The first fee promises to restore encrypted systems, and the second fee pledges to ensure no leaks of stolen data. 

HC3 noted that Akira is “heavily reliant” on credential compromise for initial access to their target networks. As mentioned in its September brief, Akira typically targets Windows and Linux infrastructure.

The analyst note identified several known tactics and techniques used by Akira and provided a step-by-step graphic that illustrates an Akira attack. Network defenders can use these resources to understand Akira’s methods and prevent attacks.

HC3 directed healthcare organizations to leverage CISA, FBI, and HHS resources to mitigate risk. In addition, healthcare organizations should implement network segmentation, review domain controllers for unrecognized user accounts, and implement multi-factor authentication where possible. Akira has been known to target VPNs that are not protected by MFA.

“The Akira ransomware gang, despite having only operated for a short period of time, has proved to be a significant threat to the U.S. public and private health sectors. While many of the recommend defense and mitigation actions apply universally to most ransomware gangs, there are Akira-specific details in this alert which should also be implemented,” HC3 concluded.

“Finally, while the technical details and actions contained in this alert are up-to-date, it is also worth noting that cybercriminals, especially major ransomware operators such as Akira, evolve over time. It will be important for any healthcare organization that wishes to stay secure in cyberspace to keep up with Akira’s latest tactics, techniques and procedures (TTPs).”