
All news with #akira tag

22 articles

Researchers Observe Sub-One-Hour Ransomware Attacks

Halcyon warns that the Akira ransomware group can complete a full attack lifecycle in under an hour, often exploiting vulnerabilities in internet-facing VPN and backup appliances where multi-factor authentication is absent. The group supplements exploits with credential theft, spearphishing, password spraying and initial access brokers, then exfiltrates data before encryption in a double-extortion model. Akira favors stealth and living-off-the-land tools (FileZilla, WinRAR, WinSCP, RClone) to stage and encrypt data; organizations should adopt layered defenses, harden third-party access, monitor for exfiltration and deploy dedicated anti-ransomware protections.

Ransomware Claims Target Bremen-Based Buhlmann Group

๐Ÿ” The Akira ransomware group claims it breached Bremen-based steel trader Buhlmann Group and exfiltrated roughly 55 gigabytes of sensitive data, according to a darknet post. Buhlmann has not issued an official corporate statement; a company spokeswoman told local outlet buten un binnen that a U.S. subsidiary's IT system was compromised. The company says its German and EU operations are not affected.

Hypervisors as Ransomware Targets: Risks and Controls

Hypervisors are increasingly attractive targets for ransomware because a single host compromise can expose dozens or hundreds of VMs. Huntress Labs reports hypervisor ransomware involvement jumped from 3% to 25% in the second half of 2025, with the Akira group a major driver. The article urges treating hypervisor security with the same rigor as endpoints: strict access controls, runtime hardening, timely patching, and immutable backups. It also recommends improved monitoring, SIEM integration, and annual recovery drills to ensure rapid restoration.

Ransomware Attack Disrupts Operations at Ideal Insurance

Ideal Group has reported a cyberattack that forced several systems offline as a precaution, leaving business operations running in a limited capacity. The group's affiliate Ahorn AG is affected, while subsidiary myLife Lebensversicherung reportedly remains unaffected. The ransomware group Akira is blamed; investigators and external specialists, together with law enforcement, are analysing the incident and currently report no indications of customer data misuse.

Ransomware Gangs Use Shanya Packer to Evade EDR Protections

๐Ÿ›ก๏ธ Shanya is a packer-as-a-service used by multiple ransomware gangs to conceal payloads that disable endpoint detection and response (EDR) tools. The service returns a custom, encrypted wrapper that decrypts and decompresses the payload entirely in memory and inserts it into a memory-mapped copy of shell32.dll, avoiding disk artifacts. Sophos telemetry links Shanya-packed samples to Medusa, Qilin, Crytox and Akira, and notes techniques that crash user-mode debuggers and facilitate DLL side-loading to deploy EDR killers.

November 2025 security roundup: leaks, ransomware, policing

๐Ÿ” In his November roundup, ESET Chief Security Evangelist Tony Anscombe highlights major cybersecurity developments that warrant attention. He draws attention to Wiz's finding that API keys, tokens and other sensitive credentials were exposed in repositories at several leading AI companies, and to a joint advisory revealing the Akira ransomware group's estimated $244 million takings. Tony also flags privacy concerns around X's new location feature, outlines how Australia intends to enforce a proposed underโ€‘16 social media ban, and notes a Europol/Eurojust operation that disrupted malware families including Rhadamanthys.

SonicWall Ransomware Incidents Highlight M&A Risk for CSOs

๐Ÿ›ก๏ธ A Reliaquest analysis of Juneโ€“October incidents links multiple Akira ransomware intrusions to compromised SonicWall SSL VPNs that were inherited through acquisitions. In nearly every case, acquiring organizations did not know the devices remained on their networks and attackers leveraged legacy administrative credentials. The report warns that routine financial due diligence misses such cyber risks, and urges early security-led inventory, segmentation, and credential rotation during M&A onboarding.

Hijacked VPN Credentials Drive Half of Ransomware Access

๐Ÿ” Beazley's Q3 2025 analysis shows ransomware activity rose, with three groups โ€” Akira, Qilin and INC Ransomware โ€” responsible for 65% of leak posts and an 11% increase in leaks versus the prior quarter. Initial access increasingly relied on valid VPN credentials (48% of incidents, up from 38%), with external service exploits accounting for 23%. The report highlights an Akira campaign abusing SonicWall SSLVPNs via credential stuffing where MFA and lockout controls were absent, and warns that stolen credentials and new infostealer variants like Rhadamanthys are fuelling the underground market. Beazley urges adoption of comprehensive MFA, conditional access and continuous vulnerability management to mitigate risk.

Fake CAPTCHA Leads to 42-Day Akira Ransomware Compromise

An employee clicking a fake CAPTCHA (a ClickFix social-engineering lure) on a compromised car dealership site began a 42-day intrusion by Howling Scorpius that delivered the .NET remote access Trojan SectopRAT and ultimately Akira ransomware. Two enterprise EDRs recorded activity but produced few alerts, enabling lateral movement, privilege escalation and the exfiltration of roughly 1 TB. Unit 42 deployed Cortex XSIAM, rebuilt hardened infrastructure, tightened IAM controls and negotiated about a 68% reduction in the ransom demand.

Akira Ransomware Expands to Nutanix AHV and Linux Servers

โš ๏ธCISA, the FBI and international partners warn that the Akira ransomware gang has extended its attack surface beyond Windows, VMware ESXi and Hyperโ€‘V to now target Nutanix AHV and Linux servers. The group exploits exposed VPNs, unpatched network appliances and backup platforms, rapidly exfiltrates data and employs a doubleโ€‘extortion model. Akira uses tunneling tools like Ngrok, remoteโ€‘access abuse (AnyDesk, LogMeIn), and cryptography (ChaCha20 with RSA) to encrypt and leak files. Organizations should prioritize MFA, timely patching, segmented networks and protection of backup and hypervisor consoles.

Akira ransomware linked to $244M in illicit proceeds

A joint US and international advisory on 14 November attributes approximately $244.17m in illicit proceeds to the Akira ransomware group since late September 2025. The advisory reports rapid data exfiltration in some incidents and details exploitation of SonicWall CVE-2024-40766, expansion to Nutanix AHV disk encryption, and attacks leveraging SSH and unpatched Veeam servers. Operators employ initial access brokers, tunnelling tools and remote access software such as AnyDesk to persist and evade detection. Organisations are urged to prioritise patching, enforce phishing-resistant MFA, and maintain offline backups.

CISA: Akira Ransomware Now Targets Nutanix AHV VMs

๐Ÿ›ก๏ธ U.S. cybersecurity agencies warn that the Akira ransomware operation has expanded to encrypt Nutanix AHV virtual machine disk files, with the first confirmed incident in June 2025. Akira Linux encryptors have been observed targeting .qcow2 virtual disk files directly rather than using AHV management commands. The advisory cites exploitation of SonicWall CVE-2024-40766 and includes new IOCs and mitigation recommendations.

CISA Updates Advisory: Akira Ransomware Evolution Update

๐Ÿ” CISA and partner agencies published an updated advisory on Nov. 13, 2025, detailing new indicators, tactics, and detection guidance related to Akira ransomware. The update documents expanded targeting across Manufacturing, Education, IT, Healthcare, Financial, and Food and Agriculture, and links activity to groups such as Storm-1567 and Punk Spider. Key findings include exploitation of edge and backup vulnerabilities, use of remote management tools for defense evasion, and a faster, more destructive Akira_v2 variant that complicates recovery.

CISA, FBI and Partners Issue Guidance on Akira Ransomware

๐Ÿ›ก๏ธ CISA, FBI, DC3, HHS and international partners released updated guidance to help organizations mitigate the evolving Akira ransomware threat. The advisory details new indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used by the group, which primarily targets small and medium-sized businesses but has also struck larger organizations across multiple sectors. It strongly urges immediate actions such as regular backups, enforcing multifactor authentication, and prioritizing remediation of known exploited vulnerabilities.

Apache OpenOffice Denies Akira Ransomware Breach Claims

The Apache Software Foundation says there is no evidence that Apache OpenOffice was breached after the Akira ransomware gang claimed on October 30 that it had stolen 23 GB of corporate documents. The Foundation notes it does not maintain payroll-style employee records or the types of financial and identity documents described, and it has not received a ransom demand. An internal investigation has so far found no compromise, and Akira has not published any of the alleged data.

European Ransomware Leak-Site Victims Spike in 2025

CrowdStrike's 2025 European Threat Landscape Report found a 13% year-on-year rise in ransomware victims across Europe, with the UK hardest hit. The study, covering leak sites from September 2024 to August 2025, identified 1,380 victims and noted that since January 2024 more than 2,100 organisations were named on extortion sites, with 92% involving file encryption and data theft. The report highlights Akira and LockBit as the most active groups and warns of persistent big-game hunting, growing vishing campaigns and an emerging Violence-as-a-Service threat landscape.

Surge in SonicWall SSL VPN Attacks by Akira Actors

Security experts warn of a sharp increase in activity from Akira ransomware operators targeting SonicWall SSL VPN appliances, with intrusions traced to late July. Arctic Wolf links initial access to exploitation of CVE-2024-40766 and describes rapid credential harvesting that can enable access even to patched devices. Observed traces include hosting-provider-origin VPN logins, internal scanning, Impacket SMB activity and Active Directory discovery; organizations are advised to monitor hosting-related ASNs, block VPS/anonymizer logins and watch for SMB session patterns consistent with Impacket to detect and disrupt attacks early.

Akira Bypasses MFA on SonicWall VPNs via Reused Logins

๐Ÿ”Akira ransomware operators are successfully authenticating to SonicWall SSL VPN accounts even when one-time password (OTP) multi-factor authentication is enabled. Arctic Wolf links the logins to credentials and OTP seeds harvested via an improper access control flaw tracked as CVE-2024-40766, and notes attackers can reuse those secrets after devices are patched. Once inside, actors rapidly scan internal networks, harvest backup server credentials, and use techniques such as BYOVD to sideload vulnerable drivers and disable protections. Administrators are urged to install the latest SonicOS (recommended 7.3.0) and reset all SSL VPN credentials immediately.

One Weak Password Topples 158-Year-Old Transport Firm

KNP Logistics Group, a 158-year-old UK transport firm, collapsed after the Akira ransomware group accessed an employee account by guessing a weak password. Attackers bypassed protections by targeting an internet-facing account without MFA, deployed ransomware across the estate, and destroyed backups, halting operations across 500 trucks and precipitating administration and 700 job losses. The incident underscores the urgent need for strong password policies, MFA, and isolated, tested backups.

Akira Ransomware Exploits Unpatched SonicWall VPNs

The Australian Cyber Security Centre has observed increased exploitation of SonicWall SSL VPNs by the Akira ransomware group, leveraging CVE-2024-40766. The vulnerability, patched over a year ago, affects SonicWall Gen 5 and Gen 6 appliances and Gen 7 devices running SonicOS 7.0.1-5035 and earlier. Organisations remain at risk if they did not both install firmware updates and immediately rotate administrative credentials after migration. Security vendors Rapid7 and Recorded Future report automated intrusions tied to this issue; operators are advised to patch, reset passwords, restrict VPN access and enable robust MFA.