Akira ransomware attackers are wiping NAS and tape backups
“The Akira ransomware malware, which was first detected in Finland in June 2023, has been particularly active at the end of the year,” the Finnish National Cybersecurity Center (NCSC-FI) has shared on Wednesday.
NCSC-FI has received 12 reports of Akira ransomware hitting Finnish organizations in 2023, and three of the attacks happened during Christmas vacations.
“Of the ransomware malware cases reported to the Cybersecurity Center in December, six out of seven involved Akira family malware,” they added.
Attackers’ tactics
The attackers pinpointed and targeted organizations with vulnerable internet-facing Cisco ASA or FTD devices and found and wiped target organizations’ backups before deploying the ransomware.
They got in either by using leaked credentials or identifying them via a brute force attack by exploiting CVE-2023-20269, a vulnerability affecting Cisco firewalls that’s due to improper separation of authentication, authorization, and accounting between the remote access VPN feature and the HTTPS management and site-to-site VPN features.
Apparently, those accounts weren’t additionally secured with multi-factor authentication.
Once in, they scanned the network, deleted backups and encrypted physical and virtual servers.
“In all cases, careful efforts have been made to destroy the backups, and the attacker makes an effort to achieve this,” the agency noted.
“NAS (network-attached storage) servers that are often used for backups on the network have been hacked and wiped, as have automatic tape backup devices, and in almost every case we know of, all backups have been lost.”
Recommendations
The NCSC-FI emphasizes the importance of implementing MFA to protect login credentials and upgrading Cisco devices to the available fixed versions.
They also recommend creating offline backups and storing them at different physical locations.
“For the most important backups, it would be advisable to follow the 3-2-1 rule. That is, keep at least three backups in two different places and keep one of these copies completely off the network,” NCSC-FI information security expert Olli Hönö pointed out.