Quick Takeaways
- Darktrace reports a surge in Akira ransomware attacks since July 2023, primarily exploiting the CVE-2024-40766 vulnerability in SonicWall VPN devices, affecting sectors like manufacturing, education, and healthcare globally.
- The attacks leverage known vulnerabilities, remote access services, and legitimate tools like RDP, WinRM, and administrative utilities to perform reconnaissance, lateral movement, and data exfiltration, often using double extortion tactics.
- A recent U.S. network incident demonstrated swift detection and containment by Darktrace’s MDR service, limiting data exfiltration to approximately 2 GiB and preventing further malicious activity.
- The campaign underscores the critical need for timely patching, vigilant security practices, and awareness of legitimate administrator tools being exploited for ransomware operations amid a rising diversity of threat actors.
Problem Explained
Recent research from Darktrace reveals that beginning in July 2023, the Akira ransomware group intensified its global assaults, primarily targeting SonicWall SSL VPN devices. These attacks, linked to a known vulnerability (CVE-2024-40766) that SonicWall had previously disclosed, involved attackers exploiting the flaw to gain remote access. Once inside, they conducted reconnaissance, moved laterally across networks, escalated privileges, and exfiltrated data, culminating in the theft of approximately 2 GiB of information from a U.S. client's network. Darktrace's Security Operations Centre responded quickly to these signs of intrusion, blocking the malicious activity and preventing further damage, which illustrates the value of vigilant, real-time defenses. The campaign shows how ransomware operators like Akira adapt by leveraging legitimate administrative tools such as WinRM and Remote Desktop Protocol to blend in with normal administration and evade detection, raising concerns about widespread exposure, especially in critical sectors like manufacturing and healthcare across multiple regions including North America and Asia-Pacific.
The surge in Akira’s activity is part of a broader trend documented by GuidePoint Research, which found a 57% increase in active ransomware groups over the past year. These groups are diversifying their targets and methods, employing sophisticated tactics such as double extortion—where they threaten to release exfiltrated data unless paid—and exploiting known vulnerabilities or stolen credentials to infiltrate systems. Notably, newer, less established groups like SafePay are thriving by staying under the radar, complicating efforts for defenders who must stay perpetually vigilant. The rising frequency and complexity of these attacks highlight the urgent need for continuous security updates and vigilant network monitoring to mitigate the expanding threat landscape.
What’s at Stake?
Recent research highlights a significant escalation in cyber risks associated with the Akira ransomware campaign, which, since March 2023, has evolved into one of the most active and disruptive threats worldwide. Targeting primarily SonicWall SSL VPN devices and VMware ESXi hypervisors, Akira exploits known vulnerabilities, especially CVE-2024-40766, via remote access services like RDP and VPN, often leveraging stolen credentials and legitimate administrative tools such as WinRM to conceal malicious activity. Once inside, the operators perform reconnaissance, lateral movement, privilege escalation, and data exfiltration over protocols like FTP and SFTP or to cloud services, frequently employing double extortion tactics by encrypting files and threatening to release the stolen data. Its broad targeting across sectors, including manufacturing, healthcare, and education, coupled with its use of credential-harvesting techniques and remote management tools, underlines the critical importance of timely patching, strong security configurations, and vigilant monitoring. The campaign's ability to blend into normal network operations increases the challenge for defenders, emphasizing that even well-maintained environments remain exposed without continuous, proactive security measures, a reality compounded by a 57% rise in active ransomware groups, which collectively threaten global infrastructure and commerce.
Possible Action Plan
Urgent Action Needed
Addressing the renewed exploitation of this older SonicWall vulnerability is crucial to prevent widespread compromise, especially with campaigns like Akira leveraging such weaknesses to gain initial access. Prompt remediation helps safeguard sensitive data, maintain operational integrity, and prevent costly breaches.
Mitigation Steps
- Patch Implementation: Promptly apply the latest security patches from SonicWall to close known vulnerabilities.
- Vulnerability Scanning: Conduct thorough scans to identify affected devices and assess potential exposure.
- Network Segmentation: Isolate vulnerable devices within separate network segments to limit malware spread.
- Access Controls: Restrict administrative privileges and implement multi-factor authentication for network access.
- Monitoring: Increase real-time monitoring for unusual activities, particularly targeting known exploit techniques.
- Backup Verification: Ensure regular, secure backups of critical data are in place and test restoration procedures.
- User Awareness: Educate staff about phishing and social engineering tactics commonly associated with ransomware campaigns.
- Incident Response Plan: Review and update incident response strategies to ensure rapid action when threats are detected.
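The Monitoring step above is the one most easily left abstract. The following is an added example, not code from Darktrace or from the original page, of the two behaviours the campaign description centres on: RDP or WinRM sessions originating from the VPN client address pool (lateral movement after initial access through the VPN device), and large outbound transfers to external hosts over FTP or SFTP (exfiltration). The flow-record format, the VPN pool and internal ranges, the external address, and the 500 MiB threshold are all constructed assumptions for the example; a real deployment would read the equivalent fields from the firewall or NetFlow source and tune the threshold to the site's normal traffic.

```python
"""Constructed detection example: flag RDP/WinRM sessions from a VPN client
pool and large outbound FTP/SFTP transfers in simple key=value flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed (hypothetical) VPN client address pool and internal address ranges.
VPN_POOL = ip_network("10.20.0.0/24")
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Remote-administration ports abused for lateral movement in the campaign.
LATERAL_PORTS = {3389: "RDP", 5985: "WinRM", 5986: "WinRM/HTTPS"}
# Transfer protocols named for exfiltration.
EXFIL_PORTS = {21: "FTP", 22: "SFTP"}
# Assumed per-destination threshold; tune to the environment.
EXFIL_THRESHOLD_BYTES = 500 * 1024 * 1024  # 500 MiB

# Constructed sample flow records, not from a real network.
# 203.0.113.77 is a documentation (TEST-NET-3) address standing in for an
# external host.
SAMPLE_LOGS = """\
2024-09-10T10:01:02Z src=10.20.0.15 dst=10.1.5.40 dport=3389 bytes_out=15000
2024-09-10T10:02:11Z src=10.20.0.15 dst=10.1.5.41 dport=5985 bytes_out=8200
2024-09-10T10:03:40Z src=10.1.5.41 dst=10.1.5.42 dport=445 bytes_out=3000
2024-09-10T10:05:00Z src=10.1.5.41 dst=203.0.113.77 dport=22 bytes_out=400000000
2024-09-10T10:09:30Z src=10.1.5.41 dst=203.0.113.77 dport=22 bytes_out=350000000
2024-09-10T10:10:00Z src=10.1.5.9 dst=10.1.5.10 dport=3389 bytes_out=2000
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into typed fields."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        key, value = pair.split("=", 1)
        rec[key] = value
    rec["src"] = ip_address(rec["src"])
    rec["dst"] = ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def analyze(log_text):
    """Return lateral-movement hits and per-destination exfil totals over
    the threshold. Exfil volume is summed across records so that a transfer
    split into several sessions is still caught."""
    lateral = []
    exfil_totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # VPN-pool client opening RDP/WinRM to an internal host.
        if (rec["src"] in VPN_POOL and rec["dport"] in LATERAL_PORTS
                and is_internal(rec["dst"])):
            lateral.append((rec["ts"], str(rec["src"]), str(rec["dst"]),
                            LATERAL_PORTS[rec["dport"]]))
        # Internal host pushing data to an external FTP/SFTP endpoint.
        if rec["dport"] in EXFIL_PORTS and not is_internal(rec["dst"]):
            key = (str(rec["src"]), str(rec["dst"]), EXFIL_PORTS[rec["dport"]])
            exfil_totals[key] += rec["bytes_out"]
    large_exfil = [(key, total) for key, total in exfil_totals.items()
                   if total >= EXFIL_THRESHOLD_BYTES]
    return {"lateral_movement": lateral, "large_exfil": large_exfil}


if __name__ == "__main__":
    for category, hits in analyze(SAMPLE_LOGS).items():
        print(category)
        for hit in hits:
            print("  ", hit)
```

On the sample records the VPN client 10.20.0.15 is flagged twice (RDP, then WinRM), the ordinary internal RDP session from 10.1.5.9 is not, and the two SFTP sessions to 203.0.113.77 are summed to 750,000,000 bytes and reported as one finding, which is the pattern to watch for: the individual sessions each sit under the threshold.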