Akira Ransomware: Lightning-Fast Data Exfiltration in 2-ish Hours

Akira ransomware actors are now capable of squirreling away data from victims in just over two hours, marking a significant shift in the average time it takes for a cybercriminal to move from initial access to information exfiltration.

That's the word from the BlackBerry Threat Research and Intelligence Team, which today released a breakdown of a June Akira ransomware attack on a Latin American airline. According to BlackBerry's anatomy of the attack, the threat actor, using Secure Shell (SSH) protocol, gained initial access via an unpatched Veeam backup server, and immediately set about heisting information before deploying the Akira ransomware the next day.

The likely culprit is Storm-1567 (aka Punk Spider and Gold Sahara), a prolific user of the Akira ransomware-as-a-service (RaaS) platform and the group that maintains the Akira leak site, according to the report. The gang is known for using double-extortion tactics, and has attacked more than 250 organizations across numerous industry verticals globally since emerging from the shadows in March 2023. It mainly sets its sites on Windows systems, but has developed Linux/VMware ESXi variants as well, and has consistently shown a high level of technical prowess.

The Speedy Unfolding of a Ransomware Attack

In the LatAm airline attack, once Storm-1567 gained access to the Veeam backup server (likely via CVE-2023-27532), it almost immediately began the process of siphoning off data, because its initial entry point was a juicy plum filled with potentially sensitive data; the group didn't have to move laterally to find what they were looking for.

"Veeam servers are overwhelmingly popular targets due to their tendency to store credentials [and other data]," says Ismael Valenzuela, vice president of threat research and intelligence at BlackBerry. "Past incidents, such as those involving FIN7, underscore their attractiveness to cybercriminals. According to Veeam itself, 93% of cyberattacks target backup storage, highlighting their vulnerability."

During this particular attack, the gang accessed backup data within the Veeam backup folder, including documents, images, and spreadsheets, in a bet that the trove would contain confidential and valuable information that could be held for ransom, according to BlackBerry.

During the theft, Storm-1567 abused a number of legitimate tools and utilities, "living off the land" to covertly carry out reconnaissance, establish persistence, and carry the data out of the environment.

"Once inside the network, the threat actor created a user named 'backup' and added themselves to the Administrator group to gain a foothold in the environment," according to the report. "Next, the attacker installed the legitimate network management tool Advanced IP Scanner before scanning the local subnets discovered via 'route print.' Finally, the data was exfiltrated via WinSCP, a free file manager for Windows."

The whole operation took just 133 minutes, after which the attackers downed tools for the day (interestingly, right at 4:55 pm GMT/UTC, suggesting the group might be based in Western Europe, BlackBerry noted). But they returned the next day (at the reasonable start time of 8:40 pm GMT/UTC) to move deeper into the network and deploy the actual ransomware.

"The attacker conducted user checks on a handful of machines before logging into the primary Veeam backup server," according to the report. "Netscan was downloaded … using Google Chrome, and WinRAR was used to decompress it. Active Directory connected machines were identified and added to a file called 'AdComputers.csv.'"

Meanwhile, Storm-1567 disabled antivirus (AV) protection on the virtual machine (VM) host, used the legitimate remote desktop software AnyDesk to connect to other systems on the network, exploited various unpatched bugs throughout the environment, destroyed any backup copies they found that would make recovery easier, pilfered additional bits of data (like a RAR file from the main Web server), and finally downloaded the Akira ransomware to the Veeam machine.

"Now that persistence was fully in place, the threat actors attempted to deploy ransomware network-wide using the Veeam backup server as the control point," according to BlackBerry. "We saw the file 'w.exe' — Akira ransomware — being deployed across various hosts from the compromised Veeam server."

Time-to-Exfiltration Keeps Shrinking

The ransomware deployment notably didn't take very long (less than eight hours once the attackers started their day), but the ultra-speedy data-exfiltration effort should be even more of a wake-up call to organizations, as it highlights what has been an ongoing shrinking of the time-to-exfiltration event horizon.

According to Palo Alto Networks' 2024 Unit 42 Incident Response report, the median time it takes to go from compromise to data exfiltration was nine days in 2021; that plummeted to two days last year; and in almost half (45%) of cases this year, it was just under 24 hours.

That trend line is of course worrying; for cyber defenders, responding to a compromise and thwarting data theft in less than 24 hours is challenging at the best of times — to do it in two hours and change might be impossible. And eventually, organizations may soon not have the luxury of time at all; the vaults will be emptied before any alarms even go off.

The best and perhaps only strategy then, according to Valanzuela, is to shore up defenses.

"Implementing a robust security architecture, incorporating a zero-trust framework beginning with understanding potential adversaries, is crucial," he says. "Fundamental practices such as meticulous perimeter patching are essential, recognizing its vulnerability as a primary target for attackers."

Failure to do was likely a key contributor to the rapid data exfiltration the airline suffered: "Notably, this incident highlights that the attack vector does not necessarily involve a zero-day exploit," Valanzuela added.

Other basic hygiene steps will also become increasingly important in light of how quickly data thieves are starting to move. For instance, "the service data [of the airline] was exfiltrated through an ephemeral port, indicating that implementing basic port access restrictions could have increased the difficulty of such exfiltration attempts," Valanzuela pointed out.