Akira Ransomware Makes a Play for VPNs Without Multi-Factor Authentication

Detecting Akira Ransomware

While the best course of action to prevent the current wave of Akira activity is to patch for the known VPN vulnerabilities, parsing out the timeline of events once the threat actor accesses the network identifies places where organization may be able to detect on and deters this activity before it leads to network encryption. A multi-layered defense in depth strategy is key to helping organizations maintain cyber resilience.

Initial access attempts leveraging external remote services may be detected earlier by maximizing log visibility for edge devices:

• Utilize network logs from technologies like RDP to enhance detection capabilities.
• Gather logs from edge networking technologies, firewalls, IDS/IPS, RDP, SSH and VPN.
• Implement centralized log management for streamlined analysis.
• Establish correlation rules to identify patterns indicative of suspicious activities.
• Monitor for multiple failed log-in attempts and brute-force attacks on edge devices.
• Regularly review and update logging configurations for relevance

For attackers that are not identified at access, Kroll typically sees the first stage of the intrusion focus on internal scouting. In this phase, they conduct reconnaissance within the network to identify and enumerate systems to help launch their attack. In the recently observed Akira campaign, threat actors leveraged legitimate tools such as AnyDesk and Netscan to help with network discovery. In this scenario, application whitelisting could help with detection:

• Alert on internal network discovery, especially for suspicious activities like dropping the Netscan binary.
• Be cautious of false positives, especially in areas with higher alerts, such as RDP and domain admin usage.
• Implement application whitelisting to control the execution of legitimate applications.
• Tighten controls on legitimate applications like AnyDesk, WinSCP and WinRar to prevent misuse.
• Use whitelisting to restrict the introduction of unauthorized binaries onto endpoints.

Once actors have gained a foothold into systems and conducted internal scouting, a next step is likely to be lateral movement. Kroll observes many ransomware actors leveraging RDP for such movement within the network, typically with a goal of escalating privileges into an account with domain administrator level privileges. Kroll recommends the following to detect such activity inside the network: 

• Monitor and alert on RDP usage, considering it as a potential source of network logs for detection.
• Flag the use of domain admin privileges, treating it as a critical security incident.
• Implement the principle of least privilege and break glass accounts to restrict and monitor high-level access.
• Consider disabling RDP or significantly limiting its use, especially if not essential for day-to-day activities.
• Scrutinize network traffic, especially the use of RDP, SSH and DNS, for potential threats.

The hands-on-keyboard objectives of threat actors like the Akira ransomware gang are focused on data theft and data encryption, which can be leveraged against the victim for financial extortion. Kroll has previously provided guidance on detecting exfiltration and recommends that organizations utilize endpoint monitoring tools such as EDR and next-gen antivirus for effective detection and deterrence.

Defending Against Akira: Key Steps

The similarities between ransomware variants provide opportunities for defenders to protect themselves against a number of different attackers by setting up overarching rules capable of detecting and defeating this type of activity. To defend against ransomware such as Akira, Kroll’s Cyber Threat Intelligence (CTI) team advise organizations to take the following next steps:

• Enforce MFA for VPN access - Phishing-resistant MFA such as FIDO is essential to prevent phishing attacks. FIDO security keys or authenticators are the only devices that are effective at preventing phishing attacks.
• Prioritize patching for vulnerabilities impacting VPN appliances.
• Enable risk profiling or conditional access policies for remote access. This can deny access to a user attempting to log in under suspicious circumstances, and it can also be configured to only allow limited access if the user's authentication context has elevated risk criteria.
• Enable role-based access control to enforce the principle of least privilege; only users requiring remote access to a resource should have it. Regularly audit access control policies to ensure only required access is provisioned.
• Ensure user accounts are not vulnerable to credential stuffing and password spraying by enforcing a banned password policy. The policy should ban passwords that are known to be weak or that contain company or organizational words or passwords that have been discovered in previous breaches.
• Undertake regular attack simulations to detect weaknesses in edge appliances and validate security controls and detection capabilities.