Conti Hackers Work in Akira Ransomware Group

As mentioned above, Akira mainly attacks small and medium-sized businesses, and companies around the world become victims of the ransomware, although hackers focus on targets in the United States and Canada. The gang typically infiltrates target Windows and Linux systems through VPN services, especially if users have not enabled multi-factor authentication. To gain access to victims’ devices, attackers use compromised credentials, which they most likely buy on the dark web.

Once the system is infected, Akira seeks to delete backups that can be used to restore data, and then the ransomware encrypts files with specific extensions, adding the “.akira” extension to each of them. The ransom note that the attackers leave in the system is written in English, but contains many errors. In this message, the group claims that they do not want to cause serious financial damage to the victim, and the amount of the ransom will be determined based on the income and savings of the affected company. Usually Akira demands a ransom of between $200,000 and $4,000,000.

Experts point out that Akira uses “double extortion” tactics, not only encrypting victims’ data, but also stealing information from compromised systems before encryption. After that, the attackers threaten to publish or sell this data to other criminals if they do not receive a ransom.

The Akira ransomware is in many ways similar to the Conti ransomware that was shut down a year ago, the researchers said. The malware ignores the same types of files and directories, and uses a similar encryption algorithm. But it should be borne in mind that at the beginning of 2022, the Conti sources were made publicly available, and now the attribution of attacks has become more difficult.

Back in June, Avast researchers released similar data about Akira’s likely connection to Conti, saying that the creators of the new ransomware were at least “inspired by the leaked Conti source codes.”

There were other news upon Conti members’ activities past the group dissolution. Conti operators participated in attacks on Ukrainian companies. It’s worth noting that earlier this month, Avast released a free decryption tool for files affected by Akira attacks. So far, the tool only works on Windows, and after its release, the malware operators changed the encryption procedure to prevent free file recovery.

Arctic Wolf researchers, in turn, focused on blockchain analysis and found three suspicious transactions in which Akira users transferred more than $600,000 to Conti-related addresses. According to experts, two discovered wallets have previously been linked to the management of Conti, and one of them received payments from several families of extortionists.

The post Conti Members Are Back in Action as Part of Akira Ransomware appeared first on Gridinsoft Blog.

Let me remind you that we also wrote that Ransomware publishes data stolen from Cisco.

Lorenz has been active since at least 2021 and is engaged in the usual double extortion: not only encrypting the files on the machines of its victims, but also stealing the data of the affected companies, and then threatening to release them if they do not receive a ransom.

Last year, the group was credited with an attack on the EDI provider Commport Communications, and this year, researchers have recorded Lorenz activity in the US, China and Mexico, where hackers attacked small and medium-sized businesses.

As Arctic Wolf analysts now report, the hack group is exploiting the CVE-2022-29499 vulnerability, discovered and patched in June 2022. This bug in Mitel MiVoice VoIP devices allows remote arbitrary code execution (RCE) and the creation of a reverse shell on the victim’s network.

Mitel VoIP solutions are used by organizations and governments in mission-critical sectors around the world. According to information security expert Kevin Beaumont, there are currently more than 19,000 devices open to attacks over the Internet.

Read also our article on Methods Hackers Use to Infect You Ransomware.

In general, Lorenz’s tactics are similar to those described in the report of the CrowdStrike company, which discovered this bug and monitored the ransomware that used it. So, after the initial compromise, Lorenz deploys a copy of the Chisel open-source tool for TCP tunneling on the affected company’s network and uses it to move sideways.

At the same time, Arctic Wolf experts note that after a Mitel device is compromised, hackers wait about a month, and only then begin to develop their attack further.

The researchers write that hackers use well-known and widely used tools to create a dump of credentials and subsequent reconnaissance. The grouping then begins lateral movement using compromised credentials (including those from a hacked domain administrator account).

Before encrypting the victim’s files, Lorenz steals information using the FileZIlla file-sharing application. BitLocker is used to encrypt the victim’s files afterwards.

The post Lorenz Ransomware Penetrates Company Networks through Mitel VoIP Products appeared first on Gridinsoft Blog.