Patch Now or Pay Later: Urgent Warning Issued for Akira Ransomware

The National Cyber Security Centre of Finland (NCSC-FI) is warning of increased Akira ransomware activity. According to the center, attackers succeeded in six of the seven attempts recorded with this ransomware this past December, targeting several local companies.

A notable feature of these attacks was the destruction of data backups, effectively depriving the victims of any possibility of restoring their information without paying a ransom, thereby intensifying the pressure on those affected. The perpetrators attacked both Network Attached Storage (NAS) devices and tape storage used for archiving. Experts at NCSC-FI noted, “The criminals meticulously destroyed all backups.”

As a protective measure, the center recommends the use of offline backup storage, keeping copies in multiple locations. “For the most crucial backups, it would be prudent to follow the 3-2-1 rule. That is, maintain at least three backup copies in two different places, with one completely disconnected from the network,” stated Olli Hönö from NCSC-FI.

According to NCSC-FI, the breaches occurred through the exploitation of the vulnerability CVE-2023-20269 in Cisco products. This allowed the attackers to perform brute-force attacks and acquire existing user passwords.

Cisco acknowledged this vulnerability in September 2023, although researchers had recorded initial attacks as early as August. After penetrating the network, the hackers mapped it in detail, identified critical servers and backup systems, stole credentials from servers, and then encrypted vital files and virtual machine disks, particularly on the VMware platform.

To avoid falling victim to the same vulnerability, NCSC-FI strongly recommends updating Cisco ASA to version 9.16.2.11 or later, and Cisco FTD to version 6.6.7 or higher.
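
To apply these thresholds across a device inventory, the following added example (not from NCSC-FI or Cisco) parses release strings in both ASA's parenthesised notation and dotted notation and flags devices below the minimums stated above. The hostnames and version lines are constructed, and the comparison assumes plain numeric ordering of release numbers.

```python
import re

# Minimum releases taken from the NCSC-FI recommendation in this article.
MINIMUM = {"ASA": (9, 16, 2, 11), "FTD": (6, 6, 7)}

# Constructed inventory: (hostname, product, version line reported by the device).
# Hostnames and version lines are made up for illustration.
SAMPLE_INVENTORY = [
    ("vpn-edge-1", "ASA", "Cisco Adaptive Security Appliance Software Version 9.16(2)11"),
    ("vpn-edge-2", "ASA", "Cisco Adaptive Security Appliance Software Version 9.14(3)18"),
    ("fw-branch-1", "FTD", "Cisco Firepower Threat Defense Version 6.6.5 (Build 81)"),
    ("fw-branch-2", "FTD", "Cisco Firepower Threat Defense Version 7.0.1 (Build 84)"),
    ("fw-lab", "FTD", "version string missing"),
]

def parse_version(line):
    """Extract the release after 'Version' and return it as a tuple of ints.

    Accepts ASA's parenthesised form (9.16(2)11) and dotted forms (9.16.2.11,
    6.6.7); a trailing '(Build N)' is ignored. Returns None if nothing parses.
    """
    m = re.search(r"Version\s+(\d[\d.()]*)", line)
    if not m:
        return None
    return tuple(int(n) for n in re.findall(r"\d+", m.group(1)))

def meets_minimum(product, version):
    """Compare a parsed release against the minimum, padding with zeros."""
    need = MINIMUM[product]
    width = max(len(need), len(version))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(need)

def audit(inventory):
    """Return {hostname: status} with status 'ok', 'update' or 'unknown'."""
    report = {}
    for host, product, line in inventory:
        version = parse_version(line)
        if version is None or product not in MINIMUM:
            report[host] = "unknown"  # never assume an unparsed device is patched
        else:
            report[host] = "ok" if meets_minimum(product, version) else "update"
    return report

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as `unknown` need a manual check rather than being counted as patched.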