In June 2024, a Latin American airline suffered an Akira ransomware attack, with threat actors initially gaining unauthorized SSH access to exfiltrate critical data before deploying ransomware the following day.
The attackers leveraged legitimate tools and LOLBAS (living-off-the-land binaries and scripts) for reconnaissance and persistence. DNS queries associated with Remmina, a Linux remote-desktop client, suggest the operators worked from a Linux host, which aligns with the tactics of Storm-1567, a prominent ransomware group active since 2023.
Akira ransomware, operated by the Storm-1567 group since March 2023, employs double extortion, stealing data before encrypting systems to pressure victims for ransom payments.
The group targets a wide range of industries worldwide and, by January 2024, had collected more than $42 million from over 250 victims. It exploits known vulnerabilities for initial access, relies heavily on open-source tools, and maintains both Windows and Linux variants of its ransomware, including one built to target VMware ESXi hosts.
The adversaries used stolen credentials to access airline and transportation networks over SFTP via OpenSSH, while network-scanning tools such as NetScan and Advanced IP Scanner likely aided target identification.
The remote desktop tool AnyDesk may have facilitated post-exploitation activity. Ransomware is suspected as the final payload, indicating a financially motivated attack with the potential for severe operational disruption to the targeted sectors.
The Akira actor exploited CVE-2023-27532, a known vulnerability in Veeam Backup & Replication, to compromise an unpatched Veeam backup server, then escalated privileges, scanned the network with Advanced IP Scanner, and exfiltrated data, including sensitive files, to a remote server using WinSCP, all within 133 minutes.
The attacker established persistence by creating a “backup” user and adding it to the Administrators group, consistent with known Akira tactics; the intrusion shows how quickly the group moves from initial compromise to data theft.
The threat actor began the attack in the morning by using Impacket’s smbexec to probe multiple machines before accessing the primary Veeam backup server, then downloaded and executed Netscan to identify Active Directory-joined machines, saving the results to “AdComputers.csv”.
Antivirus software was disabled on the virtual machine host, and the Akira ransomware, delivered inside “win.zip” and disguised as “w.exe”, was downloaded, extracted, and copied to the VM host.
The attackers enumerated domain users with the ‘net group’ and ‘net user’ commands, then manipulated user accounts and installed AnyDesk on five systems for persistent remote access.
Akira ransomware was then deployed from the compromised Veeam server across the network, while PowerShell was used to delete volume shadow copies, hindering recovery and increasing the pressure on the victim to pay the ransom.
According to BlackBerry, endpoint logs indicate that a Linux-based threat actor used Remmina for remote access and WinSCP to exfiltrate data to the IP address 77[.]247[.]126[.]158, which remained active at the time of the report.
Although the attacker’s public IP address was not captured, the DNS queries to “plugins.remmina.org” and the use of WinSCP strongly suggest Linux-based remote access and data exfiltration.
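The chain described above (Impacket smbexec, Netscan’s AdComputers.csv export, ‘net user’/‘net group’ enumeration, the new “backup” administrator, AnyDesk installation, shadow-copy deletion) and the plugins.remmina.org DNS indicator from the attribution paragraph can be turned into detection rules run over endpoint telemetry. The script below is an added example, not code from BlackBerry’s report or from this page: the pipe-delimited log format and every log line are constructed for the example, and the smbexec command-line artefact (cmd.exe /Q /c … \\127.0.0.1\C$\__output) is Impacket’s default, assumed here rather than quoted from the report.

```python
"""Host/DNS telemetry triage for the Akira tradecraft described above.

Added example, not code from BlackBerry's report. The log format and all log
lines are constructed; the smbexec artefact is Impacket's default (assumed).
"""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    host: str
    rule: str
    technique: str  # MITRE ATT&CK technique the rule maps to


# (rule name, event kind, regex on the event detail, ATT&CK technique)
RULES = [
    # Impacket smbexec default: cmd.exe /Q /c <cmd> ^> \\127.0.0.1\C$\__output
    ("impacket_smbexec_service", "process",
     r"cmd\.exe\s+/Q\s+/c\s+.*\\\\127\.0\.0\.1\\[A-Z]\$\\__output", "T1569.002"),
    # Netscan binary, or the AD export file named in the report
    ("netscan_ad_export", "process",
     r"\bnetscan(\.exe)?\b|AdComputers\.csv", "T1018"),
    # net user / net group without /add is enumeration, not account creation
    ("net_account_enumeration", "process",
     r"\bnet1?(\.exe)?\s+(user|group)\b(?!.*\s/add\b)", "T1087.002"),
    ("local_account_created", "process",
     r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", "T1136.001"),
    ("added_to_administrators", "process",
     r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", "T1098"),
    # Only catches an installed AnyDesk; a portable copy needs a hash/path rule
    ("anydesk_install", "process",
     r"anydesk.*--install", "T1219"),
    # vssadmin, wmic, and the PowerShell/WMI route the report describes
    ("shadow_copy_deletion", "process",
     r"vssadmin(\.exe)?\s+delete\s+shadows|wmic.*shadowcopy\s+delete"
     r"|Win32_ShadowCopy.*(Remove-WmiObject|\.Delete\(\))", "T1490"),
    # Remmina (Linux remote-desktop client) fetching its plugin list
    ("remmina_plugin_lookup", "dns",
     r"^plugins\.remmina\.org$", "T1021"),
]
_COMPILED = [(n, k, re.compile(p, re.I), t) for n, k, p, t in RULES]

# Constructed sample telemetry: host|kind|detail (detail may itself contain '|')
SAMPLE_LOGS = r"""
VEEAM-BKP01|process|C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & C:\Windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
VEEAM-BKP01|process|C:\Users\Public\netscan.exe /hide /auto:C:\Users\Public\AdComputers.csv
VEEAM-BKP01|process|net group "Domain Admins" /domain
VEEAM-BKP01|process|net user backup P@ssw0rd! /add
VEEAM-BKP01|process|net localgroup Administrators backup /add
FS01|process|C:\Users\Public\AnyDesk.exe --install C:\ProgramData\AnyDesk --silent
HV01|process|powershell.exe -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }
HV01|process|vssadmin.exe delete shadows /all /quiet
HV01|process|C:\Windows\explorer.exe
WS07|dns|plugins.remmina.org
WS07|dns|www.microsoft.com
"""


def parse(lines: str):
    """Yield (host, kind, detail); split at most twice so pipes in detail survive."""
    for raw in lines.splitlines():
        raw = raw.strip()
        if raw:
            host, kind, detail = raw.split("|", 2)
            yield host, kind, detail


def triage(lines: str) -> list[Finding]:
    """Run every rule of the matching event kind over each event."""
    return [
        Finding(host, name, tech)
        for host, kind, detail in parse(lines)
        for name, rule_kind, rx, tech in _COMPILED
        if kind == rule_kind and rx.search(detail)
    ]


def hosts_by_rule(findings: list[Finding]) -> dict[str, set[str]]:
    out: dict[str, set[str]] = {}
    for f in findings:
        out.setdefault(f.rule, set()).add(f.host)
    return out


def hosts_with_min_rules(findings: list[Finding], n: int) -> set[str]:
    """Hosts where at least n distinct rules fired: where the chain is stacking up."""
    rules_per_host: dict[str, set[str]] = {}
    for f in findings:
        rules_per_host.setdefault(f.host, set()).add(f.rule)
    return {h for h, r in rules_per_host.items() if len(r) >= n}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f.host:12} {f.technique:10} {f.rule}")
    print("pivot hosts:", hosts_with_min_rules(triage(SAMPLE_LOGS), 2))
```

Each rule is a plain regex so the same logic ports directly to a SIEM query or a Sigma rule; the point of `hosts_with_min_rules` is that, as in the intrusion above, the backup server lights up several techniques in sequence, which is a far stronger signal than any single command line.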