Tuesday, November 26, 2024

Finland warns about Akira ransomware that wipes NAS and tape backup devices

The Finnish National Cyber Security Centre (NCSC-FI) has reported an increase in Akira ransomware activity targeting businesses across the country and erasing their backups in December.

According to the agency, six of the seven ransomware incidents reported last month were the result of attacks by this threat actor.


Erasing backups increases the damage of the attack and removes the option of restoring data without paying a ransom, allowing attackers to put further pressure on victims.

Small organizations often use network attached storage (NAS) devices for backups, but the Finnish agency emphasizes that these systems were not immune to the Akira ransomware attacks.

The attackers also targeted tape backup devices, which are typically used as secondary systems to store digital copies of data.

“In each case, great care has been taken to destroy the backups, and the attackers have actually gone to great lengths to do so,” the machine-translated version of the notice reads.

“Network-attached storage (NAS) devices and automated tape backup devices commonly used for backups have been compromised and emptied, resulting in the loss of all backups in almost all cases that we are aware of,” the agency reports.

NCSC-FI suggests that organizations instead switch to using offline backups and distribute copies to different locations to protect them from unauthorized physical access.

“For your most important backups, we recommend following the 3-2-1 rule. That is, keep at least three backups in two different locations, and keep one of these copies completely disconnected from your network.” – Olli Horno, NCSC-FI

Compromised via Cisco VPN

According to the Finnish agency, the Akira ransomware attacks appear to have gained network access by exploiting CVE-2023-20269, a vulnerability in the VPN functionality of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) products.

This vulnerability allows an unauthenticated attacker to brute-force existing user credentials when login protections such as multi-factor authentication (MFA) are absent.
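A defender-side illustration of the credential brute forcing described above, added here as an example that is not part of the NCSC-FI notice or this article: a small Python scan over constructed ASA-style syslog lines (the `%ASA-6-113005` "AAA user authentication Rejected" message layout is assumed, and the source addresses and user names are made up) that flags any source address exceeding a failure threshold inside a time window, the pattern an MFA-less VPN login surface would show.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines shaped like Cisco ASA %ASA-6-113005 messages.
# The exact layout is assumed for this example; check it against your own device output.
SAMPLE_LOG = """\
Dec 04 2023 02:14:05 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.9
Dec 04 2023 02:14:09 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.9
Dec 04 2023 02:14:14 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = mlee : user IP = 203.0.113.9
Dec 04 2023 02:14:20 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = mlee : user IP = 203.0.113.9
Dec 04 2023 02:14:27 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.9
Dec 04 2023 02:14:35 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.9
Dec 04 2023 02:20:01 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = kdoe : user IP = 198.51.100.4
Dec 04 2023 02:20:09 fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = kdoe
"""

# Only rejection messages matter; everything else is skipped by the parser.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: .*?"
    r"user = (?P<user>\S+) : user IP = (?P<src>\S+)$"
)


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: {"failures": n, "users": k}} for every source address that
    produced at least `threshold` rejected logins within any `window`-long span."""
    by_src = defaultdict(list)  # src_ip -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        by_src[m["src"]].append((ts, m["user"]))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        start, peak = 0, 0
        # Sliding window: the densest run of failures from this source.
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[src] = {"failures": peak, "users": len({u for _, u in events})}
    return hits


if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))  # {'203.0.113.9': {'failures': 6, 'users': 3}}
```

The single typo-style failure from 198.51.100.4 stays below the threshold, while the burst that cycles through several accounts from one address is reported together with the number of distinct users it tried.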

CVE-2023-20269 was disclosed by Cisco as a zero-day in September 2023, and a fix was released the following month. However, security researchers reported that the Akira ransomware group had been exploiting it for initial access since early August 2023.

Observed post-compromise activity includes mapping networks, targeting backups and critical servers, stealing usernames and passwords from Windows servers, and encrypting critical files, in particular the disks of virtual machines on VMware virtualization servers.

To avoid attacks that exploit this vulnerability, we strongly recommend that organizations upgrade to Cisco ASA 9.16.2.11 or later and Cisco FTD 6.6.7 or later.
