
Companies advised not to pay if hit by Akira ransomware


SINGAPORE: Singapore authorities on Friday (Jun 7) issued an advisory about the Akira ransomware group and advised organisations against paying a ransom should they fall victim to an attack. 

Instead, victims should immediately report the incident to the authorities, said the police, Cyber Security Agency of Singapore (CSA) and the Personal Data Protection Commission (PDPC).

Local law firm Shook Lin & Bok said in May that it was hit by a ransomware attack from the Akira group.

Suspectfile, an independent website that covers the ransomware phenomenon, reported that Shook Lin & Bok paid a ransom of US$1.4 million in Bitcoin.

The authorities said that they "do not recommend paying the ransom" when hit with a ransomware attack, and that companies should report such incidents immediately.

"Paying the ransom does not guarantee that the data will be decrypted or that threat actors will not publish your data.

"Furthermore, threat actors may see your organisation as a soft target and strike again in the future. This may also encourage them to continue their criminal activities and target more victims."

Akira ransomware first emerged in March 2023, with the threat group operating a "ransomware-as-a-service" model that targets both Windows and Linux operating systems.

The group provides its software and infrastructure to its affiliates - other cybercriminal groups - in exchange for a percentage of any ransom paid by victim organisations. 

Businesses and organisations in sectors including education, finance, manufacturing, and healthcare around the world have been affected by the Akira threat group, the authorities said, adding that affiliates have been observed to be "indiscriminate" in their targets.

The proposed ransom amounts will also be based on a study of the victim organisations’ business profiles.

In the joint advisory, the authorities outlined how Akira works and provided a set of measures that organisations can use to avoid succumbing to the ransomware. This information was drawn from various sources including national CERT publications and threat intelligence reports.

HOW AKIRA WORKS

Akira affiliates have been observed to use a range of techniques to gain initial access to a victim organisation's network. These include:

  • Exploiting known vulnerabilities, like a Cisco VPN service without multi-factor authentication (MFA) configured.

  • Brute-forcing external-facing services such as Remote Desktop Protocol.

  • Deploying social engineering campaigns to trick victims into downloading malicious software that obtains user credentials or inputting their credentials on phishing websites.

  • Using compromised credentials that may have been obtained by the affiliate from access brokers who sell access to corporate networks.

Akira affiliates can sometimes create a new domain account on the compromised system to establish persistence, which they can use to maintain a connection with a target system even when the machine is rebooted or shut down. Through the use of numerous tools, affiliates can also glean users' credentials and use them for their own ends. They can additionally grant themselves higher-level access within an organisation's security system through privilege escalation.

Once inside, Akira users can gain knowledge about the victim's system and the connected network, which can be leveraged to spread to the rest of the network.

Sensitive company information will then be exfiltrated and encrypted. Commonly used tools such as WinRAR can be used for this, with its ability to split and compress data, said the authorities.

Once data exfiltration is completed, the Akira ransomware encrypts data, runs commands to inhibit system recovery and leaves a ransom note behind.

The note typically includes a code unique to each victim, along with instructions to contact the affiliates on a TOR site, or a site on the dark web. 

Ransom payments are usually demanded to be paid with Bitcoin. The TOR site also contains stolen information and a list of the affected organisations. 

An example of a ransom note provided by the authorities shows how the hackers attempt to pressure organisations into paying the ransom quickly: "Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately."

"Keep in mind that the faster you will get in touch, the less damage we cause."

Organisations should enforce strong password policies requiring the use of strong passwords or passphrases of at least 12 characters with mixed composition: upper case letters, lower case letters, numbers and special characters.

They should also implement multi-factor authentication on all internet-facing services like VPNs, and on accounts that access critical systems, to minimise the risk of unauthorised access.
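As an added illustration of the password rule stated in the advisory (not code from the authorities or the article), the check below reports which of the stated requirements a candidate password fails to meet: the 12-character minimum and the four character classes. The set of "special characters" is an assumption here (ASCII punctuation); the advisory does not define it.

```python
import string

# Minimum length taken from the advisory: at least 12 characters.
MIN_LENGTH = 12


def password_policy_check(pw: str) -> list[str]:
    """Return the list of unmet requirements; an empty list means the
    password satisfies the policy described in the advisory."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Mixed composition: one character from each of the four classes.
    # "special character" is assumed to mean ASCII punctuation.
    classes = {
        "upper case letter": any(c.isupper() for c in pw),
        "lower case letter": any(c.islower() for c in pw),
        "number": any(c.isdigit() for c in pw),
        "special character": any(c in string.punctuation for c in pw),
    }
    problems.extend(f"no {name}" for name, ok in classes.items() if not ok)
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Correct-Horse9battery"):
        print(candidate, "->", password_policy_check(candidate) or "compliant")
```

A passphrase such as `Correct-Horse9battery` passes because it is long and still contains all four classes; a short single-class string is reported with every rule it misses, which is more useful to a user than a bare reject.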

Reputable anti-virus or anti-malware software can help to detect the presence of Akira or other ransomware variants, the authorities said. "This can be done through real-time monitoring of system processes, network traffic, and file activity for indicators of compromise typically associated with the malware."

The software can be configured to block the execution of suspicious files, prevent unauthorised remote connections, and restrict access to sensitive files and folders.

"Organisations should periodically scan their systems and networks for vulnerabilities and regularly update all operating systems, applications, and software by applying the latest security patches promptly, especially for functions critical to the business," said the police, CSA and PDPC. Companies using older applications that are no longer supported by the developer should migrate to newer alternatives.

Segregating networks can also help control traffic flow between sub-networks, limiting the spread of ransomware. Organisations should also monitor their logs for any suspicious activities and carry out remediation measures where necessary.
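Two of the behaviours described earlier, brute-forcing of external-facing Remote Desktop Protocol and the creation of a new account for persistence, are the kind of "suspicious activity" that log monitoring is meant to surface. The script below is an added example, not code from the authorities, the article or any vendor: it runs two detections over constructed sample log lines written in a simplified Windows-Security-event style (event 4625 failed logon, 4624 successful logon, 4720 account created). The log format, IP addresses, user names and thresholds are all assumptions made for the example.

```python
"""Constructed log lines and two detections over them: a sliding-window
count of failed RDP logons per source, and account-creation events
correlated with a preceding success from a brute-forced source."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (timestamp, event id, key=value fields). Not real data.
SAMPLE_LOG = """\
2024-06-07T02:00:01 4625 user=admin src=203.0.113.7 logon_type=10
2024-06-07T02:00:03 4625 user=administrator src=203.0.113.7 logon_type=10
2024-06-07T02:00:04 4625 user=backup src=203.0.113.7 logon_type=10
2024-06-07T02:00:06 4625 user=svc_sql src=203.0.113.7 logon_type=10
2024-06-07T02:00:09 4625 user=jsmith src=203.0.113.7 logon_type=10
2024-06-07T02:00:12 4624 user=jsmith src=203.0.113.7 logon_type=10
2024-06-07T02:05:30 4720 user=itsupport2 src=198.51.100.9 created_by=jsmith
2024-06-07T09:15:00 4625 user=amy src=192.0.2.20 logon_type=10
2024-06-07T09:16:10 4624 user=amy src=192.0.2.20 logon_type=10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\d+) (?P<fields>.*)$")


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    return {"ts": datetime.fromisoformat(m.group("ts")),
            "event": int(m.group("event")), **fields}


def parse_log(text: str) -> list:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag each source that produced >= threshold failed logons (4625,
    logon type 10 = RDP) within any `window`. Returns (src, count, first, last)."""
    fails = defaultdict(list)
    for ev in events:
        if ev["event"] == 4625 and ev.get("logon_type") == "10":
            fails[ev["src"]].append(ev["ts"])
    alerts = []
    for src, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((src, end - start + 1, times[start], times[end]))
                break  # one alert per source is enough
    return alerts


def detect_new_accounts(events, bruteforce_alerts, lookback=timedelta(hours=1)):
    """Every account creation (4720) is worth review; raise priority when the
    creating account logged on (4624) from a brute-forced source shortly before."""
    flagged_srcs = {a[0] for a in bruteforce_alerts}
    successes = [ev for ev in events
                 if ev["event"] == 4624 and ev["src"] in flagged_srcs]
    results = []
    for ev in events:
        if ev["event"] != 4720:
            continue
        creator = ev.get("created_by")
        correlated = any(s["user"] == creator and
                         ev["ts"] - lookback <= s["ts"] <= ev["ts"]
                         for s in successes)
        results.append({"new_account": ev["user"], "created_by": creator,
                        "priority": "high" if correlated else "review"})
    return results


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bf = detect_rdp_bruteforce(evs)
    print("brute-force sources:", bf)
    print("account creations:", detect_new_accounts(evs, bf))
```

The single failed logon from `192.0.2.20` never reaches the threshold and produces no alert, while the burst from `203.0.113.7` followed by a success and then an account created by that same user is exactly the chain the advisory describes, so the creation is escalated rather than left in the routine review queue.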

Routine backups of important data should be conducted. The authorities recommended companies follow the 3-2-1 rule when performing backups: Keep three copies of backups, store them in two different media formats and store one set of backups off-site.

Conducting incident response exercises and developing business continuity plans can help improve an organisation's readiness for a ransomware attack, they added. 

Retaining only essential data and minimising the collection of personal data will also keep the impact of a data breach to a minimum.
