Ransomware Attacks Now Strike in Under an Hour

Summary
– The Akira ransomware group can complete all attack stages in under four hours, sometimes in less than one hour.
– It typically gains initial access by exploiting VPN and backup software vulnerabilities, especially those without multi-factor authentication.
– The group uses stealthy methods like intermittent encryption and living-off-the-land tools to avoid detection during data theft and encryption.
– Akira is a sophisticated operation, suspected to include former Conti hackers, and has reportedly generated up to $244 million.
– Security experts recommend organizations implement layered defenses, including patching vulnerabilities and enabling MFA, to mitigate such threats.
Security experts are raising alarms about a dramatic acceleration in ransomware operations, with new data showing some attacks now unfold in less than sixty minutes. The Akira ransomware group has been observed completing its entire attack chain within this compressed timeframe, marking a significant escalation in the speed of these threats. This rapid execution leaves defenders with an extremely narrow window to detect and respond before critical systems are compromised.
The group typically gains its initial foothold by exploiting vulnerabilities in internet-facing VPN appliances and backup solutions, particularly those not secured with multi-factor authentication (MFA). While they have historically targeted products from vendors like SonicWall, Veeam, and Cisco, their methods are not limited to software flaws. Akira also employs credential theft, spearphishing campaigns, and password spraying techniques, and has been known to purchase access from initial access brokers. The group is considered highly sophisticated, with researchers suspecting its ranks include former members of the notorious Conti operation.
Once inside a network, Akira follows a double-extortion model, systematically exfiltrating sensitive data before deploying encryption. To avoid raising alarms, the actors first work to disable security tools. They then leverage common, trusted applications already present in the environment, a tactic known as living-off-the-land. Tools like FileZilla, WinRAR, and RClone are repurposed for data staging and the encryption process itself, making malicious activity harder to distinguish from normal operations.
This focus on stealth is central to Akira’s speed. The group is described as more covert and less overtly aggressive than some rivals, using zero-day exploits and stolen credentials to move quietly. A key technique is intermittent encryption, where only a small percentage of a file’s data is scrambled. By setting this encryption rate as low as one percent, Akira can rapidly push its ransomware across all devices in a network, maximizing disruption in a very short period. This disciplined approach, combined with investment in reliable decryption infrastructure, has made the group exceptionally effective. US officials estimate that, since its emergence in early 2023, Akira has extorted approximately $244 million from victims.
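Intermittent encryption at a one percent rate also explains why a detector that measures the entropy of a whole file barely reacts: the randomness of a few encrypted regions is diluted by the untouched bulk. The following added example (not code from the article or from any vendor) contrasts a whole-file entropy reading with a per-chunk scan over constructed fixtures. The 4 KiB chunk size, the 7.5 bits/byte threshold and the text fixture are assumptions chosen for illustration; the "scrambled" fixture simply overwrites one chunk in a hundred with seeded random filler to stand in for encrypted regions, and is test data generation, not an encryption routine.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096       # scan granularity in bytes (assumption)
HIGH_ENTROPY = 7.5      # bits per byte; encrypted or compressed data sits near 8.0 (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued data, up to 8.0."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan(data: bytes, chunk_size: int = CHUNK_SIZE, threshold: float = HIGH_ENTROPY) -> dict:
    """Report the whole-file entropy next to a per-chunk scan.

    A whole-file reading hides a one percent encrypted footprint; the chunk scan
    surfaces exactly which regions crossed the threshold.
    """
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    flagged = [i for i, chunk in enumerate(chunks) if shannon_entropy(chunk) >= threshold]
    return {
        "whole_file_entropy": shannon_entropy(data),
        "chunk_count": len(chunks),
        "high_entropy_chunks": flagged,
        "high_entropy_fraction": len(flagged) / len(chunks) if chunks else 0.0,
    }


# --- constructed fixtures (not real victim data) ---
_SENTENCE = b"The quick brown fox jumps over the lazy dog. "
_SAMPLE_LEN = 200 * CHUNK_SIZE
PLAIN_SAMPLE = (_SENTENCE * (_SAMPLE_LEN // len(_SENTENCE) + 1))[:_SAMPLE_LEN]


def build_partially_scrambled_sample(data: bytes, rate: float = 0.01, seed: int = 7) -> bytes:
    """Fixture builder: overwrite a `rate` fraction of chunks with seeded random filler.

    The filler stands in for the small encrypted regions intermittent encryption
    leaves behind. This only generates test data; it performs no encryption.
    """
    rng = random.Random(seed)
    out = bytearray(data)
    step = max(1, int(round(1 / rate)))          # rate 0.01 -> every 100th chunk
    for start in range(0, len(out), step * CHUNK_SIZE):
        end = min(start + CHUNK_SIZE, len(out))
        out[start:end] = bytes(rng.getrandbits(8) for _ in range(end - start))
    return bytes(out)


PARTIAL_SAMPLE = build_partially_scrambled_sample(PLAIN_SAMPLE)

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("1% scrambled", PARTIAL_SAMPLE)):
        result = scan(sample)
        print(f"{label:13s} whole-file entropy={result['whole_file_entropy']:.2f} "
              f"high-entropy chunks={result['high_entropy_chunks']} "
              f"fraction={result['high_entropy_fraction']:.3f}")
```

On the fixtures, both samples read below 6 bits/byte as whole files and differ by a fraction of a bit, while the chunk scan flags chunks 0 and 100 of the scrambled sample, a one percent footprint. In a file-activity monitor the useful signal is therefore a sudden appearance of high-entropy chunks across many files, not a per-file average.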
To defend against such fast-moving threats, organizations must implement layered defenses. Proactive measures are essential, starting with the prompt patching of all VPN and backup systems. Enforcing MFA universally, especially for remote access, is a critical barrier. Network segmentation can help contain the lateral movement of attackers, while robust, offline backup solutions ensure data can be restored without paying a ransom. Continuous monitoring for unusual file activity or the misuse of legitimate administrative tools is also vital to identify an incursion during its earliest stages.
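Monitoring for misuse of legitimate tools is harder than matching a binary name, because FileZilla, WinRAR and RClone are also run by administrators. The added example below (not code from the article) scores process-creation events over a few constructed log lines using context rather than name alone: a tool running outside its allowlisted install path, a launch from a script host, an off-hours timestamp, and an archive tool and a transfer tool appearing on the same host within a short window, the staging pattern the article describes. The log format, the allowlisted install prefixes, the 07:00 to 19:00 UTC business hours, the ten-minute window and the severity cut-offs are all assumptions for illustration.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tools the article names as repurposed for staging and transfer, mapped to their role
# and to the install prefix a site policy would allow (prefixes are an assumption).
LOTL_TOOLS = {
    "rclone.exe":    ("transfer", "c:\\program files\\rclone\\"),
    "filezilla.exe": ("transfer", "c:\\program files\\filezilla ftp client\\"),
    "winrar.exe":    ("archive",  "c:\\program files\\winrar\\"),
    "rar.exe":       ("archive",  "c:\\program files\\winrar\\"),
}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
BUSINESS_HOURS = range(7, 19)            # UTC, assumption
CHAIN_WINDOW = timedelta(minutes=10)     # archive + transfer on one host within this window

# Hypothetical process-creation log format (assumption): one event per line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image="(?P<image>[^"]+)" parent="(?P<parent>[^"]+)"$'
)


def parse_log(text: str) -> list:
    """Parse log lines into event dicts; malformed lines raise so they are not silently dropped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line}")
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["tool"] = PureWindowsPath(ev["image"]).name.lower()
        ev["parent_name"] = PureWindowsPath(ev["parent"]).name.lower()
        events.append(ev)
    return events


def analyze(text: str) -> list:
    """Return findings for LOTL tool executions that carry at least one suspicious context signal."""
    tool_events = [e for e in parse_log(text) if e["tool"] in LOTL_TOOLS]
    findings = []
    for e in tool_events:
        role, allowed_prefix = LOTL_TOOLS[e["tool"]]
        reasons = []
        if not e["image"].lower().startswith(allowed_prefix):
            reasons.append("unexpected_path")       # copied to a user-writable location
        if e["parent_name"] in SCRIPT_HOSTS:
            reasons.append("scripted_launch")       # driven from a shell, not the desktop
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        # An archive tool and a transfer tool on the same host close together is the
        # staging-then-exfiltration sequence worth escalating.
        if any(o is not e and o["host"] == e["host"] and LOTL_TOOLS[o["tool"]][0] != role
               and abs(o["ts"] - e["ts"]) <= CHAIN_WINDOW for o in tool_events):
            reasons.append("staging_chain")
        if reasons:
            findings.append({
                "ts": e["ts"].isoformat(), "host": e["host"], "user": e["user"],
                "tool": e["tool"], "reasons": reasons,
                "severity": "high" if len(reasons) >= 3 else "medium",
            })
    return findings


# Constructed sample events: a burst on a file server at 02:00 and a routine
# daytime WinRAR launch from the desktop on a workstation.
SAMPLE_LOG = """
2024-05-01T02:13:44Z host=FS01 user=CORP\\svc_backup image="C:\\Users\\Public\\rclone.exe" parent="C:\\Windows\\System32\\cmd.exe"
2024-05-01T02:14:02Z host=FS01 user=CORP\\svc_backup image="C:\\Program Files\\WinRAR\\WinRAR.exe" parent="C:\\Windows\\System32\\cmd.exe"
2024-05-01T02:14:30Z host=FS01 user=CORP\\svc_backup image="C:\\Users\\Public\\rclone.exe" parent="C:\\Windows\\System32\\cmd.exe"
2024-05-01T09:30:11Z host=WS22 user=CORP\\jdoe image="C:\\Program Files\\WinRAR\\WinRAR.exe" parent="C:\\Windows\\explorer.exe"
2024-05-01T10:02:55Z host=WS22 user=CORP\\jdoe image="C:\\Windows\\System32\\notepad.exe" parent="C:\\Windows\\explorer.exe"
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity']:6s} {f['ts']} {f['host']} {f['user']} {f['tool']} {','.join(f['reasons'])}")
```

Run against the sample, the three FS01 events are rated high (the WinRAR launch sits in its allowed path but is scripted, off-hours and part of the archive-plus-transfer chain), while the daytime WinRAR launch on WS22 produces no finding. Tying the rule to context keeps the alert volume down where these tools are genuinely in use, which is what makes the monitoring the article recommends sustainable.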
(Source: Infosecurity Magazine)
