Finland warns of Akira ransomware wiping NAS and tape backup devices

The Finish National Cybersecurity Center (NCSC-FI) is informing of increased Akira ransomware activity in December, targeting companies in the country and wiping backups.

The agency says that the threat actor's attacks accounted for six out of the seven cases of ransomware incidents reported last month.

Wiping the backups amplifies the damage of the attack and allows the threat actor to put more pressure on the victim as they eliminate the option of restoring the data without paying a ransom.

Smaller organizations often use network-attached storage (NAS) devices for this purpose, but the Finnish agency highlights that these systems were not spared in Akira ransomware attacks.

The attackers also targeted tape backup devices, which are typically used as a secondary system for storing digital copies of the data.

“In all cases, efforts have been made to meticulously destroy backups, and the attacker indeed goes to great lengths for this,” reads a machine-translated version of the notification.

“Network-Attached Storage (NAS) devices often used for backups have been broken into and emptied, as well as automatic tape backup devices, and in almost all cases we know of, all backups were lost,” the agency informs.

The NCSC-FI suggests that organizations switch to using offline backups instead, spreading the copies across various locations to protect them from unauthorized physical access.

“For the most important backups, it would be advisable to follow the 3-2-1 rule. That is, keep at least three backups in two different locations and keep one of these copies completely off the network.” - Olli Hönö, NCSC-FI

Breached via Cisco VPNs

The Finnish agency says the Akira ransomware attacks gained access on the victims’ network after exploiting CVE-2023-20269, a vulnerability that affects the VPN feature in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) products.

The vulnerability allows unauthorized attackers to carry out brute force attacks and find the credentials of existing users, where there is no login protection such as multi-factor authentication (MFA).

CVE-2023-20269 was acknowledged by Cisco as a zero-day in September 2023 and fixes were released the following month. However, security researchers reported since early August 2023 that Akira ransomware had been leveraging it for access.

The observed post-compromise activity includes mapping the network, targeting backups and critical servers, stealing usernames and passwords from Windows servers, encrypting important files, and encrypting disks of virtual machines on virtualization servers, particularly those using VMware products.

To avoid attacks that exploit this vulnerability, organizations are strongly recommended to upgrade to Cisco ASA 9.16.2.11 or later and Cisco FTD 6.6.7 or later.

Related Articles:

Tietoevry ransomware attack causes outages for Swedish firms, cities

The Week in Ransomware - January 26th 2024 - Govts strike back

BlackCat ransomware shuts down in exit scam, blames the "feds"

BlackCat ransomware turns off servers amid claim they stole $22 million ransom

The Week in Ransomware - March 1st 2024 - Healthcare under siege