Executive Summary
In September 2024, federal cyber authorities, including the FBI and CISA, issued a joint advisory detailing the significant threat posed by the Akira ransomware group. First identified in March 2023, Akira employs double-extortion tactics—stealing sensitive data before encrypting systems—to pressure victims for ransom. The group is associated with additional threat actors and has links to the former Conti operation. Akira has accumulated over $244 million in illicit proceeds by targeting small and medium-sized businesses, impacting sectors such as manufacturing, education, healthcare, IT, finance, and agriculture. The group leverages known vulnerabilities in critical infrastructure software, exploits stolen credentials, and uses remote access tools to compromise organizations, often exfiltrating data in just over two hours.
The FBI considers Akira among its top five most consequential ransomware variants, reflecting a broader trend of increasingly sophisticated, fast-moving, and costly ransomware attacks. Recent activity highlights the group’s adaptability and operational security, reinforcing the urgent need for organizations to harden defenses as ransomware tactics evolve.
Why This Matters Now
Akira’s surge demonstrates how rapidly ransomware actors can exploit newly disclosed vulnerabilities, often targeting critical infrastructure and essential services. Given Akira’s speed, shifting tactics, and the significant financial and operational fallout highlighted in recent advisories, immediate action is vital for organizations to update controls, patch systems, and improve detection.
Attack Path Analysis
The Akira ransomware attack began with the exploitation of vulnerable internet-facing services and stolen credentials to gain initial access. Attackers escalated privileges by leveraging remote access tools and account creation, then moved laterally across internal networks, targeting multiple cloud workloads and on-prem systems. They established command and control through persistent access channels, enabling data staging. Sensitive files were rapidly exfiltrated, often within hours, using encrypted outbound channels before deploying ransomware to encrypt critical systems and demand payment, causing business disruption.
Kill Chain Progression
Initial Compromise
Description
Adversaries exploited vulnerabilities (such as VPN/firewall CVEs) and abused stolen credentials to gain unauthorized access to cloud and enterprise environments.
Related CVEs
CVE-2020-3259
CVSS 7.5
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks on an affected device.
Affected Products:
Cisco Adaptive Security Appliance (ASA) Software – 9.6, 9.7, 9.8, 9.9, 9.10, 9.12
Cisco Firepower Threat Defense (FTD) Software – 6.2.2, 6.2.3, 6.3.0, 6.4.0
Exploit Status:
exploited in the wild
CVE-2023-20269
CVSS 7.5
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks on an affected device.
Affected Products:
Cisco Adaptive Security Appliance (ASA) Software – 9.6, 9.7, 9.8, 9.9, 9.10, 9.12
Cisco Firepower Threat Defense (FTD) Software – 6.2.2, 6.2.3, 6.3.0, 6.4.0
Exploit Status:
exploited in the wild
CVE-2024-40766
CVSS 9.8
A vulnerability in SonicWall's SSL VPN Virtual Office portal allows an unauthenticated, remote attacker to execute arbitrary code on the affected device.
Affected Products:
SonicWall SSL VPN Virtual Office – 9.0.0.0, 9.0.0.1, 9.0.0.2
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
External Remote Services
Exploit Public-Facing Application
Scheduled Task/Job: Scheduled Task
Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder
Indicator Removal on Host: File Deletion
Exfiltration Over C2 Channel
Data Encrypted for Impact
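The techniques listed above chain together in a recognisable order: a valid or newly created account, a privilege grant, then persistence through a scheduled task or a Run key. The following Python sketch is an added example (it is not code from the advisory or from any vendor named on this page) showing how a detection engineer could correlate those steps from endpoint audit events. The event records are constructed, the event IDs follow Windows Security auditing (4720 account created, 4732 member added to local group, 4698 scheduled task created) and Sysmon event 13 (registry value set), and the one-hour window, host names, account names and registry path are assumptions for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on Windows Security auditing
# (4720 = user account created, 4732 = member added to local group,
# 4698 = scheduled task created) and Sysmon event 13 (registry value set).
# None of these records come from a real incident.
SAMPLE_EVENTS = [
    {"ts": "2024-09-10T02:14:05", "host": "fs01", "event_id": 4720,
     "subject": "svc_backup", "target": "sysadm1n"},
    {"ts": "2024-09-10T02:14:40", "host": "fs01", "event_id": 4732,
     "subject": "svc_backup", "target": "sysadm1n", "group": "Administrators"},
    {"ts": "2024-09-10T02:20:11", "host": "fs01", "event_id": 4698,
     "subject": "sysadm1n", "task_name": "\\Maintenance\\updater"},
    {"ts": "2024-09-10T02:21:00", "host": "fs01", "event_id": 13,
     "subject": "sysadm1n",
     "registry_key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
    # Benign-looking sequence: help desk creates a user and grants RDP rights two days later.
    {"ts": "2024-09-10T09:00:00", "host": "hr02", "event_id": 4720,
     "subject": "helpdesk", "target": "jdoe"},
    {"ts": "2024-09-12T09:00:00", "host": "hr02", "event_id": 4732,
     "subject": "helpdesk", "target": "jdoe", "group": "Remote Desktop Users"},
]

# Groups whose membership should never be granted to a brand-new account silently.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
# Substrings identifying autostart registry locations (Registry Run Keys technique).
RUN_KEY_MARKERS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")


def detect_new_account_abuse(events, window=timedelta(hours=1)):
    """Correlate account creation with privilege grants and persistence.

    Emits an alert when, within `window` of a 4720 on the same host, the new
    account is either added to a privileged group (4732) or itself creates a
    scheduled task (4698) or a Run/RunOnce registry value (Sysmon 13).
    """
    created = {}  # (host, account) -> creation timestamp
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO-8601 strings sort chronologically
        ts = datetime.fromisoformat(e["ts"])
        eid = e["event_id"]
        if eid == 4720:
            created[(e["host"], e["target"])] = ts
            continue
        if eid == 4732 and e.get("group") in PRIVILEGED_GROUPS:
            key, rule = (e["host"], e["target"]), "new_account_privileged"
        elif eid == 4698:
            key, rule = (e["host"], e["subject"]), "new_account_scheduled_task"
        elif eid == 13 and any(m in e.get("registry_key", "") for m in RUN_KEY_MARKERS):
            key, rule = (e["host"], e["subject"]), "new_account_run_key"
        else:
            continue
        # Only alert if the acting/target account was created recently on this host.
        if key in created and ts - created[key] <= window:
            alerts.append({"rule": rule, "host": key[0], "account": key[1], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_new_account_abuse(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, the script reports three alerts for the constructed `sysadm1n` account on `fs01` and none for `jdoe`, whose later addition to a non-privileged group falls outside both the window and the privileged-group set. The value of correlating rather than alerting on each event alone is that account creation and group changes are routine on their own; it is the tight sequence by a fresh account that is rare in legitimate administration.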
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Remote Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: Section 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 10
CISA Zero Trust Maturity Model 2.0 – Continuous verification of identity, credentials, and access
Control ID: Identity Pillar - Authentication
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21(2)
ISO/IEC 27001:2022 – Management of technical vulnerabilities
Control ID: A.8.16
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Critical ransomware exposure through vulnerable Cisco firewalls and VPNs, with patient data encryption and two-hour exfiltration timelines also raising HIPAA compliance violations.
Financial Services
High-value target for Akira's double-extortion model exploiting VMware ESXi and SonicWall vulnerabilities, threatening encrypted traffic and zero trust segmentation requirements.
Higher Education/Academia
Specifically targeted sector vulnerable to credential theft and brute-force attacks through remote access tools like AnyDesk, compromising educational infrastructure and data.
Information Technology/IT
Primary attack vector through Veeam Backup vulnerabilities and Windows exploits, enabling lateral movement across multicloud environments and Kubernetes security breaches.
Sources
- FBI calls Akira 'top five' ransomware variant out of 130 targeting US businesses: https://cyberscoop.com/akira-ransomware-fbi-cisa-joint-advisory/
- CISA and Partners Release Advisory on Akira Ransomware: https://www.cisa.gov/news-events/alerts/2024/04/18/cisa-and-partners-release-advisory-akira-ransomware
- Akira, GOLD SAHARA, PUNK SPIDER, Howling Scorpius, Group G1024 | MITRE ATT&CK®: https://attack.mitre.org/groups/G1024/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, east-west controls, egress policy enforcement, and threat detection would have compartmentalized access, limited attacker spread, and blocked sensitive data exfiltration. CNSF controls provide strong visibility and inline enforcement at each phase, significantly constraining ransomware kill chains and reducing impact.
Control: Cloud Firewall (ACF)
Mitigation: Prevents exploitation of vulnerable public-facing services.
Control: Threat Detection & Anomaly Response
Mitigation: Rapid detection of suspicious account creation and anomalous privilege escalation.
Control: Zero Trust Segmentation
Mitigation: Stops unauthorized lateral movement between workloads and environments.
Control: Inline IPS (Suricata)
Mitigation: Detects and blocks command-and-control communications.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks data exfiltration and prevents unauthorized outbound traffic.
Contains ransomware blast radius and limits encryption spread.
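Egress policy enforcement is the control that most directly counters the "Exfiltration Over C2 Channel" step, because a default-deny outbound policy turns a data-staging host's first large transfer into a logged denial rather than a silent success. The Python below is an added example, not code from the page's vendor or from the advisory, of the two halves of that control: a per-flow allow/deny decision against a small allowlist, and an aggregation over denied flows that flags a source sending more than a threshold volume to one external destination inside a short window. The allowlist entries, subnets, flow records, 1 GB threshold and two-hour window are all constructed for the demonstration (addresses are RFC 5737 documentation ranges), and the bucketing is deliberately simplified.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed egress allowlist: only these destination/port pairs may be reached
# from workloads. Addresses are RFC 5737 documentation ranges, not real services.
EGRESS_ALLOWLIST = [
    {"dst": ip_network("203.0.113.0/24"), "ports": {443}, "label": "approved SaaS backup"},
    {"dst": ip_network("192.0.2.53/32"), "ports": {53}, "label": "approved resolver"},
]
# East-west traffic is handled by segmentation policy, not by egress policy.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed flow records (source, destination, destination port, bytes sent, time).
# Not taken from any real capture.
SAMPLE_FLOWS = [
    {"src": "10.0.5.20", "dst": "203.0.113.10", "dport": 443, "bytes_out": 50_000_000, "ts": "2024-09-10T02:30:00"},
    {"src": "10.0.5.20", "dst": "198.51.100.7", "dport": 443, "bytes_out": 900_000_000, "ts": "2024-09-10T03:00:00"},
    {"src": "10.0.5.20", "dst": "198.51.100.7", "dport": 443, "bytes_out": 1_100_000_000, "ts": "2024-09-10T03:40:00"},
    {"src": "10.0.5.20", "dst": "198.51.100.7", "dport": 443, "bytes_out": 700_000_000, "ts": "2024-09-10T04:25:00"},
    {"src": "10.0.7.3", "dst": "10.0.9.14", "dport": 445, "bytes_out": 3_000_000, "ts": "2024-09-10T03:05:00"},
    {"src": "10.0.7.3", "dst": "198.51.100.99", "dport": 8080, "bytes_out": 2_000, "ts": "2024-09-10T03:06:00"},
]


def egress_decision(flow):
    """Return 'internal', 'allow' or 'deny' for one flow under default-deny egress."""
    dst = ip_address(flow["dst"])
    if any(dst in net for net in INTERNAL_NETS):
        return "internal"
    for rule in EGRESS_ALLOWLIST:
        if dst in rule["dst"] and flow["dport"] in rule["ports"]:
            return "allow"
    return "deny"


def exfil_alerts(flows, threshold_bytes=1_000_000_000, window=timedelta(hours=2)):
    """Flag (src, dst) pairs whose denied outbound volume exceeds threshold inside window.

    Simplification for the example: flows for a pair are bucketed from the first
    flow seen and the bucket restarts once the window is exceeded; a production
    detector would use a true sliding window.
    """
    buckets = {}
    for f in sorted(flows, key=lambda x: x["ts"]):
        if egress_decision(f) != "deny":
            continue  # allowed and internal traffic is policy-compliant by definition
        key = (f["src"], f["dst"])
        ts = datetime.fromisoformat(f["ts"])
        b = buckets.setdefault(key, {"start": ts, "bytes": 0, "flows": 0})
        if ts - b["start"] > window:
            b.update(start=ts, bytes=0, flows=0)  # outside the window: start a new bucket
        b["bytes"] += f["bytes_out"]
        b["flows"] += 1
    return [
        {"src": src, "dst": dst, "bytes_out": b["bytes"], "flows": b["flows"]}
        for (src, dst), b in buckets.items()
        if b["bytes"] >= threshold_bytes
    ]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f["src"], "->", f["dst"], f["dport"], egress_decision(f))
    print(exfil_alerts(SAMPLE_FLOWS))
```

With the constructed data, the backup upload to `203.0.113.10:443` is allowed, the SMB flow stays internal, and the three transfers from `10.0.5.20` to `198.51.100.7` are denied and together exceed the threshold within 85 minutes, producing a single alert; the tiny denied probe from `10.0.7.3` is logged as a denial but never reaches the volume threshold. In a real deployment the denial itself is the enforcement, and the aggregation is what gives the SOC a prioritised signal instead of thousands of individual deny logs.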
Impact at a Glance
Affected Business Functions
- Manufacturing
- Education
- IT Services
- Health Care
- Financial Services
- Agriculture
Estimated downtime: 7 days
Estimated loss: $5,000,000
Sensitive customer and operational data, including personally identifiable information (PII) and proprietary business information, were exfiltrated and potentially exposed.
Recommended Actions
Key Takeaways & Next Steps
- Apply strict Zero Trust segmentation and microsegmentation to isolate workloads and block lateral movement.
- Enforce centralized egress policy controls to detect and prevent unauthorized outbound and exfiltration events.
- Deploy continuous threat detection and anomaly response across all network layers to rapidly identify attacks.
- Harden perimeter access with cloud-native firewalls and minimize public attack surface using least privilege policies.
- Routinely audit credentials and monitor for unauthorized account creation or privilege escalation events.