The Akira Ransomware Group and the Scripps Health Ransomware Attack

Akira Ransomware Group Targeting the Healthcare and Public Health Sector

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has published a health and public health (HPH) sector warning about another ransomware group, known as Akira, which has been active since March 2023. Akira is a ransomware-as-a-service (RaaS) operation that recruits affiliates to conduct attacks on its behalf and pays them a share of the ransom proceeds. The group primarily targets small and medium-sized businesses but demands large ransoms, typically between $200,000 and $4 million. Within its first five months of activity the group claimed around 60 victims, including organizations in the HPH sector.

The group uses double extortion tactics: it first identifies valuable data and exfiltrates it, then encrypts files. It demands a ransom in exchange for the decryption keys and for not publishing the stolen data. Victims must contact the group through its TOR site to negotiate payment. Victims who pay are given a security report describing the vulnerabilities the group exploited to gain access to their systems.

The group uses several techniques for initial access, including compromised credentials and the exploitation of vulnerabilities in virtual private network (VPN) appliances, particularly where multi-factor authentication has not been implemented. The group has both Windows and Linux ransomware variants and targets Windows servers as well as VMware ESXi hosts. Incident response data indicate that the group uses a range of tools during its attacks, including the MASSCAN port scanner, the PCHunter toolkit, Mimikatz for credential harvesting, PsExec, and WinSCP.
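The tools listed above leave recognizable traces in Windows telemetry, and a defender can turn that list into a first-pass triage rule. The following script is an added example written for this page; it is not part of the HC3 warning and not a vendor detection. It assumes event records shaped roughly like Sysmon process-creation (EID 1), System-log service-install (EID 7045) and Sysmon process-access (EID 10) events, uses the tools' default binary and service names (which an attacker can rename, so it also looks for Mimikatz module syntax on the command line and for LSASS read access by unexpected processes), and carries a small, assumed allowlist of legitimate LSASS readers. The sample events are constructed, not real logs.

```python
"""Triage constructed Windows event records for the tooling named in the HC3 Akira warning.

Added example for this article, not HC3 or vendor code. Field names, the
LSASS-reader allowlist and the sample records are assumptions/constructed data.
"""
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


# Default binary names of the tools named in the warning (assumption: attackers
# often rename these, so name matching alone is a weak signal).
TOOL_NAMES = {
    "masscan.exe": "MASSCAN port scanner",
    "pchunter32.exe": "PCHunter toolkit",
    "pchunter64.exe": "PCHunter toolkit",
    "mimikatz.exe": "Mimikatz",
    "psexec.exe": "PsExec",
    "psexec64.exe": "PsExec",
    "winscp.exe": "WinSCP",
}
# Mimikatz module syntax on the command line survives renaming the binary.
MIMIKATZ_CMD = re.compile(r"(sekurlsa|lsadump|kerberos)::|privilege::debug", re.I)
# PsExec installs this service on the target host before running the command.
PSEXEC_SERVICE = re.compile(r"psexesvc", re.I)
# PROCESS_VM_READ: credential dumpers need it to read LSASS memory.
PROCESS_VM_READ = 0x0010
# Assumed allowlist of legitimate LSASS readers; tune this per environment.
LSASS_READERS_OK = {"msmpeng.exe", "csrss.exe", "wininit.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def check_event(ev: dict) -> list[Finding]:
    """Return zero or more findings for one event record."""
    host = ev.get("host", "?")
    eid = ev.get("event_id")
    out: list[Finding] = []
    if eid == 1:  # Sysmon process creation
        name = _base(ev.get("image", ""))
        cmd = ev.get("command_line", "")
        if name in TOOL_NAMES:
            out.append(Finding(host, "known_tool_name", f"{TOOL_NAMES[name]} launched: {cmd}"))
        if MIMIKATZ_CMD.search(cmd):
            out.append(Finding(host, "mimikatz_module_syntax", cmd))
    elif eid == 7045:  # System log: a service was installed
        svc = ev.get("service_name", "")
        path = ev.get("image_path", "")
        if PSEXEC_SERVICE.search(svc) or PSEXEC_SERVICE.search(path):
            out.append(Finding(host, "psexec_service_install", f"{svc} -> {path}"))
    elif eid == 10:  # Sysmon process access
        target = _base(ev.get("target_image", ""))
        source = _base(ev.get("source_image", ""))
        access = int(ev.get("granted_access", "0x0"), 16)
        if target == "lsass.exe" and access & PROCESS_VM_READ and source not in LSASS_READERS_OK:
            out.append(Finding(host, "lsass_read_access", f"{source} granted {hex(access)}"))
    return out


def triage(events: list[dict]) -> list[Finding]:
    """Run check_event over a batch of records, preserving order."""
    findings: list[Finding] = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"host": "WS01", "event_id": 1, "image": r"C:\Users\j\Downloads\masscan.exe",
     "command_line": "masscan.exe -p445,3389 10.0.0.0/16 --rate 1000"},
    {"host": "WS01", "event_id": 1, "image": r"C:\Temp\svchost_.exe",  # renamed Mimikatz
     "command_line": '"svchost_.exe" "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"host": "WS01", "event_id": 10, "source_image": r"C:\Temp\svchost_.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"host": "WS01", "event_id": 10, "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},  # allowlisted
    {"host": "FS02", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "FS02", "event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe report.txt"},  # benign
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.rule:24} {f.detail}")
```

On the constructed sample the script raises four findings (the MASSCAN launch, the renamed Mimikatz by its command line, the LSASS read by that same process, and the PSEXESVC install) and correctly ignores the allowlisted Defender engine and the benign Notepad launch. The point of the second and third rules is that they do not depend on the binary keeping its default name; in practice they are the ones worth tuning and keeping, while bare name matches serve as low-cost leads.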

The Akira group is believed to be connected to the now-disbanded Conti ransomware operation, as the two share code, directory exclusions, and cryptocurrency wallet addresses. HC3 has provided Indicators of Compromise (IoCs) in the Akira sector warning, along with a number of recommended mitigations to help network defenders improve resilience to attacks and detect attacks in progress.

Russian National Charged for Scripps Health Ransomware Attack; 11 TrickBot/Conti Actors Sanctioned

Several members of the TrickBot and Conti ransomware groups have been indicted, and the United States and the United Kingdom have sanctioned 11 members of these cybercriminal groups.

A federal grand jury in the Southern District of California has indicted Russian national Maksim Galochkin for his role in the cyberattack on Scripps Health in May 2021. Galochkin and his co-conspirators are alleged to have carried out more than 900 attacks worldwide using Conti ransomware, including the attack on Scripps Health. A federal grand jury in the Northern District of Ohio indicted Galochkin along with co-conspirators Mikhail Mikhailovich Tsarev, Maksim Rudenskiy, Andrey Yuryevich Zhuykov, Sergey Loguntsov, Dmitry Putilin, Max Mikhaylov, Maksim Khaliullin, and Valentin Karyagin for using TrickBot malware to steal money and confidential data from businesses and financial institutions in the United States since 2015. A federal grand jury in the Middle District of Tennessee returned an indictment charging Galochkin and co-conspirators Tsarev, Rudenskiy, and Zhuykov with conspiring to use Conti ransomware to attack businesses, governments, and nonprofits in the United States from 2020 until June 2022, when the Conti operation was shut down.

Galochkin was also one of 11 individuals recently sanctioned by the Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the United Kingdom, in a coordinated action with the U.S. Department of Justice, for membership in the Russian TrickBot cybercrime group. TrickBot was first identified in 2016 as a banking Trojan. It was developed from the Dyre Trojan and was used to attack and steal from non-Russian businesses. The modular malware evolved over the years, and new features were added that enabled the TrickBot group to carry out a range of malicious activities, including ransomware attacks. The group is believed to have extorted more than $180 million from victims worldwide and has carried out many attacks on hospitals and other healthcare organizations in the United States. Although TrickBot is a cybercriminal group, its members are linked to the Russian intelligence services and have conducted cyberattacks on the U.S. federal government and other U.S. entities that align with the objectives of those services.

The 11 sanctioned individuals materially assisted TrickBot operations and included managers, administrators, coders, and developers. Galochkin (also known as Bentley, Volhvb, Crypt) allegedly led a team of testers and was responsible for developing, supervising, and executing tests. The other 10 sanctioned individuals are HR manager Maksim Khaliullin (also known as Kagas); senior administrator Andrey Zhuykov (also known as Dif, Defender); lead coder Maksim Rudenskiy; finance and human resources manager Mikhail Tsarev; infrastructure purchaser Dmitry Putilin (also known as grad, staff); internal utilities group member Mikhail Chernov (also known as Bullet); TrickBot developer Sergey Loguntsov; administrative team member Alexander Mozhaev (also known as Green, Rocco); and coders Vadym Valiakhmetov (also known as Weldon, Vasm, Mentos) and Artem Kurov (also known as Naned).

A total of 18 members of the TrickBot operation have now been sanctioned; the latest 11 follow 7 members sanctioned by the United Kingdom and the United States in February. Designation on OFAC’s sanctions list means that all property and interests in property of these individuals that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. U.S. persons are prohibited from engaging in any transactions with them, including the payment of ransoms. Those who engage in transactions with sanctioned persons may themselves be exposed to OFAC sanctions, and any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the sanctioned individuals may be subject to U.S. correspondent or payable-through account sanctions.

All of the indicted and sanctioned individuals remain at large, and that is likely to remain the case, as they are believed to reside in Russia, which has no extradition treaty with the United States.