Feds Warn Health Sector About Akira Again, Amid New Attacks
Fraud Management & Cybercrime , Healthcare , Industry Specific
Recent Victims Include Pennsylvania Emergency Dispatch System
U.S. federal authorities are again warning the healthcare sector about threats from the Akira ransomware group. The latest alert comes on the heels of several recent attacks by the gang, including one last month on Bucks County, Pennsylvania, which shut down an IT system used by emergency responders for more than a week.
See Also: OnDemand Panel | Securing Operational Excellence: Thwarting CISOs 5 Top Security Concerns
The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center on Wednesday issued its second alert about Akira in the last five months, warning that while the ransomware gang has only been operating since March 2023, it has become “a significant threat” to the U.S. public and private health sectors (see: Feds Warn Healthcare Sector of Akira Ransomware Threats).
The HHS HC3’s most recent alert follows a similar warning last month by the Finnish government’s National Cyber Security Center about Akira and a rash of attacks in December against organizations across several sectors in multiple countries.</>
The attacks include one in January on Finnish IT services firm Tietoevry that led to widespread outages in Sweden, affecting healthcare, local and national government services, retail outlets and the country’s largest cinema chain (see: Ransomware Hit on Tietoevry Causes IT Outages Across Sweden).
While Akira has been a global threat – claiming about 81 victims so far – the group appears to be focusing its attention on the U.S. and has in particular been hitting organizations in California, Texas, Illinois and states on the East Coast, especially the Northeast, HHS HC3 said. In addition to healthcare, other targeted industries include materials, manufacturing, goods and services, construction, education, finance and legal, HHS HC3 said.
Bucks County officials said the Akira ransomware attack took the county’s Department of Emergency Communications’ computer-aided dispatch, or CAD, systems offline for nine days.
During the outage, dispatchers relied on backup systems to document and dispatch calls, and 911 call-taking and dispatch abilities were not interrupted during the incident, the county said.
Bucks County said it did not negotiate with the attacker or pay a ransom to restore its systems. The county’s IT and Emergency Communications departments restored the CAD system through its backups, and further rebuilding of the system is ongoing, the county said in a statement.
On Wednesday, the Bucks County Board of Commissioners approved resolutions permitting contracts with cyber forensic and legal firms, as well as a Declaration of Disaster Emergency, to support the county’s efforts to expedite further restoration of the affected CAD system, the county said in a statement.
So far, Bucks County’s forensics investigation has not found evidence that any data was copied or extracted from the CAD system, the county said. The incident is still under investigation by county, state and federal authorities.
A Bucks County spokesman declined Information Security Media Group’s request for additional details about the attack.
Related to Conti?
The current Akira threat does not appear to be related to an earlier ransomware variant also called Akira that surfaced briefly in 2017, HHS HC3 said. But the current Akira ransomware-as-a-service group – which focuses on double-extortion attacks – appears to have connections with the now-defunct Conti gang, HHS HC3 said.
Akira uses a similar exploitation approach, targets similar files and directories and uses a similar application for encryption algorithms. The group’s ransom payment addresses and use of comparable functions also point to a Conti link, HHS HC3 said.
“While any formal relationship or connection between the two groups has not been confirmed, such a connection could indicate a degree of sophistication to Akira’s operations and reinforce the idea that they are highly capable and should be considered a serious threat,” HHS HC3 said.
Taking Action
Akira targets includes both Windows and Linux infrastructures, and it gains initial access through tactics such as spear-phishing and exploiting vulnerabilities in virtual private network software.
“They then create an account – ostensibly via the VPN application – in order to establish persistent access to the network. After using appropriate tools to attempt to obscure their activities from detection, they immediately begin conducting network reconnaissance to understand their operational environment,” HHS HC3 said.
The attackers use tools to acquire existing credentials, move around the infrastructure and establish communications and command and control back to their infrastructure. Then, “they finally steal data and deploy ransomware,” HHS HC3 said.
The federal alert urges health sector organizations to take a variety of measures to help defend against Akira attacks. That includes ensuring identity and access management capabilities are in place, especially multifactor authentication for VPNs.
“Akira has a history of compromising VPNs that are not protected with MFA. Akira is heavily focused on exploiting legitimate remote access tools, which include AnyDesk and tools that leverage the Remote Desktop Protocol,” HHS HC3 said.
“Patch management for these tools – as well as other applications, especially those that are internet-facing – is critical.”
HHS HC3 also said that entities should take measures to ensure credentials are properly protected and appropriate password maintenance and update policies are in place and enforced. “Akira has a history of compromising credentials stored in Active Directory and dumping Local Security Authority Subsystem Service process memory,” the agency said.
Also, adding user accounts to security-enabled local groups will help prevent Akira from compromising accounts to establish persistent access, HHS HC3 said.
“Monitoring for account compromise and unusual activity, and ensuring old, unused accounts are automatically deleted after a period of time can help reduce the attack surface.”