Akira Ransomware Targets the LATAM Airline Industry

July 16, 2024, 10:26 a.m.

Description

An in-depth analysis examined a threat actor using Akira ransomware to compromise a Latin American airline. The attacker gained initial network access over SSH by exploiting a vulnerability in Veeam backup software, exfiltrated critical data, and deployed the ransomware payload the following day. The intrusion relied on a range of legitimate tools and techniques for reconnaissance, persistence, and widespread encryption of victim systems as part of a double-extortion scheme.

Date

  • Created: July 16, 2024, 9:53 a.m.
  • Published: July 16, 2024, 9:53 a.m.
  • Modified: July 16, 2024, 10:26 a.m.

Indicators

  • 9b42decb7ea825b939fc36ab924e0c80324e0a4eccb4c371eac60a8672af9603
  • 77.247.126.158

Attack Patterns

  • Akira
  • Storm-1567
  • T1136.002
  • T1222.001
  • T1021.002
  • T1021.004
  • T1069
  • T1087.001
  • T1136.001
  • T1021.001
  • T1537
  • T1588.002
  • T1048
  • T1490
  • T1482
  • T1560.001
  • T1018
  • T1531
  • T1204.001
  • T1059.001
  • T1562.001
  • T1489
  • T1486
  • T1016
  • T1105
  • T1083
  • T1570
  • T1047
  • T1219
  • T1098
  • T1112
  • T1190
  • T1133
  • T1078
  • CVE-2023-27532
  • CVE-2023-20269
  • CVE-2020-3259

Additional Information

  • Transportation