
The Cybersecurity Lair™ • January 12, 2024

Latest News | Akira Ransomware Surge: Cyber Attackers Targeting Finnish Organizations Erase Backups

Attackers Exploit Cisco Vulnerabilities to Wipe Backups

The Akira ransomware, initially detected in Finland in June 2023, has become increasingly active towards the end of the year. The Finnish National Cybersecurity Center (NCSC-FI) reported 12 instances of Akira ransomware affecting Finnish organisations in 2023, with three attacks occurring during Christmas vacations.


The attackers employed specific tactics, targeting organisations with vulnerable internet-facing Cisco ASA or FTD devices. They gained access by exploiting a vulnerability (CVE-2023-20269) in Cisco firewalls, often through leaked credentials or brute-force attacks. Notably, the compromised accounts lacked multi-factor authentication. Once inside, the attackers meticulously identified and wiped the target organisations' backups before deploying the ransomware. The report highlights that NAS servers and automatic tape backup devices, commonly used for backups, were hacked and wiped.


The Finnish NCSC emphasises the importance of implementing multi-factor authentication (MFA) to enhance login credential security and recommends upgrading Cisco devices to fixed versions. Additionally, the NCSC-FI suggests creating offline backups stored at different physical locations. Information security expert Olli Hönö advises following the 3-2-1 rule for essential backups, which means keeping at least three backups in two different places, with one copy stored completely offline from the network.
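The 3-2-1 rule above can be checked mechanically against a backup inventory. The following is an added example, not code from NCSC-FI or the cited articles; the inventory rows, dataset names and target names are constructed, and the `offline` flag is assumed to be true only for copies with no network path at all (an automatic tape library counts as online, since the report says such devices were wiped).

```python
from collections import defaultdict

# Constructed inventory, one row per backup copy. "offline" is True only when
# the copy cannot be reached over any network (e.g. a tape ejected and vaulted).
INVENTORY = [
    {"dataset": "finance-db", "site": "hq",      "target": "nas01",        "offline": False},
    {"dataset": "finance-db", "site": "hq",      "target": "tape-library", "offline": False},
    {"dataset": "finance-db", "site": "offsite", "target": "vaulted-tape", "offline": True},
    {"dataset": "file-share", "site": "hq",      "target": "nas01",        "offline": False},
    {"dataset": "file-share", "site": "hq",      "target": "tape-library", "offline": False},
    {"dataset": "file-share", "site": "branch",  "target": "nas02",        "offline": False},
    {"dataset": "hr-records", "site": "hq",      "target": "nas01",        "offline": False},
]
REQUIRED = ["finance-db", "file-share", "hr-records", "mail"]  # hypothetical names


def audit_321(inventory, required):
    """Map each required dataset to its violations of the 3-2-1 rule as the
    article states it: three backups, two different places, one copy offline."""
    copies = defaultdict(list)
    for row in inventory:
        copies[row["dataset"]].append(row)
    report = {}
    for name in required:
        rows = copies.get(name, [])
        problems = []
        if len(rows) < 3:
            problems.append(f"only {len(rows)} of 3 backups")
        if len({r["site"] for r in rows}) < 2:
            problems.append("fewer than 2 places")
        if not any(r["offline"] for r in rows):
            problems.append("no offline copy")
        report[name] = problems
    return report


def survives_network_wipe(inventory, required):
    """Datasets that still have a copy if every network-reachable target
    (NAS, automatic tape library) is wiped, as in the incidents described."""
    safe = {r["dataset"] for r in inventory if r["offline"]}
    return {name: name in safe for name in required}


if __name__ == "__main__":
    wipe = survives_network_wipe(INVENTORY, REQUIRED)
    for name, problems in audit_321(INVENTORY, REQUIRED).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{name:12} 3-2-1: {status:55} survives wipe: {wipe[name]}")
```

In the sample data, `file-share` has three copies in two places yet would not survive a wipe of reachable targets, which is the gap the offline-copy requirement closes.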


Source and further reading.


Toulas, B. (2024, January 11). Finland warns of Akira ransomware wiping NAS and tape backup devices. BleepingComputer. https://www.bleepingcomputer.com/news/security/finland-warns-of-akira-ransomware-wiping-nas-and-tape-backup-devices/


Labus, H. (2024, January 12). Akira ransomware attackers are wiping NAS and tape backups. Help Net Security. https://www.helpnetsecurity.com/2024/01/12/finland-akira-ransomware/
