Excerpt from Medium Article – Published on Oct 24, 2023
Ransomware attacks have been escalating worldwide, and a recent incident involving a prominent US energy firm illustrates the growing threat. The attack in question was carried out by Akira Ransomware, an increasingly common strain of malware known for encrypting files and demanding cryptocurrency ransoms. This event underscores the urgency of understanding the mechanics of such attacks and implementing robust preventive measures.
Akira Ransomware is malicious software that encrypts files, rendering them inaccessible. The perpetrators then demand a ransom in cryptocurrency in exchange for a decryption key. Attack vectors include phishing emails with malicious attachments or links, exploitation of software vulnerabilities, and brute-force attacks on weak passwords. The encryption is typically strong enough that victims face a stark choice: pay the ransom or restore systems from backups.
The US energy firm BHI Energy fell victim to Akira ransomware on May 30, 2023. Attackers exploited stolen VPN credentials from a third-party contractor to infiltrate the firm’s internal network. Following this, they conducted a meticulous reconnaissance mission within the network, ultimately exfiltrating a substantial 690 GB of data, which included the Windows Active Directory database. On June 29, the attackers deployed Akira Ransomware across BHI Energy’s network, encrypting files and halting operations.
The attack not only held files hostage but also exposed sensitive data, including employee personal information. While the ransom amount wasn’t disclosed, Akira Ransomware typically demands sums ranging from $200,000 to over $4 million. As of the latest update, the stolen data had not appeared on the dark web.
BHI Energy promptly reacted by involving law enforcement and cybersecurity experts, successfully eradicating the threat actor from their network by July 7. The firm was fortunate to have untouched cloud backups, enabling the restoration of their systems without succumbing to ransom demands. To fortify their security, they implemented multi-factor authentication for VPN access, conducted a global password reset, expanded the deployment of Endpoint Detection and Response (EDR), and decommissioned legacy systems.
This incident underscores the significance of proactive cybersecurity measures. Cybersecurity audits, identity and access management (IAM), and password best practices are vital components of a resilient cybersecurity posture. By adopting these practices, organizations can strengthen their defenses and ensure a swift recovery in the event of a breach.
To delve deeper into this topic, please read the full article on Medium.