Global Data Storage and Infrastructure Company (unnamed in article)

A sophisticated Akira ransomware attack by the Howling Scorpius group crippled a global data storage and infrastructure company after an employee unknowingly triggered a malicious CAPTCHA (ClickFix) on a car dealership website. This led to the silent deployment of SectopRAT, a .NET-based Trojan that gave the attackers persistent backdoor access. Over 42 days, the group abused privileged credentials over RDP, SSH and SMB, mapped the network, accessed domain controllers, and exfiltrated massive data volumes using WinRAR and FileZillaPortable. Before deploying the Akira ransomware, they wiped critical storage containers, backups, and compute resources, halting operations across three business networks. Virtual machines went offline, business functions froze, and a ransom demand was issued. Despite running two enterprise-grade EDR solutions, the company missed actionable alerts because of alert fatigue and visibility gaps, and detected the breach only after the damage was done. Unit 42 intervened, negotiating a 68% ransom reduction, rebuilding infrastructure, and implementing 24/7 MDR monitoring. The attack exposed systemic failures in threat detection, credential hygiene, and backup resilience, underscoring the lethal efficiency of modern ransomware campaigns.

Source: https://gbhackers.com/akira-ransomware-attack/

TPRM report: https://www.rankiteo.com/company/hammerspace

"id": "ham4393443111925",
"linkid": "hammerspace",
"type": "Ransomware",
"date": "11/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'data storage/infrastructure',
                        'type': 'global data storage and infrastructure '
                                'company'}],
 'attack_vector': ['malicious CAPTCHA (ClickFix)',
                   'social engineering',
                   'SectopRAT malware',
                   'lateral movement via RDP/SSH/SMB'],
 'data_breach': {'data_encryption': True, 'data_exfiltration': True},
 'description': 'A sophisticated Akira ransomware attack orchestrated by the '
                'Howling Scorpius group targeted a global data storage and '
                'infrastructure company. The attack began with an employee '
                'clicking a malicious CAPTCHA (ClickFix) on a car dealership '
                'website, leading to the silent download of SectopRAT. Over 42 '
                'days, attackers moved laterally, exfiltrated data, and '
                'deployed ransomware, causing massive operational disruption. '
                'Despite deploying two EDR solutions, critical alerts were '
                'missed due to visibility gaps and alert fatigue. Unit 42 was '
                'engaged for incident response, ransom negotiation, and '
                'recovery, reducing the ransom demand by 68% and restoring '
                'operations with enhanced monitoring and segmentation.',
 'impact': {'brand_reputation_impact': True,
            'data_compromised': True,
            'downtime': True,
            'operational_impact': ['business operations frozen',
                                   'massive disruption'],
            'systems_affected': ['virtual machines',
                                 'domain controllers',
                                 'storage containers',
                                 'backups',
                                 'servers across three business networks']},
 'initial_access_broker': {'backdoors_established': True,
                           'entry_point': 'malicious CAPTCHA (ClickFix) on a '
                                          'car dealership website',
                           'high_value_targets': ['domain controllers',
                                                  'core network assets',
                                                  'storage containers'],
                           'reconnaissance_period': '42 days'},
 'investigation_status': 'Resolved with Unit 42 assistance',
 'lessons_learned': ['Advanced security tools alone are insufficient without '
                     'proper visibility and alerting.',
                     'Attackers exploit small footholds (e.g., deceptive '
                     'tactics like ClickFix) for large-scale campaigns.',
                     'Missed alerts due to alert fatigue, poor configuration, '
                     'or visibility gaps are a critical risk.',
                     'Active security monitoring and tuned alerts are '
                     'essential to detect evolving threats.',
                     'Comprehensive, actionable visibility (not just logging) '
                     'is necessary for effective defense.'],
 'motivation': ['financial gain (ransom)', 'data exfiltration'],
 'post_incident_analysis': {'corrective_actions': ['Deployed Cortex XSIAM for '
                                                   'unified visibility and '
                                                   'detection.',
                                                   'Implemented network '
                                                   'segmentation and limited '
                                                   'administrative access.',
                                                   'Rotated all credentials, '
                                                   'including Kerberos TGT '
                                                   'accounts.',
                                                   'Eliminated outdated '
                                                   'systems and applied '
                                                   'patches.',
                                                   'Hardened cloud backup and '
                                                   'monitoring strategies.',
                                                   'Engaged Unit 42 MDR for '
                                                   '24/7 monitoring.',
                                                   'Negotiated ransom '
                                                   'reduction (68%) and '
                                                   'secured proof of data '
                                                   'exfiltration.'],
                            'root_causes': ['Failure of EDR solutions to '
                                            'produce actionable alerts despite '
                                            'logging attack stages.',
                                            'Visibility gaps and alert fatigue '
                                            'leading to missed warnings.',
                                            'Lack of network segmentation and '
                                            'excessive administrative access.',
                                            'Outdated systems and unpatched '
                                            'vulnerabilities.',
                                            'Successful social engineering via '
                                            'ClickFix CAPTCHA.']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransom_demanded': True,
                'ransom_paid': True,
                'ransomware_strain': 'Akira'},
 'recommendations': ['Segment networks and limit administrative access to '
                     'reduce lateral movement.',
                     'Rotate all credentials, especially Kerberos TGT '
                     'accounts, to prevent golden ticket attacks.',
                     'Eliminate outdated systems and apply patches '
                     'persistently.',
                     'Harden monitoring and backup strategies, particularly '
                     'for cloud resources.',
                     'Deploy unified visibility tools (e.g., Cortex XSIAM) to '
                     'correlate logs across cloud, network, endpoints, and '
                     'SIEM.',
                     'Engage third-party MDR services for 24/7 monitoring and '
                     'incident response.',
                     'Train employees on social engineering tactics like '
                     'malicious CAPTCHAs (ClickFix).',
                     'Regularly review and tune security alerts to reduce '
                     'fatigue and improve actionability.'],
 'references': [{'source': '2025 Unit 42 Global Incident Response Report'}],
 'response': {'containment_measures': ['network segmentation',
                                       'limiting administrative access',
                                       'credential rotation (including '
                                       'Kerberos TGT)',
                                       'elimination of outdated systems',
                                       'patching'],
              'enhanced_monitoring': True,
              'incident_response_plan_activated': True,
              'network_segmentation': True,
              'recovery_measures': ['24/7 monitoring via Unit 42 MDR',
                                    'hardened backup strategies for cloud '
                                    'resources'],
              'remediation_measures': ['infrastructure rebuilding',
                                       'deployment of Cortex XSIAM for unified '
                                       'visibility'],
              'third_party_assistance': ['Unit 42']},
 'threat_actor': 'Howling Scorpius',
 'title': 'Akira Ransomware Attack via ClickFix CAPTCHA Exploit by Howling '
          'Scorpius',
 'type': ['ransomware',
          'data breach',
          'lateral movement',
          'social engineering'],
 'vulnerability_exploited': ['lack of actionable alerting',
                             'visibility gaps',
                             'privileged credential abuse',
                             'unpatched systems',
                             'outdated systems']}