Veeam, SonicWall and Cisco: Researchers Observe Sub-One-Hour Ransomware Attacks

Akira Ransomware Group Accelerates Attacks, Completing Full Compromise in Under an Hour

Security researchers at Halcyon have identified a significant escalation in ransomware attack speed, with the Akira group now executing full attack lifecycles from initial access to data encryption in as little as one hour. The group, suspected to include former Conti hackers, has emerged as one of the most sophisticated ransomware operations since its debut in March 2023.

Akira primarily gains entry by exploiting vulnerabilities in internet-facing VPN appliances and backup servers, especially where multi-factor authentication (MFA) is not enforced, so that a single valid password is enough to log in. Affected vendors have included SonicWall, Veeam, and Cisco. The group also relies on stolen credentials, spearphishing, password spraying, and access purchased from initial access brokers (IABs).
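
A minimal detector for the password-spraying pattern described above, added here as an example; it is not from the Halcyon report or from any vendor product. It assumes a simplified log line format (`timestamp src_ip user result`) and illustrative thresholds (five distinct accounts from one source within ten minutes); the log lines are constructed. The distinguishing signal of a spray is many different usernames with few attempts each from one source, so a success from that same source is treated as a likely compromised account.

```python
"""Password-spray detection over constructed VPN authentication log lines.

Added example, not the Halcyon report's or any vendor's code. Log format,
field names and thresholds are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <src_ip> <user> <result>".
# 203.0.113.7 walks through many accounts quickly (a spray) and lands one.
# 198.51.100.9 hammers a single account (brute force, not a spray).
SAMPLE_LOG = """\
2025-03-03T01:00:01 203.0.113.7 alice FAIL
2025-03-03T01:00:03 203.0.113.7 bob FAIL
2025-03-03T01:00:05 203.0.113.7 carol FAIL
2025-03-03T01:00:07 203.0.113.7 dave FAIL
2025-03-03T01:00:09 203.0.113.7 erin FAIL
2025-03-03T01:00:11 203.0.113.7 frank FAIL
2025-03-03T01:00:14 203.0.113.7 grace SUCCESS
2025-03-03T01:05:00 198.51.100.9 alice FAIL
2025-03-03T01:05:20 198.51.100.9 alice FAIL
2025-03-03T01:05:40 198.51.100.9 alice SUCCESS
"""


def parse(log_text):
    """Turn the simplified log text into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: {"users": [...], "compromised": [...]}} for every source IP
    that failed against at least `min_users` distinct accounts inside any
    `window`-long span. "compromised" lists accounts that later succeeded
    from that same IP, since a spray that lands one password is the case
    responders care about most."""
    fails = defaultdict(list)      # ip -> [(timestamp, user)]
    successes = defaultdict(set)   # ip -> {user}
    for ts, ip, user, result in sorted(events):
        if result == "FAIL":
            fails[ip].append((ts, user))
        elif result == "SUCCESS":
            successes[ip].add(user)

    alerts = {}
    for ip, attempts in fails.items():
        best = set()
        start = 0
        # Sliding window over this IP's failures, already sorted by time.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users and len(users) > len(best):
                best = users
        if best:
            alerts[ip] = {"users": sorted(best),
                          "compromised": sorted(successes[ip])}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"{ip}: sprayed {len(info['users'])} accounts, "
              f"successful logins: {info['compromised'] or 'none'}")
```

The single-account pattern from 198.51.100.9 is deliberately not flagged here: it is brute force against one user, a different signal with a different threshold, and a real deployment would run both checks. On a VPN without MFA, the "compromised" list is the set of accounts to disable and sessions to terminate first.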

Once inside, Akira runs a double-extortion model: data is exfiltrated first and the files are encrypted afterwards. To evade detection, the group disables security software and relies on legitimate, off-the-shelf tools such as FileZilla, WinRAR, WinSCP, and RClone for data staging and exfiltration, so the transfers look like routine administrative traffic rather than malware activity. Notably, Akira uses intermittent encryption, scrambling as little as 1% of each file: the file is still rendered unusable, the encryption pass finishes far sooner, and the window in which the activity can be detected shrinks accordingly.
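
The intermittent-encryption point is worth seeing in numbers. The following is an added example, not Akira's code and not from the Halcyon report: it builds a constructed document in memory, overwrites roughly 1.5% of it with high-entropy bytes (SHA-256 output standing in for cipher output), and shows that a whole-file entropy score stays in the plaintext range while a per-window scan still flags the file. Window size and thresholds (512 bytes, 7.0 and 5.0 bits per byte) are assumptions chosen for illustration.

```python
"""Per-window entropy check that catches intermittent (partial) encryption.

Added example, not from the Halcyon report or any ransomware sample. The
document and its "encrypted" stripes are constructed in memory; a SHA-256
chain simulates ciphertext, which is enough to reproduce the entropy
signature a detector sees. Thresholds and window size are assumptions.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(length: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes from a SHA-256 chain (stand-in for cipher output)."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


def build_sample(total=128 * 1024, stripe=512, period=32 * 1024) -> bytes:
    """Plaintext-like document with one `stripe`-byte encrypted run every
    `period` bytes, i.e. stripe/period of the file touched (512/32768 ~ 1.5%)."""
    text = b"Quarterly report: revenue, costs, headcount. "   # constructed content
    buf = bytearray((text * (total // len(text) + 1))[:total])
    for off in range(0, total, period):
        buf[off:off + stripe] = pseudo_ciphertext(stripe, off.to_bytes(4, "big"))
    return bytes(buf)


def classify(data: bytes, window=512, high=7.0, low=5.0):
    """Return (verdict, whole_file_entropy, n_high_windows, n_low_windows).

    'intermittent' when ciphertext-like and plaintext-like windows coexist,
    'encrypted' when nearly every window is ciphertext-like, else 'clean'.
    The whole-file score is returned so the reader can compare it with a
    naive single-threshold check."""
    whole = shannon_entropy(data)
    windows = [data[i:i + window] for i in range(0, len(data), window)]
    n_high = sum(1 for w in windows if shannon_entropy(w) >= high)
    n_low = sum(1 for w in windows if shannon_entropy(w) <= low)
    if n_high and n_low:
        verdict = "intermittent"
    elif windows and n_high >= 0.9 * len(windows):
        verdict = "encrypted"
    else:
        verdict = "clean"
    return verdict, whole, n_high, n_low


if __name__ == "__main__":
    verdict, whole, n_high, n_low = classify(build_sample())
    print(f"whole-file entropy {whole:.2f} bits/byte (looks like plaintext)")
    print(f"windows: {n_high} ciphertext-like, {n_low} plaintext-like -> {verdict}")
```

The whole-file score for the sample lands around 4 bits per byte, the same range as untouched text, so a detector that scores files as a whole would let it pass; the per-window scan finds four ciphertext-like windows among 256 and flags it. The cost is proportionally more entropy computations per file, which is the trade-off a canary-file or endpoint monitor has to accept to keep up with a sub-hour encryption pass.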

Halcyon’s report highlights Akira’s disciplined operational tempo, with attacks typically completed in under four hours and some in less than 60 minutes. The group’s stealthy approach, reliance on zero-day exploits, and use of compromised credentials allow it to maintain covert access while rapidly encrypting systems. Since its emergence, Akira has reportedly generated $244 million in ransom payments, according to U.S. government estimates.

Source: https://www.infosecurity-magazine.com/news/researchers-subonehour-ransomware/

Veeam Software cybersecurity rating report: https://www.rankiteo.com/company/veeam-software

SonicWall cybersecurity rating report: https://www.rankiteo.com/company/sonicwall

Cisco cybersecurity rating report: https://www.rankiteo.com/company/cisco

{
  "id": "VEESONCIS1775140482",
  "linkid": "veeam-software, sonicwall, cisco",
  "type": "Ransomware",
  "date": "3/2023",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "attack_vector": [
    "Exploiting vulnerabilities in VPN appliances",
    "Exploiting vulnerabilities in backup solutions",
    "Credential theft",
    "Spearphishing",
    "Password spraying",
    "Initial access brokers (IABs)"
  ],
  "data_breach": {"data_encryption": true, "data_exfiltration": true},
  "description": "Security researchers at Halcyon have identified a significant escalation in ransomware attack speed, with the Akira group now executing full attack lifecycles from initial access to data encryption in as little as one hour. The group, suspected to include former Conti hackers, has emerged as one of the most sophisticated ransomware operations since its debut in March 2023. Akira primarily gains entry by exploiting vulnerabilities in internet-facing VPN appliances and backup solutions, particularly those without multi-factor authentication (MFA). Once inside, Akira follows a double-extortion model, exfiltrating data before encrypting files. The group disables security software and leverages living-off-the-land tools for data staging and exfiltration, using intermittent encryption to maximize impact while minimizing detection time.",
  "impact": {
    "data_compromised": true,
    "financial_loss": "$244 million in ransom payments (estimated)"
  },
  "initial_access_broker": {"entry_point": ["VPN appliances", "Backup solutions"]},
  "motivation": "Financial gain (ransom payments)",
  "post_incident_analysis": {
    "root_causes": [
      "Exploitation of unpatched vulnerabilities",
      "Lack of MFA",
      "Use of living-off-the-land tools"
    ]
  },
  "ransomware": {
    "data_encryption": true,
    "data_exfiltration": true,
    "ransom_paid": "$244 million (estimated total)",
    "ransomware_strain": "Akira"
  },
  "references": [{"source": "Halcyon Report"}, {"source": "U.S. Government Estimates"}],
  "threat_actor": "Akira Ransomware Group (suspected former Conti hackers)",
  "title": "Akira Ransomware Group Accelerates Attacks, Completing Full Compromise in Under an Hour",
  "type": "Ransomware",
  "vulnerability_exploited": [
    "Lack of multi-factor authentication (MFA)",
    "Vulnerabilities in SonicWall, Veeam, and Cisco products"
  ]
}