The Akira ransomware-as-a-service group is once again exploring double extortion attack tactics after engaging in pure extortion attacks from late last year to earlier this year, indicating the continuous evolution of its operations, SC Media reports.
Although Akira has used an updated Rust-based encryptor dubbed "Akira v2" against VMware ESXi systems since January, it has also deployed new C++ samples for Windows and Linux systems that speed up encryption by using the ChaCha8 algorithm, according to an analysis from Cisco Talos researchers.
The researchers noted that Akira may be seeking to ensure operational stability by reusing established attack techniques.
Further analysis revealed Akira to be leveraging the critical SonicWall SonicOS remote code execution vulnerability, tracked as CVE-2024-40766, and the critical Fortinet FortiClientEMS SQL injection bug, tracked as CVE-2023-48788, as well as the Cisco vulnerabilities, tracked as CVE-2020-3259 and CVE-2023-20263, and the Veeam Backup and Replication issue, tracked as CVE-2024-40711, among others.
"As Akira continuously refines its ransomware, affiliates are equally proactive in selecting and exploiting new vulnerabilities for initial access, adapting their tactics in tandem," said researchers.