Remnants of the notorious and now defunct Conti ransomware gang have reassembled as Akira, a fast-growing criminal enterprise behind a bevy of recent cyberattacks.
A review of blockchain data reveals that remnants of the once-powerful Conti ransomware group are tied to Akira. The connection is noteworthy, given Conti’s past. Conti, which collapsed in disarray last year, was a ransomware kingpin in 2021, executing 600 successful campaigns that year and generating total revenue of around $2.7 billion in cryptocurrency.
The Conti threat group fell apart shortly after a Ukrainian security researcher infiltrated its infrastructure and leaked screeds of information, including its ransomware encryptor source code and records of internal chats.
Akira’s ascension
A blockchain ledger analysis by Arctic Wolf Labs uncovered how Akira’s cryptocurrency transactions link former Conti operatives with the newcomer ransomware gang. Akira is believed to be responsible for 63 attacks since it was first observed in March 2023, according to researchers.
Arctic Wolf researchers Steven Campbell, Akshay Suthar and Connor Belfiore said that, like other threat groups leveraging the ransomware-as-a-service model, Akira exfiltrated data before encrypting victim devices so it could double-extort its targets.
“The group does not insist on a company paying for both decryption assistance and the deletion of data. Instead, Akira offers victims the opportunity to pick and choose what they would like to pay for,” researchers said.
Akira’s ransom demands ranged from $200,000 to over $4 million and, if payment is not agreed, the victim’s name and data are published on the group’s leak site. Akira predominantly targeted small to medium-sized businesses, with 53 of the 63 victims named on its site employing fewer than 1000 people.
Typical targets
The researchers described Akira as an “opportunistic” ransomware group. “In nearly every incident response case Arctic Wolf investigated, the threat actors claimed that they needed time to review the exfiltrated data to determine a ransom demand.”
The group generally used compromised credentials – presumably bought via illicit online markets – to gain initial access to victims’ environments. “Notably, the majority of victim organizations did not have multi-factor authentication (MFA) enabled on their VPNs,” the researchers said.
Putting blockchain analysis to work
While it was no surprise that Conti veterans had migrated to Akira and other threat groups, the leak of Conti’s encryptor source code made it difficult for researchers to track Akira’s movements by analyzing code overlap between groups, since any group could now build on that code, the researchers said. To overcome this, Arctic Wolf Labs scrutinized transactions between cryptocurrency wallets recorded on publicly viewable blockchain ledgers.
“By leveraging known threat actor cryptocurrency wallet addresses, we are able to conduct pattern analysis of the transactions and discover additional wallet addresses,” the researchers said.
“In some instances, we have observed cryptocurrency address reuse between threat groups, indicating the individual controlling the address or wallet has either splintered off from the original group or is working with another group at the same time,” they said.
Arctic Wolf Labs used the same blockchain analysis techniques last year to link extortion group Karakurt to Conti and another ransomware threat actor, Diavol.
Crypto transactions link Conti and Akira
The researchers uncovered “multiple occasions” on which known Akira ransomware transactions overlapped with those of Conti threat actors.
“In at least three separate transactions, Akira threat actors sent the full amount of their ransom payment to Conti-affiliated addresses; the three transactions totaled over $600K (USD),” they said.
The researchers found that all the Conti-affiliated addresses they reviewed conducted transactions with a group of shared intermediary wallets that were used to cash out funds from the ransom payments or to transfer funds within the group.
“Notably, two of the Conti-affiliated wallets had transactions with wallets linked to Conti’s leadership team, with one housing addresses used to receive ransom payments for multiple ransomware families.”
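The three transaction patterns the report relies on (a ransom payment passed on in full to another group’s address, intermediary wallets shared by several known addresses of one group, and expanding a seed list of known addresses from transaction patterns) can be checked mechanically over a ledger extract. The following is an added example, not Arctic Wolf Labs’ tooling or method: the `Tx` records, the `KNOWN_WALLETS` seed list and every address name are constructed placeholders, and the `discover_candidates` expansion rule is this example’s own heuristic, not the one the researchers used.

```python
from collections import defaultdict
from typing import NamedTuple


class Tx(NamedTuple):
    """One on-chain transfer. Constructed data; amounts in arbitrary coin units."""
    src: str
    dst: str
    amount: float


# Constructed seed list of known threat-actor addresses (placeholder names, not real wallets).
KNOWN_WALLETS = {
    "conti_A": "conti",
    "conti_B": "conti",
    "akira_A": "akira",
    "akira_B": "akira",
}

# Constructed ledger extract mimicking the patterns the report describes.
LEDGER = [
    Tx("victim_1", "akira_A", 4.0),     # ransom paid to an Akira address
    Tx("akira_A", "conti_A", 4.0),      # the full amount forwarded to a Conti-affiliated address
    Tx("victim_2", "akira_B", 2.5),
    Tx("akira_B", "mixer_1", 1.0),      # partial transfer, not a full forward
    Tx("unrelated_1", "mixer_1", 0.7),  # mixer_1 also takes funds from an unknown party
    Tx("akira_B", "akira_C", 1.5),      # unlabelled address fed only by a known Akira wallet
    Tx("conti_A", "hub_X", 4.0),        # both Conti addresses cash out through hub_X
    Tx("conti_B", "hub_X", 3.0),
    Tx("hub_X", "exchange_1", 7.0),
]


def inflows(ledger):
    """Map each address to the list of transfers it received."""
    incoming = defaultdict(list)
    for tx in ledger:
        incoming[tx.dst].append(tx)
    return incoming


def full_forwards(ledger, known, from_group, to_group, tol=1e-9):
    """Payments into a `from_group` address that were passed on in full
    to a `to_group` address: the pattern behind the report's $600K finding."""
    matches = []
    for received in ledger:
        if known.get(received.dst) != from_group:
            continue
        for sent in ledger:
            if (sent.src == received.dst
                    and known.get(sent.dst) == to_group
                    and abs(sent.amount - received.amount) <= tol):
                matches.append((received, sent))
    return matches


def shared_intermediaries(ledger, known, group, min_sources=2):
    """Unlabelled addresses receiving funds from at least `min_sources` distinct
    addresses of one group: candidate cash-out or internal-transfer hubs."""
    hubs = set()
    for addr, txs in inflows(ledger).items():
        if addr in known:
            continue
        sources = {tx.src for tx in txs if known.get(tx.src) == group}
        if len(sources) >= min_sources:
            hubs.add(addr)
    return hubs


def discover_candidates(ledger, known):
    """Heuristic seed-list expansion (this example's assumption, not the
    researchers' method): an unlabelled address whose every inflow comes from
    addresses of a single known group is tagged as a candidate for that group."""
    candidates = {}
    for addr, txs in inflows(ledger).items():
        if addr in known:
            continue
        groups = {known.get(tx.src) for tx in txs}
        if len(groups) == 1 and None not in groups:
            candidates[addr] = groups.pop()
    return candidates


if __name__ == "__main__":
    for received, sent in full_forwards(LEDGER, KNOWN_WALLETS, "akira", "conti"):
        print(f"full forward: {received.src} -> {received.dst} -> {sent.dst} ({sent.amount})")
    print("conti hubs:", shared_intermediaries(LEDGER, KNOWN_WALLETS, "conti"))
    print("candidates:", discover_candidates(LEDGER, KNOWN_WALLETS))
```

On the constructed ledger, `full_forwards` returns the single victim_1 payment that akira_A relayed unchanged to conti_A, `shared_intermediaries` flags hub_X as the wallet both Conti addresses cash out through, and `discover_candidates` proposes akira_C and hub_X for follow-up while leaving mixer_1 alone because it also receives from an unlabelled party. In practice each candidate would be corroborated with further evidence before being added to the seed list, since single-hop heuristics like this one also catch exchanges, mixers and other unrelated services.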
The findings indicated that despite the demise of Conti, its former members had “continued to wreak havoc on organizations in 2023 through their activity with other ransomware-as-a-service groups, including Akira,” Arctic Wolf Labs’ report concluded.
“Akira continues to evolve and grow as a ransomware group by changing its tactics to evade detection. Security best practices, such as enabling MFA on VPN appliances, can greatly hinder Akira’s ability to successfully compromise an organization.”