Feds warn of new ‘Akira’ hacking group targeting health care

© Health Sector Cybersecurity Coordination Center

Federal cybersecurity experts are warning health care information technology experts about a new threat that has become significant in less than a year.

Akira ransomware was first identified in May 2023 and has claimed at least 81 victims, according to the Health Sector Cybersecurity Coordination Center (HC3) in the U.S. Department of Health and Human Services. Akira “has demonstrated aggressive and capable targeting of the U.S. health sector in its short lifespan,” said the HC3 analyst note published this week.

The hackers may have connections to the Conti ransomware gang, which is now defunct; no formal relationship has been confirmed, but the connection could indicate the sophistication of Akira’s operations, and that they are highly capable and a serious threat, according to HC3.

Akira has partnered with other hackers for attacks and sharing fees. The group also uses double extortion, charging to restore encrypted data, then charging a second fee to ensure no leaks of stolen information, according to HC3.

Most of the targets have been in the United States, focused in California, Texas, Illinois, and the Northeast region.

The group relies heavily on credential compromise to gain access to computer networks.

HC3 published these tips from the FBI to bolster online security:

• Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.

• Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.

• Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating system-defined or system-recognized scheduled tasks for unrecognized “actions.” (For example, review the steps each scheduled task is expected to perform.)

• Review anti-virus logs for indications that they were unexpectedly turned off.

• Implement network segmentation.

• Require administrator credentials to install software.

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud). • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.

• Use multi-factor authentication where possible.

• Regularly change the passwords to network systems and accounts and avoid re-using passwords for different accounts.

• Implement the shortest acceptable timeframe for password changes

• Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.

• Audit user accounts with administrative privileges and configure access controls with least privilege in mind.

• Install and regularly update anti-virus and anti-malware software on all hosts.

• Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a virtual private network (VPN).

• Consider adding an email banner to emails received from outside your organization.

• Disable hyperlinks in received emails.

Also, the 3-2-1 rule is important to implement across the enterprise. This means:

• Maintain at least three copies of all important files.

• Store these files on two different media types.

• Ensure one copy is offsite and preferably offline.