B (9:50)

From phishing to ransomware Cyber threats are constant, but with Nordlayer your defense can be too. Nord layer brings together secure access and advanced threat protection in a single seamless platform. It helps your team spot suspicious activity before it becomes a problem. By blocking malicious links and scanning downloads in real time, preventing malware from reaching your network. It's quick to Deploy easy to scale and built on zero trust principles so only the right people get access to the right resources. Get 28% off on a yearly plan at nordlayer.com cyberwire daily with code CYBERWIRE28 that's nordlayer.com CyberWire Daily Code CYBERWIRE28 that's valid through December 10, 2025. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allow listing, you stop unknown executables cold. With Ringf Fencing, you control how trusted applications behave. And with Threat Locker DAC defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. Threat Locker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo@threatlocker.com N2K today.

A (11:55)

Foreigner recently sat down with Cynthia Kaiser, SVP of the Ransomware Research center at Halcyon, as they took on a deep dive on Akira ransomware. Here's their conversation.

C (12:12)

It's really one of the most aggressive ransomware actors that we're tracking, and that's saying something right among all these people who are really the lowest of the low. But I think one of the most important things to know about Akira is it's all about speed with them. So we're seeing ransomware attacks getting faster and faster, but Akira's really at the front edge of getting all of these attacks happening in a really quick way.

B (12:48)

Well, let's dig into that together. What are some of the tactics, techniques and procedures that they use to make that happen?

C (12:55)

So we don't actually see them encrypting the full file. They're encrypting a small percentage of files as they go through in an effort to encrypt as much as they can as quick as they can, which I think, you know, makes sense when you think about it, but also isn't something that we'd ne I necessarily had at the front of my mind as we were starting to look at that, the actor, and see some of the incidents that we're responding to. They, of course, are doing what has become really typical of ransomware actors, which is looking to kind of Blind or tamper with endpoint detection, because they want to try to figure out ways to be able to be stealthy, to not let somebody know they're there. And that helps them enumerate the whole network, have everything in place so that when they're staged, when they're going for patient zero, it's only going to take minutes for them to encrypt over a hundred or more across the systems. And they're starting with those portions of your network that'll give them a lot of access at once, the hypervisors. So as you increase your virtualization in your network, they're going after those components so that they can reach more of your network more quickly.

B (14:19)

Help me understand the infection vectors here. How do they typically get on someone's system?

C (14:26)

We're seeing them use the sonic wall vulnerabilities that have been widely published over, I think, since the summer. You normally can get some type of Compromise credentials for SonicWall and then be able to utilize that for the known vulnerability that's on them to get onto a system. And then once they're on a system, they create admin credentials for themselves so that it's no longer really detectable what they do. So unless you're kind of detecting them at that sonic wall, that early initial access, it becomes harder and harder to find them until they're ready to encrypt.

B (15:12)

Hmm. Are they using living off the land techniques here to keep themselves hidden?

C (15:18)

Absolutely. We see that among a lot of ransomware actors, where they're using the tools that you already have in your system to be able to conduct their activities. So what was interesting here and some of the tactics you see among some of the actors, is they will basically try to trick trusted apps on your system into running a malicious tool. DLL sideloading. We saw them in one incident because we were responding, and we actually were able to block encryption through almost the whole network. And they didn't know what was going on. And so they started trying all these different tricks. And some of it was they were going around, they were like, trying to figure out a different way in a different way to do the encryption. And one of those was I doing that DLL sideloading, tricking trusted apps on systems. They use anydesk. They use several different tools that are on a system, but all of that's really fueled by creating those credentials for themselves. So they just look like a typical user.

B (16:27)

And who do they seem to be targeting here? Are there any particular sectors that have their attention?

C (16:33)

It feels like manufacturing, business services, and Construction take the brunt of the hits. But there's absolutely affects across all industries. Think like retail, it, education, finance. If you look at where they've claimed to have done attacks, so, you know, whether they're, you know, posting data on their leak site, et cetera, it's about 60 attacks just in November alone. That's a crazy amount. And so really, you have to think about everybody is being targeted because they're trying to maximize the vulnerabilities they have now to be able to get onto systems.

B (17:21)

And they're running an affiliate model here. That's part of how they have such breadth, widespread attack capabilities, I suppose.

C (17:33)

Yeah, they're a ransomware as a service, which group, which really means somebody develops the malware, and then there are affiliates who borrow the malware from the developers, go out and conduct the attacks against various targets, and then give a share of the profits back to the developers themselves. I mean, in this way, it really shields the developers from a lot of the risk of actually conducting the attacks, but it allows the larger group itself to just have a lot more reach across, to be able to conduct simultaneous attacks at once. There's some downsides to that model, I think. We've seen exit schemes from certain groups. We've seen various ways in which those groups are more easily infiltrated by law enforcement, which, I mean, negative for them, positive for us. Right. But overall, they do this to try to see if they can make the most money that they can as quickly as they can.

B (18:43)

I feel funny asking this question, but are they an honorable group as far as ransomware groups go? If you pay them, are you going to get your stuff back?

C (18:53)

That's always a hard question. Right? Because a lot of the. In most cases you receive a decryptor, whether it works on all your files is a different story for Akira itself. Overall, I think we. Our experience has seen, yes, for the most part, the decryptor would work, but there's a lot of other groups that you get the decryptor and like, it turns out, like malware developers don't spend a lot. They spend a lot of time breaking things and they don't spend a lot of time figuring out how to fix them. Again, you know, there are a lot of, a lot of careless decryptors out there. But more so this is a group that also steals data. And there are, in. Most ransomware groups will come out and say, oh, if you pay us this ransom, we won't leak your data. Some claim, oh, we won't. We'll Delete your data. I mean, there has not been a group that I've seen who says they were going to delete the data. Where, when I was over at the Bureau or now, so I was at the FBI right before and now I'm at Halcyon. I've not seen any instance where once we were able to look under the hood of what was going on and those ransomware groups and their infrastructure that they actually deleted customer data. Right, Right.

A (20:22)

Yeah.

B (20:22)

Why would they?

C (20:23)

Right. I mean, part of it's like, why would they just spend the time doing it? They don't need to.

B (20:28)

Right, right. So what are your recommendations then? I mean, for folks to best protect themselves here. What, what should they be doing?

C (20:37)

The first thing I advise is going to the updated cybersecurity advisory that was put out by FBI, CISA and a host of other agencies last week where they recommend prioritizing, remediating, known exploited vulnerabilities. So like the sonicwall vulnerability that I was talking about earlier, enabling and enforcing phishing resistant multi factor authentication. So not necessarily just text based, you get a code, but using authenticator apps or some other type of phishing resistant multi factor. And the kind of normal ransomware advice we give, which is maintaining regular backups of data, ensuring backups are stored offline, and regularly testing the restoration process. In addition to what that cybersecurity advisory noted, I'd also note ensuring that you have some type of a defense in depth that ensures if your endpoint detection is turned off or blinded in some way, you still are able to identify the actors or that at least something funny is going on across your network. Having lots of different points of security is just essential nowadays to all of these advancing ransomware actors.

B (21:57)

How do you rate the sophistication of Akira?

C (22:01)

Akira is very sophisticated. It's incredibly difficult to identify them when they're on a system. Even in the after, when you're doing an incident response, it can be hard to determine how information might have been taken from your network, what information was taken from your network, or really what happened between them getting onto the network and then getting to that final encryption event. So it's aggressive, but it's also sophisticated, which is a terrible combination for all of us.

A (22:39)

That was Cynthia Kaiser, SVP of the Ransomware Research center at Halcyon, sharing a deep dive on Akira ransomware. Learn more on Halcyon's threat actor profile of Akira and how they fit into their latest malicious quartile report. There's a link for you in the show Notes. At Thales, they secure what matters most. The most trusted companies and organizations utilize Thales cybersecurity products to protect critical applications, sensitive data and identities anywhere at scale. Through their innovative services and integrated platforms, Thales provides customers a greater visibility of risks, the ability to defend against cyber threats, close compliance gaps, and deliver trusted digital experiences for billions of consumers every day. That's Thales T H A L E S learn more@cpl.talasgroup.com. Give Big Save big with RACC Friday deals at Nordstrom Rack For a limited time, take an extra 40% off red tag clearance for a total Savings up to 75% off. Save on gifts for everyone on your list from brands like Vince Cole, Hahn, Sam Edelman and more. All sales final and restrictions apply. The best stuff goes fast, so bring your gift list and your wish list to your nearest Nordstrom Rack today. And finally today, Campbell Soup Chief Information Security Officer, is in hot water after a lawsuit claimed that he made disparaging remarks about the company's soup as well as racist comments about his Indian co workers. The executive, Martin Valley, has been placed on leave pending an investigation. The lawsuit was filed by a former employee of the company, remote security analyst Robert Garza. Garza recorded Bali's comments during a lunch meeting and claims that he was fired after bringing the recording to a superior. Bally allegedly said that Campbell's makes unhealthy soup for, quote, poor people using 3D printed chicken and bioengineered meats. For its part, Campbell said in a statement, and I quote, the comments on the recording are not only inaccurate, they are patently absurd. Keep in mind the alleged comments are made by an IT person who has nothing to do with how we make our food. End quote. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com a quick programming note everybody. We will not be publishing tomorrow through Sunday in observance of the Thanksgiving holiday here in the United States States. We do have some great content planned for you though to check out in our Cyberwire Daily Podcast feed and we will see you back here on Monday. Enjoy your turkey everyone, and Happy Thanksgiving. And that's the Cyberwire Daily brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K senior producer is Alice Carruth. Our producer is Liz Stokes. We are mixed by Elliot Piltzman and Trey Hester with original music by Elliot Piltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Maria Varmazis in for host Dave Bittner. Thank you for listening. Have a wonderful Thanksgiving. Hey, Ryan Reynolds here wishing you a very happy half off holiday because right now Mint Mobile is offering you the gift of 50% off unlimited. To be clear, that's half price, not half the service. Mint is still premium unlimited wireless for a great price. So that means a half day.

C (27:34)

Yeah.

A (27:34)

Give it a try@mintmobile.com Switch upfront payment.

C (27:38)

Of $45 for three month plan equivalent to $15 per month required new customer offer for first three months only. Speed slow hacker 35 gigabytes of networks busy taxes and fees extra. See mint mobile.com.