Watch this: Unsecured webcam used in recent ransomware attack

Security researchers have observed the Akira ransomware gang use a unique attack vector to bypass EDR protection.


The Akira ransomware gang is a pretty prolific operation and remarkably fond of old-school computing vibes.

Its darknet leak site is laid out in classic black and green and can only be navigated via a simulated command line.

But don’t let that old-school charm fool you – Akira is a technically proficient and aggressive ransomware operation. In fact, cyber security firm S-RM recently worked on a case that saw the gang get around endpoint detection and response tools in a truly novel way.

Via a webcam.

Akira accounted for 15 per cent of all the incidents that S-RM responded to in 2024, but one incident stood out for the sheer inventiveness shown by the gang.

“The S-RM team recently responded to an Akira ransomware incident in which the victim organisation had deployed EDR to hosts on their network,” S-RM said in a 5 March blog post.

“The EDR tool identified and quarantined the ransomware binary, which inhibited Akira’s ability to deploy the malicious code across the victim’s environment. Not to be deterred, the threat actor then conducted a network scan and identified an unsecured webcam on the same network. Akira was able to compromise this device and deploy ransomware from it, ultimately circumventing the EDR tool.”

The webcam itself had several critical vulnerabilities the hackers were able to exploit and ran a lightweight Linux operating system capable of executing commands. It also wasn’t protected by any EDR solution, and – as S-RM pointed out – was likely not capable of hosting any in the first place.

Since the device was not monitored, network defenders were unable to detect malicious traffic to the target server, which led to Akira being able to launch its ransomware and encrypt the company’s data.

“There are several options for threat actors to deploy ransomware from IoT devices and deploying via SMB protocol remains one of the easiest,” S-RM said.

“Though this protocol is significantly less efficient, it can still be a potent vector for threat actors, particularly when used on devices which are incompatible with EDR or EPP systems, preventing adequate continuous monitoring of activity.”
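The gap S-RM describes is a host that talks SMB to the rest of the network but can never carry an EDR agent. One compensating control on the defender's side is to correlate network connection logs with the EDR enrolment inventory and flag any source that fans out over TCP 445 without being an enrolled endpoint. The script below is an added illustration of that check; it is not S-RM's tooling or anything from the incident, and the host inventory, IP addresses and log lines are constructed samples.

```python
"""Flag SMB (TCP 445) sessions that originate from hosts with no EDR agent.

Added example: correlate a connection log with the list of EDR-enrolled
hosts. A source that opens SMB sessions to several peers but is not in the
enrolment list (a camera, printer, or other appliance) is surfaced for review.
All IPs, the inventory and the log lines are constructed samples.
"""
from collections import defaultdict
from dataclasses import dataclass

SMB_PORT = 445

# Constructed sample: hosts known to carry an EDR agent (assumption: exported
# from the EDR console as one IP per host).
EDR_ENROLLED = {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.2.20"}

# Constructed sample connection log: ts,src_ip,src_port,dst_ip,dst_port,proto
SAMPLE_LOG = """\
2025-03-05T02:10:01Z,10.0.1.10,51234,10.0.2.20,445,tcp
2025-03-05T02:11:45Z,10.0.1.11,49152,10.0.2.20,445,tcp
2025-03-05T02:12:03Z,10.0.9.77,40001,10.0.1.10,445,tcp
2025-03-05T02:12:04Z,10.0.9.77,40002,10.0.1.11,445,tcp
2025-03-05T02:12:05Z,10.0.9.77,40003,10.0.1.12,445,tcp
2025-03-05T02:12:06Z,10.0.9.77,40004,10.0.2.20,445,tcp
2025-03-05T02:13:00Z,10.0.9.77,40005,10.0.1.10,80,tcp
2025-03-05T02:14:10Z,10.0.1.12,50010,10.0.9.77,554,tcp
"""


@dataclass(frozen=True)
class Conn:
    ts: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_conn_log(text):
    """Parse the simple CSV connection log into Conn records."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split(",")
        conns.append(Conn(ts, src, int(sport), dst, int(dport), proto))
    return conns


def smb_targets_by_unmanaged_source(conns, enrolled):
    """Map each non-enrolled source IP to the sorted list of SMB peers it reached."""
    targets = defaultdict(set)
    for c in conns:
        if c.proto == "tcp" and c.dst_port == SMB_PORT and c.src_ip not in enrolled:
            targets[c.src_ip].add(c.dst_ip)
    return {src: sorted(dsts) for src, dsts in targets.items()}


def flag_lateral_smb(conns, enrolled, min_targets=3):
    """Return a finding for every unmanaged source fanning out over SMB.

    min_targets sets how many distinct SMB peers an un-enrolled host must
    contact before it is reported; a single file-share client is normal,
    one appliance pushing to every server is not.
    """
    findings = []
    for src, dsts in smb_targets_by_unmanaged_source(conns, enrolled).items():
        if len(dsts) >= min_targets:
            findings.append({
                "src_ip": src,
                "smb_targets": dsts,
                "reason": "SMB to %d hosts from a source with no EDR agent" % len(dsts),
            })
    return findings


if __name__ == "__main__":
    for finding in flag_lateral_smb(parse_conn_log(SAMPLE_LOG), EDR_ENROLLED):
        print(finding)
```

With the sample data, the two enrolled workstations using the file server are ignored and the un-enrolled 10.0.9.77 is reported for SMB sessions to four hosts; its port 80 traffic and the inbound RTSP-style connection to it are not counted. In practice the inventory would come from the EDR console and the log from a flow collector or Zeek, and the threshold would be tuned to the environment.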

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
