Stanford schooled in cybersecurity after Akira claims ransomware attack

This marks the third criminal intrusion at the institution in as many years

Stanford University has confirmed it is "investigating a cybersecurity incident" after an attack last week by the Akira ransomware group.

Akira claimed the attack on Stanford on October 27, saying it had stolen 430 GB worth of data from the renowned education institution.

Other than the volume of data allegedly stolen by the group, little is known about the incident. Akira said it has access to "private information, confidential documents etc." but has otherwise remained tight-lipped.

The Register contacted Akira for an update on the negotiations but had not received a response at the time of publication.

Stanford University's statement confirming the news suggested the attack was limited to one system at its Department of Public Safety (SUDPS), the on-campus police department.

"The security and integrity of our information systems are top priorities, and we work continually to safeguard our network," it said. "We are continuing to investigate a cybersecurity incident at the Stanford University Department of Public Safety (SUDPS) to determine the extent of what may have been impacted.

"Based on our investigation to date, there is no indication that the incident affected any other part of the university, nor did it impact police response to emergencies. The impacted SUDPS system has been secured.

"Our privacy and information security teams have been giving this matter their concerted attention, in coordination with outside specialists. The investigation is ongoing and once it is completed, we will act accordingly and be able to share more information with the community."

Ransomware groups have now claimed three attacks on the university in as many years, with Cl0p having posted Stanford for the second time in March this year, following the first attack in 2021 through its compromise of Accellion FTA.

Akira uncovered

The Akira ransomware-as-a-service operation has only been active since March but security experts reckon it has "highly experienced and skilled operators at its helm."

According to Trend Micro and Arctic Wolf, Akira is a novel ransomware strain that may be run by the same people behind the Conti group, which was responsible for a slew of high-profile attacks including one that crippled the Costa Rican government.

Conti itself is thought to have inherited members from the Ryuk ransomware group, both believed to have links to Russia with the latter also laying claim to a long list of high-profile attacks.

Experts who have analyzed Akira's code said it differs completely from the group of the same name that operated in 2017, and bears a strong resemblance to Conti with its string obfuscation and file encryption.

A recent report from BHI Energy, which provides project management and staffing support to US energy organizations, offered insight into how an Akira ransomware attack plays out.

In that case [PDF], Akira used stolen VPN credentials of a third-party contractor to make the initial intrusion into BHI Energy's network and later perform internal reconnaissance using the same method.

Then, during a nine-day window in June 2023, it stole a large amount of data – 690 GB and 767,035 files – before deploying its ransomware payload, encrypting files on a subset of systems.

Intelligence from other experts has shown that Akira's ransomware payload additionally runs a PowerShell script to remove volume shadow copies and appends the ".akira" extension to encrypted files. ®
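As an added illustration (not code from the article, Stanford, or any of the cited reports), the Python below scans constructed sample log lines for the two payload behaviours just described: shadow-copy removal and files renamed with the ".akira" extension. The specific deletion command patterns are assumptions based on commonly documented shadow-copy tooling; the article itself only says a PowerShell script removes the copies.

```python
import re

# Constructed sample log lines for illustration; not from the article or any real incident.
SAMPLE_LOGS = [
    '2023-06-03T02:14:11Z host=FS01 event=PS_ScriptBlock text="Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"',
    '2023-06-03T02:14:12Z host=FS01 event=ProcessCreate cmd="vssadmin.exe delete shadows /all /quiet"',
    '2023-06-03T02:15:40Z host=FS01 event=FileCreate path="D:\\finance\\q2.xlsx.akira"',
    '2023-06-03T02:15:41Z host=FS01 event=FileCreate path="D:\\finance\\notes.txt"',
    '2023-06-03T02:16:00Z host=WS22 event=PS_ScriptBlock text="Get-ChildItem -Recurse | Measure-Object"',
]

# Detection rules as (name, regex). The shadow-copy patterns are assumed,
# widely documented deletion commands; the ".akira" extension is from the article.
RULES = [
    ("shadow_copy_removal_powershell",
     re.compile(r"Win32_Shadowcopy.*Remove-WmiObject", re.IGNORECASE)),
    ("shadow_copy_removal_vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)),
    ("akira_encrypted_file",
     re.compile(r'path="[^"]+\.akira"', re.IGNORECASE)),
]

HOST_RE = re.compile(r"\bhost=(\S+)")

def scan(lines):
    """Return one (host, rule_name, line) tuple for every rule that matches a line."""
    hits = []
    for line in lines:
        m = HOST_RE.search(line)
        host = m.group(1) if m else "unknown"
        for name, rx in RULES:
            if rx.search(line):
                hits.append((host, name, line))
    return hits

def hosts_with_impact_chain(hits):
    """Hosts showing both shadow-copy removal and .akira files: the two-step
    sequence the article describes, which is far more specific than either alone."""
    by_host = {}
    for host, name, _ in hits:
        by_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in by_host.items()
                  if "akira_encrypted_file" in names
                  and any(n.startswith("shadow_copy_removal") for n in names))

if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for host, name, line in hits:
        print(f"[{name}] {host}: {line}")
    print("hosts with removal + encryption:", hosts_with_impact_chain(hits))
```

In production the line format would follow whatever your SIEM or Sysmon pipeline emits; the rule logic, and especially the per-host chaining, is the transferable part.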
