Stanford schooled in cybersecurity after Akira claims ransomware attack

This marks the third criminal intrusion at the institution in as many years
Stanford University has confirmed it is "investigating a cybersecurity incident" after an attack last week by the Akira ransomware group.

Akira claimed the attack on Stanford on October 27, saying it had stolen 430 GB worth of data from the renowned education institution.

Other than the volume of data allegedly stolen by the group, little is known about the incident. Akira said it has access to "private information, confidential documents etc." but has otherwise remained tight-lipped.

The Register contacted Akira for an update on the negotiations but had not received a response at the time of publication.

Stanford University's statement confirming the news suggested the attack was limited to one system at its Department of Public Safety (SUDPS), the on-campus police department.

"The security and integrity of our information systems are top priorities, and we work continually to safeguard our network," it said. "We are continuing to investigate a cybersecurity incident at the Stanford University Department of Public Safety (SUDPS) to determine the extent of what may have been impacted.

"Based on our investigation to date, there is no indication that the incident affected any other part of the university, nor did it impact police response to emergencies. The impacted SUDPS system has been secured.

"Our privacy and information security teams have been giving this matter their concerted attention, in coordination with outside specialists. The investigation is ongoing and once it is completed, we will act accordingly and be able to share more information with the community."

Ransomware groups have now claimed three attacks on the university in as many years: Cl0p named Stanford as a victim for the second time in March this year, following its first attack in 2021 via the compromise of Accellion FTA.

Akira uncovered

The Akira ransomware-as-a-service operation has only been active since March but security experts reckon it has "highly experienced and skilled operators at its helm."

According to Trend Micro and Arctic Wolf, Akira is a novel ransomware strain that may be run by the same people behind the Conti group, which was responsible for a slew of high-profile attacks including one that crippled the Costa Rican government.

Conti itself is thought to have inherited members from the Ryuk ransomware group; both are believed to have links to Russia, and Ryuk also laid claim to a long list of high-profile attacks.

Experts who have analyzed Akira's code said it differs completely from the group of the same name that operated in 2017, and bears a strong resemblance to Conti in its string obfuscation and file encryption.

A recent report from BHI Energy, which provides project management and staffing support to US energy organizations, offered insight into how an Akira ransomware attack plays out.

In that case [PDF], Akira used stolen VPN credentials of a third-party contractor to make the initial intrusion into BHI Energy's network and later perform internal reconnaissance using the same method.

Then, during a nine-day window in June 2023, it stole a large amount of data – 690 GB and 767,035 files – before deploying its ransomware payload, encrypting files on a subset of systems.

Intelligence from other experts has shown that Akira's ransomware payload additionally runs a PowerShell script to remove volume shadow copies and appends the ".akira" extension to encrypted files. ®
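As an added defender-side illustration (not from the article, Stanford, or any vendor tooling), the following Python triages constructed endpoint telemetry for the two payload behaviours described above: shadow-copy removal and the mass renaming of files to the ".akira" extension. The event format, host names and the shadow-copy command-line patterns are assumptions drawn from commonly published detection content, not details reported for this incident.

```python
import re
from collections import Counter

# Commonly published detection patterns for volume-shadow-copy removal
# (assumption: these are generic defender signatures, not Akira-specific).
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))", re.I),
]

# Constructed sample telemetry, one record per line: "host|event|detail".
SAMPLE_EVENTS = [
    "ws-12|ProcessCreate|powershell.exe -NoP -C Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }",
    "ws-12|ProcessCreate|vssadmin.exe delete shadows /all /quiet",
    "ws-07|ProcessCreate|powershell.exe -C Get-ChildItem C:\\Reports",
    "ws-12|FileRename|C:\\Users\\a\\Documents\\q3.xlsx -> C:\\Users\\a\\Documents\\q3.xlsx.akira",
    "ws-12|FileRename|C:\\Users\\a\\Documents\\plan.docx -> C:\\Users\\a\\Documents\\plan.docx.akira",
    "ws-12|FileRename|C:\\Users\\a\\Pictures\\x.png -> C:\\Users\\a\\Pictures\\x.png.akira",
    "ws-07|FileRename|C:\\tmp\\draft.txt -> C:\\tmp\\final.txt",
]


def triage(lines, rename_threshold=3):
    """Flag hosts showing shadow-copy deletion and/or a burst of .akira renames.

    Returns a dict of per-host findings; hosts that show both signals are the
    strongest candidates for active encryption and should be isolated first.
    """
    shadow_hosts = set()
    akira_renames = Counter()
    for line in lines:
        parts = line.split("|", 2)  # keep pipes inside the command line intact
        if len(parts) != 3:
            continue
        host, event, detail = parts
        if event == "ProcessCreate" and any(p.search(detail) for p in SHADOW_COPY_PATTERNS):
            shadow_hosts.add(host)
        elif event == "FileRename" and detail.lower().endswith(".akira"):
            akira_renames[host] += 1
    mass_rename = {h: n for h, n in akira_renames.items() if n >= rename_threshold}
    return {
        "shadow_copy_deletion": sorted(shadow_hosts),
        "akira_mass_rename": mass_rename,
        "likely_encryption_hosts": sorted(shadow_hosts & set(mass_rename)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

In production the rename threshold would be applied per time window rather than over the whole feed, and the shadow-copy hit alone is worth an alert because backups are being destroyed before encryption begins.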
