Visitors to Akira’s dark web leak site are greeted with a message:
Well, you are here. It means that you’re suffering from cyber incident right now. Think of our actions as an unscheduled forced audit of your network for vulnerabilities. Keep in mind that there is a fair price to make it all go away.
Do not rush to assess what is happening – we did it to you. The best thing you can do is to follow our instructions to get back to your daily routine, by cooperating with us you will minimize the damage that might be done.
Those who choose different path will be shamed here publicly. The functionality of this blog is extremely simple – enter the desired command in the input line and enjoy the juiciest information that corporations around the world wanted to stay confidential.
Remember. You are unable to recover without our help. Your data is already gone and cannot be traced to the place of final storage nor deleted by anyone besides us.
On August 1, Parathon by JDA eHealth Systems was added to Akira’s site with a note from Akira: “We’re almost ready to share the 560GB of data we’ve taken from their network. Contracts, employee personal information, and confidential documents will be posted shortly.”
Akira did not reply to an inquiry sent to them by DataBreaches. Neither did Parathon, who was sent contact form inquiries on August 1 and again yesterday. So there is no proof from Akira and no denial or confirmation from Parathon.
Parathon is a revenue cycle management (RCM) business associate used by covered entities in the healthcare sector for billing patients and insurers and handling claims. Their software is available in a desktop model or web-tool model. It is not yet clear what Akira may have acquired in the way of personally identifiable information and/or protected health information of employees or patients.
If Parathon is a business associate to HIPAA-covered entities, their obligation is to notify any affected covered entities, who, in turn, have a duty to notify HHS of any reportable breach and to notify any affected patients. Depending on their contracts, Parathon might contact patients and/or HHS on behalf of one or more of the covered entities, but then again, maybe the covered entities will opt to do their own disclosures if there are any disclosures required.
A recent article by Arctic Wolf provides some helpful background on Akira. The firm’s incident response team notes, “In nearly all intrusions, the threat actors leveraged compromised credentials to obtain initial access to the victim’s environment. Notably, the majority of victim organizations did not have multi-factor authentication (MFA) enabled on their VPNs. It is unclear how the threat actors obtained the compromised credentials; however, it is plausible the threat actors purchased access or credentials on the dark web.”
Also of note, although Akira follows the Ransomware-as-a-Service (RaaS) model, they do not insist their victims pay for both a decryption key and the deletion of data they exfiltrated. According to Arctic Wolf, “Instead, Akira offers victims the opportunity to pick and choose what they would like to pay for. However, if a victim does not pay the ransom (ranging from $200K USD to over $4M USD based on Arctic Wolf® Incident Response’s insights) the victim’s name and data are published to Akira’s leak site.”
DataBreaches will continue to monitor the listing on the leak site and will update this post if more information becomes available. Inquiries were also sent yesterday to NorthShore University HealthSystem and HonorHealth, two entities whose praise Parathon cites on its website, to ask them if Parathon had recently alerted them to any breaches. No replies have been received.