
SANS Internet Storm Center Details Akira Ransomware Attack and Phishing Threats
🎬 The May 28, 2026, SANS Internet Storm Center Stormcast episode details an Akira ransomware attack analyzed by Manuel, covering a kill chain that ran for one week. The attackers gained initial access with brute-forced SSLVPN credentials, then performed internal network discovery (for example, probing Windows shares and running "whoami") and moved laterally over RDP; encryption began seven days after initial access. Early detection indicators included failed-authentication logs and other anomalous activity, and the episode lists specific log IDs to monitor.

The episode also highlights a phishing attack by FishU targeting Google's passkey synchronization: users are tricked into revealing their device PINs, which compromises passkey storage and gives the attacker persistent account access.

Additionally, Microsoft documented attackers poisoning chatbot/LLM responses to distribute malware disguised as legitimate software; the download sideloaded a malicious DLL that installed a ScreenConnect client for remote access. The discussion underscores the risks of phishing even with phishing-resistant authentication, and the abuse of search ads and AI-driven tools for malware distribution.
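As an added example (not from the episode or the ISC), the following Python correlates the Akira kill chain described above over constructed VPN and host log lines: it flags an account whose VPN success follows a burst of failed authentications from one source and then records the discovery commands and RDP logons that account performs afterwards. Event names, hostnames, the five-failure threshold and the ten-minute window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the episode). Tuples: (timestamp, source_or_host, user, event).
VPN_EVENTS = [
    ("2026-05-20 02:00:01", "203.0.113.7", "jdoe", "auth_failed"),
    ("2026-05-20 02:00:05", "203.0.113.7", "jdoe", "auth_failed"),
    ("2026-05-20 02:00:09", "203.0.113.7", "jdoe", "auth_failed"),
    ("2026-05-20 02:00:14", "203.0.113.7", "jdoe", "auth_failed"),
    ("2026-05-20 02:00:19", "203.0.113.7", "jdoe", "auth_failed"),
    ("2026-05-20 02:00:40", "203.0.113.7", "jdoe", "auth_success"),
    ("2026-05-20 08:15:00", "198.51.100.9", "asmith", "auth_failed"),
    ("2026-05-20 08:15:30", "198.51.100.9", "asmith", "auth_success"),
]
HOST_EVENTS = [
    ("2026-05-20 02:05:12", "jump01", "jdoe", "whoami"),
    ("2026-05-20 02:06:03", "jump01", "jdoe", "net view \\\\fileserver"),
    ("2026-05-20 02:20:44", "fileserver", "jdoe", "rdp_logon"),
    ("2026-05-20 09:00:00", "ws-12", "asmith", "whoami"),
]
# Assumed discovery command prefixes worth flagging after a suspicious VPN login.
DISCOVERY = ("whoami", "net view", "net share", "nltest")

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def brute_forced_logins(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: (source, success_time)} where at least `threshold` failures from
    one source for one user precede a success from that source within `window`."""
    failures = defaultdict(list)  # (source, user) -> failure timestamps
    hits = {}
    for t, src, user, ev in sorted(events):
        when = ts(t)
        key = (src, user)
        if ev == "auth_failed":
            failures[key].append(when)
        elif ev == "auth_success":
            recent = [f for f in failures[key] if when - f <= window]
            if len(recent) >= threshold:
                hits[user] = (src, when)
    return hits

def kill_chain_alerts(vpn_events, host_events, threshold=5):
    """For each brute-forced account, collect the discovery commands and RDP logons
    it performed after the VPN success; both together match the described chain."""
    alerts = {}
    for user, (src, login) in brute_forced_logins(vpn_events, threshold).items():
        later = [(h, ev) for t, h, u, ev in sorted(host_events) if u == user and ts(t) > login]
        discovery = [ev for _, ev in later if ev.startswith(DISCOVERY)]
        rdp_hosts = [h for h, ev in later if ev == "rdp_logon"]
        alerts[user] = {"source": src, "discovery": discovery, "rdp_hosts": rdp_hosts}
    return alerts
```

Because the chain here took a week to reach encryption, the VPN-failure burst alone is the earliest signal; the later correlation only confirms what should already have been triaged.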