Akira Ransomware Hits SAGE Publishing: Data at Risk

Incident Date: Jul 30, 2024

Attack Overview
Victim: SAGE Publishing
Industry: Media & Internet
Location: India
Attacker: Akira
First Reported: July 30, 2024

Ransomware Attack on SAGE Publishing by Akira Group

SAGE Publishing, a renowned independent academic publisher, has recently fallen victim to a ransomware attack orchestrated by the Akira ransomware group. The attack has been publicly claimed by Akira on their dark web leak site, where they have threatened to release SAGE's internal high-quality content, including financial data and agreements.

About SAGE Publishing

Founded in 1965 by Sara Miller McCune, SAGE Publishing is headquartered in Thousand Oaks, California. The company operates globally with offices in North America, Europe, and the Asia-Pacific region. SAGE publishes over 1,000 journals and more than 800 books annually, covering a wide array of disciplines such as business, humanities, social sciences, science, technology, and medicine. The company is known for its commitment to academic excellence, innovation, and inclusivity in scholarly communication.

Attack Overview

The Akira ransomware group has claimed responsibility for the attack on SAGE Publishing. The group has announced their intention to upload SAGE's internal data to their blog, making it publicly available within a few days. This data reportedly includes sensitive financial information and agreements, which could have significant implications for SAGE and its stakeholders.

About Akira Ransomware Group

Akira is a relatively new ransomware family that emerged in March 2023. The group has been targeting small to medium-sized businesses across various sectors, including government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunications. Akira is believed to be affiliated with the now-defunct Conti ransomware gang, sharing similarities in their code. The group employs double extortion tactics, stealing data before encrypting systems and demanding a ransom for both decryption and data deletion.

Penetration and Tactics

Akira's tactics include unauthorized access to VPNs, credential theft, and lateral movement within the victim's network to deploy the ransomware. They have been observed using tools like RClone, FileZilla, and WinSCP for data exfiltration. In some cases, Akira has deployed a previously unreported backdoor. The group has also expanded its operations to target Linux-based VMware ESXi virtual machines in addition to Windows systems.
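
One way to hunt for the exfiltration tools named above in process-creation telemetry, added here as an example and not taken from the original report. The event field names (`host`, `image`, `cmdline`), the sample events, and the command-line heuristics for renamed binaries are assumptions made for illustration.

```python
import ntpath
import re

# Image names of the exfiltration tools the report names (lowercase).
EXFIL_IMAGES = {"rclone.exe": "RClone", "filezilla.exe": "FileZilla",
                "winscp.exe": "WinSCP", "winscp.com": "WinSCP"}

# Heuristic command-line shapes that still match when the binary is renamed
# (assumption: tune against your own telemetry before alerting on them).
CMDLINE_SIGS = [
    # rclone transfer verb, a source, then a "remote:path" destination whose
    # remote name is longer than a Windows drive letter.
    ("RClone", re.compile(r"\s(copy|sync|move)\s+\S+\s+[\w-]{2,}:\S*", re.I)),
    # WinSCP scripted session: /script=<file> or /command "open ...".
    ("WinSCP", re.compile(r'/script=|/command\s+"?open\s', re.I)),
]

def classify(event):
    """Return (tool, reason) if a process event looks like an exfil tool, else None."""
    name = ntpath.basename(event["image"]).lower()
    if name in EXFIL_IMAGES:
        return EXFIL_IMAGES[name], "image name"
    for tool, sig in CMDLINE_SIGS:
        if sig.search(event["cmdline"]):
            return tool, "command line (image name does not match)"
    return None

def flag_exfil(events):
    """Return (host, image, tool, reason) for every suspicious event."""
    return [(ev["host"], ev["image"], *verdict)
            for ev in events if (verdict := classify(ev))]

# Constructed sample events: hosts, paths and remote names are made up.
SAMPLE_EVENTS = [
    {"host": "FS01", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance remote1:bkt --transfers 16"},
    {"host": "FS01", "image": r"C:\ProgramData\svchost32.exe",
     "cmdline": r"svchost32.exe sync \\fs01\contracts mega-x:dump --config C:\ProgramData\c.conf"},
    {"host": "WS07", "image": r"C:\Program Files (x86)\WinSCP\WinSCP.com",
     "cmdline": r"WinSCP.com /script=C:\Temp\up.txt"},
    {"host": "WS09", "image": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r"xcopy C:\src D:\dst /E"},
    {"host": "WS09", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy C:\a.txt D:\b.txt"},
]

if __name__ == "__main__":
    for hit in flag_exfil(SAMPLE_EVENTS):
        print(hit)
```

These tools also have legitimate administrative uses, so hits are most useful when correlated with the host's role and with who launched the process.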

Implications for SAGE Publishing

SAGE Publishing's extensive digital infrastructure and global operations make it a lucrative target for ransomware groups like Akira. The potential release of sensitive financial data and agreements could harm the company's reputation and financial standing. Additionally, the attack underscores the vulnerabilities that even well-established organizations face in the evolving landscape of cyber threats.
