Braspress Hit by Akira Ransomware, Disrupting 280 Servers
Ransomware Attack on Braspress by Akira Group
Braspress, a leading logistics and transportation company in Brazil, has recently fallen victim to a ransomware attack orchestrated by the Akira ransomware group. The breach, detected on July 7, 2024, compromised 280 servers within the company's data center, significantly disrupting operations across its extensive network.
About Braspress
Braspress Transportes Urgentes Ltda., commonly known as Braspress, is a prominent player in the Brazilian logistics sector. The company operates an extensive network for both road and air transportation, facilitating the swift movement of goods across Brazil and internationally. With 106 branches and a modern fleet of nearly three thousand trucks, Braspress is recognized for its efficiency and reliability in handling urgent deliveries, including specialized services for pharmaceutical products.
Braspress stands out in the industry due to its commitment to environmental sustainability, having achieved ISO 14001 certification. The company also invests significantly in technology and security, with advanced systems such as a state-of-the-art Data Center and automated sorting technologies. Despite these measures, the company was not immune to the sophisticated tactics employed by the Akira ransomware group.
Attack Overview
The ransomware attack by Akira was publicly claimed on July 31, 2024. The incident affected nearly 3,000 trucks and 9,000 employees across 114 branches nationwide. In response, Braspress took its operational systems offline and has been working to restore encrypted environments using backups made just minutes before the attack. Despite the extensive damage, Braspress has opted not to negotiate with the attackers. Company president Urubatan Helou has firmly stated his refusal to pay any ransom, acknowledging that the recovery process may take years.
About Akira Ransomware Group
Akira is a rapidly growing ransomware family that first emerged in March 2023. The group targets small to medium-sized businesses across various sectors, including government, manufacturing, technology, and pharmaceuticals. Akira employs double extortion tactics, stealing data before encrypting systems and demanding a ransom for both decryption and data deletion. The group is known for its unique dark web leak site with a retro 1980s-style interface and has been observed using tools like RClone, FileZilla, and WinSCP for data exfiltration.
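The transfer tools named above give defenders something concrete to hunt for on servers. The following is an added example, not part of the original article: a small Python check over process-creation events that flags RClone, WinSCP and FileZilla, including copies renamed on disk. The JSON-lines input modeled on Sysmon Event ID 1 fields, the sample records, and the assumption that each tool's PE OriginalFileName equals its usual file name are all constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

# Transfer tools the article says Akira has used for exfiltration, keyed by
# lower-case file name (assumption: this matches the PE OriginalFileName).
EXFIL_TOOLS = {
    "rclone.exe": "RClone",
    "winscp.exe": "WinSCP",
    "filezilla.exe": "FileZilla",
}

# Constructed sample: process-creation records (Sysmon Event ID 1 style), one JSON object per line.
SAMPLE_LOG = r"""
{"Computer": "FS01", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\robocopy.exe", "OriginalFileName": "robocopy.exe", "CommandLine": "robocopy D:\\data E:\\backup /MIR"}
{"Computer": "FS01", "User": "CORP\\admin1", "Image": "C:\\ProgramData\\rclone.exe", "OriginalFileName": "rclone.exe", "CommandLine": "rclone.exe copy D:\\shares remote:bucket"}
{"Computer": "FS02", "User": "CORP\\admin1", "Image": "C:\\Users\\Public\\svchost.exe", "OriginalFileName": "rclone.exe", "CommandLine": "svchost.exe copy D:\\shares remote:bucket"}
{"Computer": "APP03", "User": "CORP\\jdoe", "Image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe", "OriginalFileName": "winscp.exe", "CommandLine": "WinSCP.exe"}
"""


def find_exfil_tools(log_text):
    """Return one finding per process-creation event that ran a listed tool."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        image_name = PureWindowsPath(event.get("Image") or "").name.lower()
        original = (event.get("OriginalFileName") or "").lower()
        tool = EXFIL_TOOLS.get(original) or EXFIL_TOOLS.get(image_name)
        if tool is None:
            continue
        findings.append({
            "host": event.get("Computer"),
            "user": event.get("User"),
            "tool": tool,
            # Renamed binary: PE metadata names the tool, the file on disk does not.
            "renamed": original in EXFIL_TOOLS and image_name != original,
            "command_line": event.get("CommandLine"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_exfil_tools(SAMPLE_LOG):
        print(finding)
```

A hit is not proof of compromise, since administrators use these tools legitimately; findings with renamed set to True, or on hosts where no such tool is sanctioned, deserve review first.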
Penetration and Impact
Akira's tactics include unauthorized access to VPNs, credential theft, and lateral movement to deploy the ransomware. The group has also been seen deploying a previously unreported backdoor. In April 2023, Akira expanded its operations to target Linux-based VMware ESXi virtual machines in addition to Windows systems. The attack on Braspress highlights the vulnerabilities even well-prepared companies face against sophisticated ransomware groups.