Ransomware Attack on Empereon Constar: 800GB Data Breach by Akira
Ransomware Attack on Empereon Constar by Akira Group
Overview of Empereon Constar
Empereon Constar is a prominent business process outsourcing (BPO) company headquartered in Phoenix, Arizona. Formed through the merger of Empereon Marketing and Constar Financial Services, the company specializes in providing comprehensive customer engagement and management solutions across various sectors, including telecommunications, finance, and retail. With a workforce of over 4,000 employees and ten strategic sites, Empereon Constar manages more than five million customer interactions annually. The company is known for its operational excellence, driven by advanced technologies and a commitment to quality service.
Details of the Ransomware Attack
Empereon Constar recently fell victim to a ransomware attack orchestrated by the Akira ransomware group. The cybercriminals reportedly exfiltrated a substantial 800 GB of sensitive data, including SQL databases containing clients' information, employee files, and detailed financial records. This breach poses significant risks to the privacy and security of both the company's clients and employees, highlighting the critical need for robust cybersecurity measures.
About the Akira Ransomware Group
Akira is a rapidly growing ransomware family that first emerged in March 2023. The group targets small to medium-sized businesses across various sectors, including government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunications. Akira is believed to be affiliated with the now-defunct Conti ransomware gang because the two share code similarities. The group uses double extortion: it steals data before encrypting systems, then demands a ransom for both decryption and data deletion. Akira's ransom demands typically range from $200,000 to over $4 million.
Penetration and Tactics
Akira's tactics include unauthorized access to VPNs, credential theft, and lateral movement to deploy the ransomware. They have been observed using tools like RClone, FileZilla, and WinSCP for data exfiltration. In some cases, Akira has deployed a previously unreported backdoor. In April 2023, Akira expanded its operations to target Linux-based VMware ESXi virtual machines in addition to Windows systems. As of January 2024, the group has claimed over 250 victims and $42 million in ransomware proceeds.
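A detection check for the exfiltration tools named above, as an added example that is not from the original article: it scans process-creation events (Sysmon Event ID 1 style fields) for RClone, FileZilla and WinSCP, including copies renamed on disk. The events, host names, allowlist and `OriginalFileName` values are constructed assumptions; verify the latter against the binaries in your environment.

```python
import ntpath

# Tools the article names for data exfiltration, keyed by lowercase file name.
EXFIL_TOOLS = {
    "rclone.exe": "RClone",
    "filezilla.exe": "FileZilla",
    "winscp.exe": "WinSCP",
    "winscp.com": "WinSCP",
}

# Assumption: hosts where file-transfer tools are expected (hypothetical name).
ALLOWED_HOSTS = {"xfer-jump01"}

def classify(event):
    """Return a finding for one process-creation event, or None if benign."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    # Match on the on-disk name first, then on the PE header name so that
    # a renamed copy is still recognised.
    tool = EXFIL_TOOLS.get(image) or EXFIL_TOOLS.get(original)
    host = event.get("Computer", "").lower()
    if tool is None or host in ALLOWED_HOSTS:
        return None
    renamed = original in EXFIL_TOOLS and image not in EXFIL_TOOLS
    return {"host": host, "user": event.get("User", ""), "tool": tool,
            "renamed": renamed, "severity": "high" if renamed else "medium"}

def scan(events):
    """Classify every event and keep only the findings."""
    return [f for f in map(classify, events) if f is not None]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "SQL-PROD02", "User": "CORP\\svc_backup",
     "Image": "C:\\ProgramData\\rclone.exe", "OriginalFileName": "rclone.exe"},
    {"Computer": "FS01", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\Public\\svchost.exe", "OriginalFileName": "rclone.exe"},
    {"Computer": "XFER-JUMP01", "User": "CORP\\xfer",
     "Image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe",
     "OriginalFileName": "winscp.exe"},
    {"Computer": "WS-114", "User": "CORP\\asmith",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

A renamed binary is rated higher than a plainly named one because legitimate administrators rarely disguise a transfer tool as another process.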
Vulnerabilities and Impact
Empereon Constar's extensive data handling and customer interactions make it a lucrative target for ransomware groups like Akira. The company's reliance on advanced technologies and real-time analytics, while beneficial for operational excellence, also presents potential vulnerabilities if not adequately secured. The breach underscores the importance of robust cybersecurity measures to protect sensitive data and maintain client trust.