ctipilot.ch

Akira — ransomware operator targeting EU healthcare and SME via edge-device CVE chains and intermittent-encryption EDR evasion

actor · actor:Akira

Coverage timeline: 1 (first 2026-05-10 → last 2026-05-10)
Briefs: 1 (1 distinct)
Sources cited: 36 (27 hosts)
Sections touched: 1 (weekly_long_running)
Co-occurring entities: 8

Story timeline

  1. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · weekly_long_running
     First-covered as named operator key (the Groupe 3R incident was already logged separately). W1 horizon: 84 March victims (second-most-active month on record); 5 healthcare claims in Q1 2026; confirmed German healthcare victims RENAFAN GmbH and Suchthilfe direkt Essen gGmbH (attributed to Qilin, not Akira; see the quarterly-context item below); Akira playbook documented (Cisco ASA/FTD/Fortinet/ESXi initial access; LSASS via comsvcs.dll/Mimikatz; PowerTool+Zemana AV-driver BYOVD; double extortion). >1,400 victims since 2023; >$245M extracted.

Where this entity is cited

  • weekly_long_running: 1

Source distribution

  • attack.mitre.org: 8 (22%)
  • isc.sans.edu: 2 (6%)
  • therecord.media: 2 (6%)
  • bleepingcomputer.com: 1 (3%)
  • blick.ch: 1 (3%)
  • blogs.microsoft.com: 1 (3%)
  • broadcom.com: 1 (3%)
  • cloud.google.com: 1 (3%)
  • other: 19 (53%)

Items in briefs about Akira — ransomware operator targeting EU healthcare and SME via edge-device CVE chains and intermittent-encryption EDR evasion (17)

"Mistic" backdoor: signed-Defender DLL sideloading and in-memory tradecraft by access broker Woodgnat/KongTuke

From CTI Daily Brief — 2026-06-25 · published 2026-06-25

Symantec disclosed Backdoor.Mistic (also tracked as MLTBackdoor), deployed since April 2026 by initial-access broker Woodgnat (a.k.a. KongTuke) that sells footholds to ransomware affiliates including Qilin, Interlock, Rhysida, Akira, 8Base and Black Basta (Symantec, 2026-06-24 · SecurityWeek, 2026-06-24). Mistic achieves DLL sideloading via a digitally-signed Microsoft Defender executable (MpExtMs.exe) loading a malicious EndpointDlp.dll (T1574.002, T1036.005), so its activity reads as legitimate Defender behaviour to EDR. Per Symantec it also supports in-memory tradecraft and file manipulation/arbitrary code execution with a kill switch for stealth. Delivery uses ClickFix / FileFix / CrashFix lures (fake CAPTCHAs, browser-crash pages, Teams IT-helpdesk impersonation directing victims to run PowerShell). Why it matters to us: The downstream affiliates are all active public-sector ransomware actors. Detection is precise: legitimate Defender DLPs load from %ProgramFiles%\Windows Defender\ under a Microsoft certificate — any EndpointDlp.dll loaded from a user-writable path or with a non-Microsoft signature is high-confidence (Sysmon EID 7). Pair with EID 1 parent-chains for PowerShell spawned by Teams/Office clients.

Check Point State of Ransomware Q1 2026 — ecosystem consolidation, with Switzerland and Germany named

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

Surfaced this week for its CH/EU-specific findings, Check Point's Q1 2026 ransomware report (published 11 May, not covered in the dailies) documents a structural consolidation: the top 10 groups now hold 71.1% of all leak-site victims, the highest concentration since early 2024 and a reversal of two years of fragmentation, meaning defenders face fewer but more professionalised adversaries (Check Point Research; corroborated by Emsisoft). The Gentlemen grew +315% quarter-on-quarter (explaining this week's Mackay Sugar and GentleKiller coverage in § 2) and LockBit 5.0 resurged +106% on a Rust rewrite. The geography is the operative detail for this audience: Check Point notes that Akira accounts for roughly 31% of Swiss ransomware victims, and Emsisoft ranks Germany #2 globally by ransomware victim count. The synthesis a Swiss SOC should take: Akira is the dominant ransomware threat to model against domestically, and the consolidation trend favours investing detection effort against a smaller set of high-capability operators (Qilin, Akira, The Gentlemen, LockBit 5.0).

CVE-2026-44963 — Veeam Backup & Replication: authenticated domain-user deserialization RCE on the backup server (CVSS 9.4)

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

Veeam patched CVE-2026-44963 (CVSS v4 9.4, CWE-502) on 9 June: any authenticated domain user — no elevated Veeam privilege required — can execute code on the Backup Server when it is domain-joined; workgroup servers are unaffected (Veeam, 2026-06-09). It affects all v12 builds up to 12.3.2.4465 (fixed in 12.3.2.4854); v13.x is not affected. Reported by watchTowr's Sina Kheirkhah (The Hacker News, 2026-06-09). No ITW exploitation is confirmed, but backup infrastructure is a perennial pre-encryption ransomware target (Akira, Black Basta, LockBit have historically gone after Veeam first), so treat as urgent (T1210, T1486). Upgrade to 12.3.2.4854; where patching is blocked, Veeam's hardening guidance includes removing the backup server from the domain.

SANS ISC — Akira ransomware kill chain reconstructed entirely from SSLVPN syslog and Windows EVTX, no EDR [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

SANS ISC handler Manuel Humberto Santander Pelaez published a forensic walkthrough on 2026-05-27 reconstructing an Akira ransomware intrusion using only two log sources — SSLVPN syslog and Windows EVTX exports — joined by source IP and normalised time (SANS Internet Storm Center, 2026-05-27). [SINGLE-SOURCE] — high-reliability technical primary, but no independent corroboration of the specific kill chain. Initial access (T1078.001 / T1133): non-distributed brute force from a single hosting-provider IP against a single local SSLVPN account that had been deprovisioned in Active Directory but remained provisioned as a local firewall user with no MFA. Discovery: EID 4688 captures nltest.exe /dclist:, net.exe group "Domain Admins" /domain, net.exe group "Enterprise Admins" /domain, whoami.exe /all, and a renamed AdFind.exe variant, all parented explorer.exe → cmd.exe. Credential access (T1558.003 Kerberoasting): a cluster of EID 4769 RC4-encrypted TGS requests for multiple SPNs from a single workstation within a 90-second window. Lateral movement (T1021.001): EID 4624 Logon Type 10 chain from jump host to file server, domain controllers, backup server; EID 4672 special-logon privileges on DC. Defense evasion + impact: EID 1102 security-log clear; sc.exe / net stop of endpoint-protection services (System EID 7036); vssadmin delete shadows /all /quiet.

Why it matters to us: the diary is a forensic primer for any SOC operating without full EDR coverage, the standard scenario in smaller public-sector entities and DACH commune networks. Concrete takeaways the SANS ISC author makes directly: reconcile local SSLVPN account directories against the AD source of truth (deprovisioned-in-AD-but-retained-in-firewall is the recurring initial-access pathway in this class); alert on > 50 failed SSLVPN auths from a single source per hour; enable EID 4688 process auditing (with command-line logging) on every Windows host and set the Security log size to ≥ 1 GB; alert on RC4 TGS-REP (EID 4769 EncryptionType=0x17) for multiple SPNs from one workstation in a short window; treat EID 1102 security-log clear as incident-grade in every case; time-sync every host including the firewall to the same NTP source so perimeter-to-endpoint joins remain reliable.
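The detections the diary lists, as an added example written for this page (not the SANS ISC author's code). The SSLVPN syslog format (auth OK|FAILED user= src= assigned=) and the flattened EVTX records are constructed, and the join between the two sources assumes the VPN-assigned client address is what appears as IpAddress in EID 4624; the thresholds follow the diary.

```python
# Added example for this page, not the SANS ISC author's code. The SSLVPN
# syslog format and the flattened EVTX records (dicts) are constructed; the rules
# follow the diary: >50 failures/hour, RC4 TGS requests for several SPNs from one
# client within 90 s, EID 1102, 4688 discovery commands, VPN-to-logon join.
import re
from collections import defaultdict
from datetime import datetime, timedelta

def ts(s: str) -> datetime:
    """All timestamps normalised to UTC; the join only works if the firewall
    and every Windows host share one NTP source."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

VPN_RE = re.compile(r"^(?P<time>\S+) \S+ sslvpn: auth (?P<result>OK|FAILED) "
                    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: assigned=(?P<assigned>\S+))?")

def parse_vpn(lines):
    rows = []
    for line in lines:
        m = VPN_RE.match(line)
        if m:
            d = m.groupdict()
            d["time"] = ts(d["time"])
            rows.append(d)
    return rows

def vpn_bruteforce_sources(rows, threshold=50):
    """Source IPs with more than `threshold` failed SSLVPN auths in one clock hour."""
    buckets = defaultdict(int)
    for r in rows:
        if r["result"] == "FAILED":
            buckets[(r["src"], r["time"].replace(minute=0, second=0))] += 1
    return sorted({src for (src, _), n in buckets.items() if n > threshold})

def kerberoast_clusters(events, min_spns=3, window=timedelta(seconds=90)):
    """EID 4769 with TicketEncryptionType 0x17 (RC4) for >= min_spns distinct SPNs
    from one client IP inside `window`; AES requests (0x11/0x12) are ignored."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e.get("TicketEncryptionType") == "0x17":
            by_ip[e["IpAddress"]].append((ts(e["Time"]), e["ServiceName"]))
    hits = []
    for ip, reqs in by_ip.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                hits.append((ip, sorted(spns)))
                break
    return hits

DISCOVERY = re.compile(r'(nltest\.exe\s+/dclist|net1?\.exe\s+group\s+"(Domain|Enterprise) Admins"'
                       r'|whoami\.exe\s+/all)', re.I)

def discovery_commands(events):
    """EID 4688 command lines matching the diary's discovery set."""
    return [e["CommandLine"] for e in events
            if e["EventID"] == 4688 and DISCOVERY.search(e.get("CommandLine", ""))]

def log_clears(events):
    """EID 1102 (security log cleared) is incident-grade on its own."""
    return [e["Computer"] for e in events if e["EventID"] == 1102]

def join_vpn_to_logons(rows, events, skew=timedelta(minutes=30)):
    """Tie each successful SSLVPN auth to EID 4624 type-10 (RDP) logons whose
    IpAddress is the client address the VPN assigned, within `skew` afterwards."""
    out = []
    for r in rows:
        if r["result"] != "OK" or not r.get("assigned"):
            continue
        for e in events:
            if e["EventID"] != 4624 or e.get("LogonType") != 10 or e.get("IpAddress") != r["assigned"]:
                continue
            if timedelta(0) <= ts(e["Time"]) - r["time"] <= skew:
                out.append((r["src"], r["user"], e["Computer"], e["Time"]))
    return out

# Constructed sample: 55 failures from one hosting-provider IP in the 01:00 hour,
# a success, an RDP logon to the jump host, discovery, Kerberoasting, a DC log clear.
SAMPLE_VPN = [f"2026-05-20T01:00:{i:02d}Z fw01 sslvpn: auth FAILED user=svc_legacy src=203.0.113.7"
              for i in range(55)]
SAMPLE_VPN.append("2026-05-20T01:02:10Z fw01 sslvpn: auth OK user=svc_legacy src=203.0.113.7 assigned=10.99.0.12")
SAMPLE_EVTX = [
    {"EventID": 4624, "Time": "2026-05-20T01:02:45Z", "LogonType": 10, "IpAddress": "10.99.0.12", "Computer": "JUMP01"},
    {"EventID": 4688, "Time": "2026-05-20T01:03:10Z", "Computer": "JUMP01", "CommandLine": "nltest.exe /dclist:"},
    {"EventID": 4688, "Time": "2026-05-20T01:03:15Z", "Computer": "JUMP01", "CommandLine": 'net.exe group "Domain Admins" /domain'},
    {"EventID": 4769, "Time": "2026-05-20T01:04:00Z", "IpAddress": "10.99.0.12", "TicketEncryptionType": "0x17", "ServiceName": "MSSQLSvc/db01.corp.local"},
    {"EventID": 4769, "Time": "2026-05-20T01:04:20Z", "IpAddress": "10.99.0.12", "TicketEncryptionType": "0x17", "ServiceName": "HTTP/intranet.corp.local"},
    {"EventID": 4769, "Time": "2026-05-20T01:05:05Z", "IpAddress": "10.99.0.12", "TicketEncryptionType": "0x17", "ServiceName": "svc_backup"},
    {"EventID": 4769, "Time": "2026-05-20T01:09:00Z", "IpAddress": "10.99.0.12", "TicketEncryptionType": "0x12", "ServiceName": "cifs/fs01"},
    {"EventID": 1102, "Time": "2026-05-20T02:40:00Z", "Computer": "DC01"},
]
```

The Kerberoast rule deliberately keys on the encryption type rather than on volume alone: a single workstation requesting RC4 tickets for several unrelated SPNs inside 90 seconds is the Rubeus/Impacket pattern, while an AES request for one SPN is normal. The clock-hour bucketing for failed auths is the simplest form of the diary's per-hour threshold; a sliding window catches attacks that straddle an hour boundary.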

ANNUAL REPORT — Rapid7 Q1 2026 Threat Landscape Report: vulnerability exploitation now top initial-access vector at 38 %; KEV median time to listing collapses to 5 days

From CTI Daily Brief — 2026-05-23 · published 2026-05-23

Rapid7 Labs published its Q1 2026 Threat Landscape Report on 2026-05-21 covering January–March 2026 IR data; the GlobeNewswire release accompanied the post the same day. The findings that change what a Swiss/EU public-sector SOC should prioritise:

  • Vulnerability exploitation accounted for 38 % of confirmed initial-access vectors, overtaking social engineering (24 %) in Rapid7's Q1 2026 dataset. The implication: edge / perimeter patch SLAs and exposure management now drive blast-radius more than awareness training does.
  • More than 50 % of actively exploited vulnerabilities in Q1 2026 were zero-click, network-facing flaws requiring no authentication or user interaction. The defensive prioritisation gradient sharpens: pre-auth network-facing CVEs > authenticated CVEs > anything user-interaction-dependent.
  • Median time from public disclosure to CISA KEV listing fell from 8.5 days to 5.0 days. Operators of EU/CH public-sector estates running on monthly patch windows lose ground every cycle; the report frames this as faster AI-assisted N-day weaponisation. PD-13 still applies — the KEV addition is the exploitation-confirmation signal, not a US-only compliance deadline — but the window between "vendor publishes" and "expect attempts" has narrowed materially.
  • Exploited vulnerabilities averaged 1.8 million mentions across forums, blogs and social media before operational targeting, making chatter spikes a leading indicator of imminent exploitation waves.
  • SQL injection became the most-exploited vulnerability class in Q1 2026, validating the Drupal CVE-2026-9082 story above as part of a broader shift.
  • RMM tool abuse accounted for 22.9 % of observed threat activity, ClickFix-style social engineering 18.8 % — both worth re-checking on EDR detection coverage in EU/CH environments where ClickFix browser drive-by is less culturally familiar than in U.S. consumer markets.

The report also covers a geopolitical layer (Iranian, Russian and Chinese campaigns synchronised with Middle East military escalation; tools mentioned include BPFDoor and ModeloRAT) and ransomware fragmentation (Qilin leads at 357 leak-site posts, The Gentlemen 206, Akira 174; pure-extortion without encryption continues to grow). Per PD-9 this is the dedicated treatment of the report; specific findings will be cited as context in future briefs rather than re-summarised.

SonicWall Gen6 SSL-VPN incomplete-patching (CVE-2024-12802) — Akira-linked actors brute-force MFA via UPN/SAM account-name split, February–March 2026 intrusions

From CTI Daily Brief — 2026-05-21 · published 2026-05-21

Threat actors whose TTPs are consistent with Akira ransomware activity successfully bypassed MFA on SonicWall Gen6 SSL-VPN appliances running officially-patched firmware between February and March 2026; SonicWall and incident-response vendors confirm the root cause is that the firmware update for CVE-2024-12802 (CVSS 9.1, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) does not by itself enforce MFA on both User Principal Name (user@domain) and SAM-account-name (DOMAIN\user) login formats — six additional manual LDAP-reconfiguration steps from SonicWall KB kA1VN0000000RBd0AM are required (Cybersecurity Dive, 2026-05-20; BleepingComputer, 2026-05-20). Attackers brute-forced credentials against the UPN login path — which accepts authentication without triggering MFA challenges when the LDAP reconfiguration is incomplete — at speed and without producing the standard authentication alerts; per BleepingComputer's reporting, intrusion responders observed sessions of 30 to 60 minutes during which attackers logged in, performed network reconnaissance, tested credential reuse on internal systems and logged out. Gen6 SSL-VPN reached end-of-life on 2026-04-16 and receives no further security updates; Gen7 and Gen8 are remediated by firmware update alone.

Why it matters to us: the technique is a textbook example of why CVSS / vendor-advised patch status is insufficient operational signal — the appliance shows a patched firmware version, MFA appears enabled in the admin UI, and authentications succeed against an alternative account-name format that bypasses the policy enforcement entirely.

Detection concept — SonicWall Gen6 SSL-VPN syslog filter for successful SSL-VPN authentications where the login field is UPN-format rather than SAM-format, especially from source IPs with high authentication-attempt volume; correlate with short-duration recon-and-credential-reuse sessions consistent with the 30-to-60-minute pattern BleepingComputer documents.

Hardening — complete every step in SonicWall KB kA1VN0000000RBd0AM; given Gen6 EoL, migrate to Gen7/Gen8 on a defined cut-over timeline.
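The detection concept above, as an added example for this page (not SonicWall's, BleepingComputer's or Cybersecurity Dive's code). The syslog field layout (usr="..." src=... msg="...") is a constructed approximation of a SonicWall SSL-VPN record, not a verified schema, so the regex must be adapted to the appliance's actual format; the message strings are likewise assumed.

```python
# Added example for this page, not SonicWall's, BleepingComputer's or
# Cybersecurity Dive's code. The field layout (usr="..." src=... msg="...") and
# the message strings approximate a SonicWall SSL-VPN syslog record but are
# constructed; adjust LINE_RE and the msg values to the appliance's real format.
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(r'^(?P<time>\S+) .*?usr="(?P<user>[^"]+)".*?src=(?P<src>[\d.]+).*?msg="(?P<msg>[^"]+)"')

def login_format(user: str) -> str:
    """UPN is user@domain, SAM is DOMAIN\\user; in the incomplete-patch state MFA
    was enforced for one spelling of the same account but not the other."""
    if "@" in user:
        return "UPN"
    if "\\" in user:
        return "SAM"
    return "BARE"

def account_key(user: str) -> str:
    """Collapse both spellings of one account to a comparable key:
    'CORP\\j.muster' and 'j.muster@corp.example' both become 'j.muster'."""
    return user.split("\\")[-1].split("@")[0].lower()

def parse(lines):
    rows = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["time"] = datetime.fromisoformat(d["time"].replace("Z", "+00:00"))
            d["format"] = login_format(d["user"])
            rows.append(d)
    return rows

def upn_successes_from_noisy_sources(rows, min_attempts=20):
    """Successful logins whose login field is UPN-format, from source IPs that
    produced at least `min_attempts` login events (brute force followed by a hit)."""
    attempts = Counter(r["src"] for r in rows if r["msg"].startswith("SSL VPN login"))
    return sorted({(r["src"], r["user"]) for r in rows
                   if r["msg"] == "SSL VPN login succeeded" and r["format"] == "UPN"
                   and attempts[r["src"]] >= min_attempts})

def session_durations(rows):
    """Pair each login with the next logout for the same src + account; minutes."""
    open_at, out = {}, []
    for r in sorted(rows, key=lambda r: r["time"]):
        key = (r["src"], account_key(r["user"]))
        if r["msg"] == "SSL VPN login succeeded":
            open_at[key] = r["time"]
        elif r["msg"] == "SSL VPN logout" and key in open_at:
            out.append((key, (r["time"] - open_at.pop(key)).total_seconds() / 60))
    return out

def short_recon_sessions(rows, low=30, high=60):
    """Sessions in the 30-to-60-minute band BleepingComputer describes: log in,
    enumerate, test credential reuse, log out."""
    return [(k, m) for k, m in session_durations(rows) if low <= m <= high]

# Constructed sample: 24 failures then one UPN-format success from a single IP,
# a 42-minute session, and a normal SAM-format user for contrast.
SAMPLE = [f'2026-03-02T03:00:{i:02d}Z sw01 id=sslvpn usr="j.muster@corp.example" '
          f'src=198.51.100.9 msg="SSL VPN login failed"' for i in range(24)]
SAMPLE += [
    '2026-03-02T03:05:00Z sw01 id=sslvpn usr="j.muster@corp.example" src=198.51.100.9 msg="SSL VPN login succeeded"',
    '2026-03-02T03:47:00Z sw01 id=sslvpn usr="j.muster@corp.example" src=198.51.100.9 msg="SSL VPN logout"',
    '2026-03-02T07:30:00Z sw01 id=sslvpn usr="CORP\\a.keller" src=192.0.2.44 msg="SSL VPN login succeeded"',
    '2026-03-02T16:00:00Z sw01 id=sslvpn usr="CORP\\a.keller" src=192.0.2.44 msg="SSL VPN logout"',
]
```

account_key is the piece that makes the UPN/SAM split visible at all: without collapsing both spellings to one identity, a UPN-format success looks like a different user from the SAM-format account the MFA policy was written for.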

Keycloak 26.6.2 — 16 CVEs including OIDC session fixation (CVE-2026-7507), WebAuthn execute-actions token replay (CVE-2026-37982), introspection audience bypass (CVE-2026-37979) and cross-realm IDOR in Authorization Services (CVE-2026-4630)

From CTI Daily Brief — 2026-05-21 · published 2026-05-21

The Keycloak project shipped 26.6.2 on 2026-05-19, fixing 16 CVEs across identity, authentication and authorisation subsystems; BSI's CERT-Bund issued advisory WID-SEC-2026-1612 on 2026-05-20 classifying the batch as HIGH risk (Keycloak Project, 2026-05-19; BSI CERT-Bund, 2026-05-20). The operationally highest-priority CVEs for public-sector defenders:

  • CVE-2026-7507 — session fixation in the OIDC login flow where a crafted state parameter before user authentication completes enables account takeover (T1078 Valid Accounts, T1556 Modify Authentication Process).
  • CVE-2026-37982 — execute-actions token replay allowing unauthorised WebAuthn / FIDO2 credential enrollment on a victim account after one user interaction (T1098.005 Account Manipulation: Device Registration).
  • CVE-2026-37979 — the OIDC token introspection endpoint /auth/realms/{realm}/protocol/openid-connect/token/introspect does not enforce audience restrictions, leaking claims from lightweight access tokens scoped to one client when presented to any introspection-enabled endpoint.
  • CVE-2026-4630 — cross-resource-server IDOR in the Authorization Services Protection API allowing an authenticated attacker with a token from realm A to read or modify resource permissions in realm B on the same Keycloak instance.
  • CVE-2026-37978 — cross-role PII leakage via the admin /auth/admin/realms/{realm}/clients/{client}/evaluate-scopes endpoint bypassing user-view permissions.
  • CVE-2026-6856 — acceptable-AAGUID policy bypass in WebAuthn packed self-attestation, allowing enrollment of hardware tokens outside the configured policy list.

Fix: upgrade to 26.6.2; Red Hat build of Keycloak (RH-SSO / RHBK) 26.2.x is similarly affected via separate RHSA advisories.

Defender takeaway: Keycloak is the de-facto standard IAM for EU public-sector and Swiss cantonal / federal identity federation projects, with multiple member-state digital-identity frameworks and national eHealth platforms built on top.

Detection concept — admin audit-log entries showing token-introspection responses for mismatched audiences; cross-realm access attempts surfaced as RESOURCE_TYPE: authorization_resource in admin event logs; WebAuthn enrollment events with an AAGUID outside the configured policy list.

CVE Summary Table

CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source
CVE-2026-9082 | Drupal core (PostgreSQL backend) | 20/25 (Drupal scale) | not yet scored | No | No (vendor warned of within-hours weaponisation) | 10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10 (2026-05-20) | Drupal
CVE-2026-42822 | Microsoft Azure Local Disconnected Operations (ALDO) | 10.0 | not yet scored | No | No (MSRC: "Exploitation More Likely") | ALDO 2604+ (2026-05-18) | MSRC
CVE-2026-45829 | ChromaDB Python FastAPI server | 10.0 (CVSS 4.0) | not yet scored | No | No (public PoC by HiddenLayer) | None — v1.5.9 unpatched at disclosure | Hadrian
CVE-2026-7507 | Keycloak (OIDC login session fixation) | not yet assigned (BSI HIGH) | not yet scored | No | No | 26.6.2 (2026-05-19) | Keycloak
CVE-2024-12802 | SonicWall Gen6 SSL-VPN | 9.1 (CVSS 3.1) | not retrieved | No | Yes — Akira-linked, Feb–Mar 2026 | Firmware update insufficient without 6-step LDAP reconfig; Gen6 EoL 2026-04-16 | Cybersecurity Dive

Microsoft DCU disrupts Fox Tempest malware-signing-as-a-service feeding Rhysida, INC, Qilin and Akira ransomware operations

From CTI Daily Brief — 2026-05-20 · published 2026-05-20

Microsoft Threat Intelligence published a detailed exposure of "Fox Tempest" on 2026-05-19, concurrent with the Microsoft Digital Crimes Unit unsealing a U.S. District Court (SDNY) civil action and seizing the signspace[.]cloud infrastructure (The Record, 2026-05-19). The actor operated a malware-signing-as-a-service (MSaaS) since at least May 2025, abusing Microsoft Artifact Signing (formerly Azure Trusted Signing) to mint short-lived (72-hour) code-signing certificates tied to stolen US and Canadian identities (Microsoft Threat Intelligence). Customers uploaded malicious binaries — masquerading as AnyDesk, Teams, PuTTY, Webex — and received Microsoft-signed executables that bypassed AV/EDR signing checks. Microsoft's write-up details the service's commercialisation: short-lived signing certificates sold to ransomware affiliates per signing run, with infrastructure transitioning in February 2026 to VM-based delivery on Cloudzy-hosted hosts that accepted customer binaries and returned signed outputs.

Confirmed downstream customers: Vanilla Tempest (deploying Rhysida ransomware via Microsoft-signed MSTeamsSetup.exe carrying the Oyster/Broomstick backdoor), Storm-0501, Storm-2561, Storm-0249, and ransomware families Rhysida, INC, Qilin, Akira, plus commodity loaders Oyster, Lumma Stealer, and Vidar. Microsoft revoked 1,000+ fraudulent code-signing certificates, disabled hundreds of Cloudzy-hosted VMs that Fox Tempest used as its delivery surface, and rolled identity-validation controls into Artifact Signing. Microsoft's blog notes confirmed affected sectors include healthcare, education, government, and financial services across the US, France, India, and China.

Why it matters to us: European public-sector and healthcare organisations are explicit downstream victims of the affiliates Fox Tempest serviced (Rhysida, Qilin, Akira have all hit EU targets). Hunt for Microsoft-signed PE binaries with certificate validity ≤72 hours issued by "Trusted Signing" intermediaries after 2025-05-01 where the signing CN does not match a known organisational EV entity. Where Teams.exe / AnyDesk.exe / PuTTY / Webex installers spawn cmd.exe / powershell.exe / rundll32 / regsvr32 without the expected Microsoft installer ancestry (Sysmon EID 1 with parent-image filter), treat as Oyster/Broomstick suspect. Restrict Artifact Signing tenant creation; require phishing-resistant MFA + compliant device for Azure subscription management; alert in Defender for Cloud Apps on rapid certificate creation from newly enrolled tenants (Add-AzKeyVaultCertificate).
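The hunts described here and in the Mistic item above, as one added example for this page (not Symantec's, Microsoft's or any EDR vendor's rule). It runs over constructed Sysmon events (dicts using Sysmon field names) and a constructed code-signature inventory of the kind a signature export would produce. Two assumptions are built in: Defender platform binaries may legitimately load from the ProgramData Platform\<version>\ directory as well as %ProgramFiles%\Windows Defender\, and Trusted Signing issuer names contain "Microsoft ID Verified"; the sample paths, subjects and issuer string are invented.

```python
# Added example for this page, not Symantec's, Microsoft's or any EDR vendor's
# rule. Mistic and Fox Tempest hunts over constructed Sysmon events and a
# constructed signature inventory (path, subject, issuer, not_before, not_after).
# Assumptions: Defender platform DLLs may also load from the ProgramData
# Platform\<version>\ directory; Trusted Signing issuers contain "Microsoft ID Verified".
import ntpath
from datetime import datetime, timedelta

DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",  # assumption, see above
)
LURE_PARENTS = {"teams.exe", "ms-teams.exe", "msteamssetup.exe", "anydesk.exe", "putty.exe",
                "webex.exe", "webexapp.exe", "winword.exe", "excel.exe", "outlook.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe"}

def base(path: str) -> str:
    return ntpath.basename(path).lower()

def mistic_sideload(events):
    """Sysmon EID 7: EndpointDlp.dll loaded from outside the Defender directories
    or without a valid Microsoft signature. Returns (loader, dll) pairs."""
    hits = []
    for e in events:
        if e.get("EventID") != 7 or base(e.get("ImageLoaded", "")) != "endpointdlp.dll":
            continue
        path = e["ImageLoaded"].lower()
        in_defender_dir = any(path.startswith(d) for d in DEFENDER_DIRS)
        ms_signed = (e.get("SignatureStatus") == "Valid"
                     and e.get("Signature", "").startswith("Microsoft"))
        if not (in_defender_dir and ms_signed):
            hits.append((e["Image"], e["ImageLoaded"]))
    return hits

def lolbin_from_lure(events):
    """Sysmon EID 1: cmd/powershell/rundll32/regsvr32 whose parent image is a
    Teams, AnyDesk, PuTTY, Webex or Office executable (ClickFix lures and
    trojanised installers both produce this parent chain)."""
    return [(e["ParentImage"], e["Image"], e.get("CommandLine", ""))
            for e in events
            if e.get("EventID") == 1 and base(e.get("Image", "")) in LOLBINS
            and base(e.get("ParentImage", "")) in LURE_PARENTS]

def short_lived_trusted_signing(inventory, known_subjects=frozenset(), max_hours=72,
                                since=datetime(2025, 5, 1), issuer_marker="microsoft id verified"):
    """Binaries signed by a Trusted Signing issuer with a certificate valid for at
    most `max_hours`, issued on/after `since`, whose subject is not an allow-listed
    organisational identity. Legitimate Trusted Signing certificates are short-lived
    too, so the subject allow-list is what separates them from Fox Tempest output."""
    hits = []
    for r in inventory:
        nb = datetime.fromisoformat(r["not_before"])
        na = datetime.fromisoformat(r["not_after"])
        if (issuer_marker in r["issuer"].lower() and nb >= since
                and na - nb <= timedelta(hours=max_hours)
                and r["subject"] not in known_subjects):
            hits.append((r["path"], r["subject"]))
    return hits

# Constructed sample telemetry (paths, names, issuer string and command line are invented).
SAMPLE_SYSMON = [
    {"EventID": 7, "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26040.1-0\\MpExtMs.exe",
     "ImageLoaded": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.26040.1-0\\EndpointDlp.dll",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\MpExtMs.exe",
     "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\EndpointDlp.dll",
     "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Users\\u\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c (payload omitted)"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe"},
]
SAMPLE_INVENTORY = [
    {"path": "C:\\Users\\u\\Downloads\\MSTeamsSetup.exe", "subject": "CN=Contoso Labs LLC",
     "issuer": "CN=Microsoft ID Verified CS EOC CA 01",
     "not_before": "2026-02-03T09:00:00", "not_after": "2026-02-06T09:00:00"},
    {"path": "C:\\Program Files\\Vendor\\app.exe", "subject": "CN=Known Vendor AG",
     "issuer": "CN=Microsoft ID Verified CS EOC CA 01",
     "not_before": "2026-02-03T09:00:00", "not_after": "2026-02-06T09:00:00"},
    {"path": "C:\\Windows\\System32\\notepad.exe", "subject": "CN=Microsoft Windows",
     "issuer": "CN=Microsoft Windows Production PCA 2011",
     "not_before": "2025-09-01T00:00:00", "not_after": "2026-09-01T00:00:00"},
]
```

The Mistic check is deliberately a conjunction: a legitimate Defender path with a valid Microsoft signature is the only combination that passes, so a Microsoft-signed copy dropped in a user-writable directory (the Fox Tempest scenario applied to a sideloading host) is still flagged. The signature hunt needs the allow-list of the organisation's own Trusted Signing identities, because certificate lifetime alone cannot distinguish a legitimate short-lived certificate from a fraudulent one.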

SonicWall Gen6 SSL-VPN CVE-2024-12802 — Akira-linked actors bypassing MFA on *officially-patched* firmware

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

If you did nothing this week: patching alone did not close this. Actors whose TTPs match Akira ransomware successfully bypassed MFA on SonicWall Gen6 SSL-VPN appliances running officially-patched firmware between February and March 2026, by abusing a UPN/SAM account-name split in the authentication path — covered 2026-05-21.

This is an incomplete-patch case (CVE-2024-12802, CVSS 9.1): the original fix did not fully remediate the MFA-bypass path, so a "patched" appliance can still be brute-forced through the account-name-split primitive. Swiss/EU public-sector and finance estates that treated the earlier SonicWall advisory as closed should re-open it: audit SSL-VPN authentication logs for UPN-vs-SAM mismatches and repeated MFA challenges, and confirm the appliance is on the firmware build that fully closes CVE-2024-12802 rather than the earlier partial fix.

Fox Tempest — Microsoft DCU disrupts the malware-signing service feeding Rhysida, INC, Qilin and Akira

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

Microsoft Threat Intelligence and the Digital Crimes Unit disrupted Fox Tempest, a malware-signing-as-a-service operation that supplied code-signing to multiple ransomware operations (daily 2026-05-20). Status: disrupted via combined intelligence exposure and a sealed US legal action. The defender takeaway is that code-signing trust on binaries attributable to Rhysida/INC/Qilin/Akira tooling should not be treated as a benign signal — the signing pipeline was a criminal service.

Akira ransomware on Groupe 3R — 20 Swiss medical-imaging centres across seven cantons; second cyberattack on the same operator within twelve months

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

If you did nothing this week: Swiss and DACH healthcare operators with internet-exposed Cisco ASA / FTD, Fortinet SSL-VPN, or VMware ESXi management interfaces — Akira's documented edge-device initial-access targets — face the same playbook used here. Groupe 3R confirmed the attack on its own website 2026-04-30, filed a criminal complaint, notified the Federal Office for Cybersecurity (BACS/OFCS), and explicitly stated it will not pay ransom; Akira's leak-site listing on approximately 2026-05-08 claims 48 GB exfiltrated including employee identity documents, patient records, payment information, and signed NDAs (Groupe 3R victim statement, 2026-04-30 · ICTjournal.ch, 2026-05-06 · Blick.ch, 2026-05-07 · daily 2026-05-10).

Groupe 3R (Réseau Radiologique Romand) operates ~20 medical-imaging centres across seven Swiss cantons listed in the operator statement (Vaud, Valais, Fribourg, Genève, Neuchâtel, Berne — six in Romandie — plus Zürich in German-speaking Switzerland) — a direct Swiss critical-health-infrastructure incident, and the operator's second cyberattack within twelve months (the prior April 2025 incident is acknowledged in the operator's own statement as having involved different attackers and methodology). Legacy examination data remains inaccessible at week-end; new examination data security has been restored on rebuilt infrastructure. Data-exfiltration was not confirmed by the victim; Akira's leak-site post asserts 48 GB exfiltrated. Akira's documented playbook against European healthcare and SME targets emphasises edge-device initial access (Cisco ASA/FTD CVEs, Fortinet SSL-VPN CVEs, VMware ESXi authenticated RCE) and intermittent file-encryption to evade EDR file-IO heuristics — observed ATT&CK techniques include T1190, T1133 External Remote Services, T1486 Data Encrypted for Impact, and T1567 Exfiltration Over Web Service. Defenders should re-validate patch state on the edge devices in Akira's standard target list, confirm EDR rules trigger on intermittent-encryption write-skip-write file-IO patterns, and verify radiology-modality VLAN segmentation from corporate Active Directory — PACS/RIS environments tend to co-tenant with Windows file shares, providing trivial east-west reach once an attacker lands. The Akira-as-actor attribution comes from ransomware.live (aggregator), not from the victim or an independent primary; logged with confidence HIGH on incident, MEDIUM on actor.

Healthcare (CH, NL)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Two healthcare incidents define the sector picture this week, both with European public-sector concentration. Groupe 3R (Switzerland) — Akira leak-site listing on a Romandie medical-imaging operator running 20 centres across seven cantons; the operator confirmed publicly on 2026-04-30, will not pay ransom, and is operating with legacy examination data still inaccessible at week-end (Groupe 3R victim statement · daily 2026-05-10). ChipSoft (Netherlands) — The 7 April 2026 attack on the Dutch healthcare software vendor — whose HiX platform serves roughly 70% of Dutch hospitals — was first reported with attacker identity unknown (The Record, 2026-04-09); the Embargo ransomware group's claim of responsibility, alongside the 66 Dutch DPA notifications, was reported in the subsequent NL Times follow-up. On 28–29 April ChipSoft stated the exfiltrated data had been destroyed in language Dutch security experts noted strongly implies a ransom was paid (ChipSoft did not confirm) (NL Times, 2026-04-29 · daily 2026-05-07). Both incidents reinforce the same cross-finding pattern: ransomware operators' claims of data destruction are inherently unverifiable; GDPR breach-notification obligations and long-term breach-response posture do not expire when an attacker says they deleted the copy.

Mandiant M-Trends 2026

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

M-Trends 2026 (published 2026-03-23, first covered 2026-05-07) reinforces three cross-cutting trends visible in this week's incidents: voice phishing surged to the second most prevalent initial-access vector at 11% (overtaking email phishing at 6%) driven by IT help-desk impersonation and SaaS OAuth token theft — directly evidenced this week in the ADT vishing → Okta SSO → Salesforce pivot and in MuddyWater's Teams external-access helpdesk pretext (§ 7); ransomware initial access via prior compromise doubled to 30% — implicit in the access-broker / ransomware-affiliate model behind Akira, Embargo, and Qilin's targeting of European victims; and edge-device persistence on VPNs, routers, and network appliances without EDR coverage remains the dominant initial-access technique for state-sponsored espionage — directly mirrored in CL-STA-1132's PAN-OS exploitation and in Ivanti EPMM's named EU victims. The reframe IOCTA does not give but M-Trends does: median dwell time globally has increased to 14 days (up from 11 in 2024) and espionage-focused intrusions average 122-day median dwell — i.e. when the Ivanti EPMM and PAN-OS post-compromise hunting horizons land on retrospective log review back to March/April, that horizon is consistent with Mandiant's observed espionage dwell envelope. (Google Cloud / Mandiant M-Trends 2026, 2026-03-23; daily 2026-05-07).

Akira ransomware — Swiss healthcare case confirmed; broader European playbook unchanged

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Current state: Akira's leak-site listing on Groupe 3R (§ 1) is the operationally specific Swiss-healthcare development this week. The broader Akira playbook (edge-device initial access via Cisco ASA/FTD, Fortinet SSL-VPN, VMware ESXi authenticated RCE; intermittent file-encryption to evade EDR file-IO heuristics) has been documented across European healthcare and SME targeting throughout 2025 and into 2026. No major Akira TTP shift detected in this week's reporting; the operator continues to favour edge-device initial access and double-extortion (encrypt + leak). Outstanding defender question: whether the Groupe 3R "will not pay" public stance changes the operator's posture for repeat victims (3R's prior April 2025 incident is acknowledged in its own statement as having involved different attackers and methodology).

Akira playbook quarterly context — Q1 2026 healthcare concentration; Qilin remains the dominant operator on German healthcare victims

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

W1 horizon research added Q1 2026 healthcare quarterly context to the Groupe 3R item in § 1. Across Q1 2026, Akira posted 84 victims in March alone (second-most-active month on record) and claimed 5 healthcare victims; Qilin led healthcare at 23 claims (with RENAFAN GmbH and Suchthilfe direkt Essen gGmbH as Qilin's confirmed German victims), and The Gentlemen at 10 healthcare claims (Comparitech Q1 2026 Healthcare, 2026-04-29 · CyberMaxx Q1 2026). Akira's documented attack chain for healthcare: initial access via unpatched VPN (Cisco ASA, SonicWall, Fortinet) or compromised RDP credentials; lateral movement via T1021.001 Remote Services: Remote Desktop Protocol and T1047 Windows Management Instrumentation; LSASS credential harvesting via comsvcs.dll / Mimikatz; AV termination via PowerTool weaponising the Zemana AntiMalware driver (BYOVD); data exfiltration; double extortion. The cross-finding for Swiss / DACH operators reading after Groupe 3R: at least two ransomware-as-a-service operators (Akira and Qilin) are hitting European healthcare in Q1–Q2 2026 via the edge-device / unpatched-VPN attack surface, and the operator that hits a given hospital is less salient defensively than the shared initial-access funnel they exploit.

Groupe 3R (Réseau Radiologique Romand) — Akira ransomware claims 48 GB; 20 imaging centres across seven Swiss cantons, second attack in twelve months

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

Akira listed Groupe 3R on its dark-web leak site on approximately 2026-05-08, claiming an attack dated 2026-04-30 and threatening release of 48 GB including employee identity documents (passports, driving licences, national IDs), patient records (addresses, phone numbers, medical data), payment information, and signed NDAs (Groupe 3R victim statement, 2026-04-30 · ICTjournal.ch, 2026-05-06 · Blick.ch, 2026-05-07). Groupe 3R operates 20 medical-imaging centres across seven Romandie cantons (Vaud, Valais, Fribourg, Genève, Neuchâtel, Berne, and a further canton listed in the operator statement) — making this a direct Swiss critical-health-infrastructure incident. The operator confirmed the attack publicly via its own website on 2026-04-30, notified the Federal Office for Cybersecurity (BACS/OFCS), filed a criminal complaint, and explicitly stated it will not pay ransom. Legacy examination data remains inaccessible at the time of the public update; new examination data security has been restored on rebuilt infrastructure. Data-exfiltration was not confirmed by the victim; Akira's leak-site post asserts 48 GB exfiltrated. The operator's own statement notes this is its second cyberattack within twelve months and characterises the prior April 2025 incident as having involved different attackers and methodology.

Akira's documented playbook against European healthcare and small-to-mid enterprise targets emphasises edge-device initial access (Cisco ASA / FTD CVEs, Fortinet SSL-VPN CVEs, VMware ESXi authenticated RCE) and intermittent file-encryption to evade EDR file-IO heuristics; ATT&CK techniques observed across recent Akira incidents include T1190 Exploit Public-Facing Application, T1133 External Remote Services, T1486 Data Encrypted for Impact, and T1567 Exfiltration Over Web Service.

Defender takeaway: Swiss and DACH healthcare operators with internet-exposed Cisco ASA/FTD, Fortinet SSL-VPN, or VMware ESXi management interfaces should validate that all 2025–2026 Akira-targeted CVEs are patched, that EDR rules trigger on intermittent-encryption file-IO patterns (write-then-skip-then-write of fixed-block ranges), and that radiology-modality VLANs are network-segmented from corporate AD; PACS/RIS environments tend to co-tenant with Windows file shares, providing trivial east-west reach once an attacker lands. Imaging operators that depend on a single ransomware-targeted partner should review business-continuity arrangements: this is the second 3R outage inside a year and referrers will already have continuity questions.
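Two checks for the intermittent-encryption pattern named above, as an added example for this page (not Akira's encryptor and not any EDR vendor's rule): a per-block entropy profile of a file on disk, which is what a responder can run on a recovered share during triage, and a stride check over the (offset, length) writes an EDR sees on one file handle. The sample file and write telemetry are constructed with a seeded PRNG so the results are deterministic; the 4096-byte block and the 7.5-bit entropy threshold are illustrative choices, not Akira's parameters.

```python
# Added example for this page, not Akira's encryptor and not any EDR vendor's
# rule. Two checks for write-skip-write encryption: an on-disk entropy profile
# (forensic triage) and a stride check over write offsets (EDR-side). Sample
# data is constructed with a seeded PRNG so the results are deterministic.
import math
import random
from collections import Counter

BLOCK = 4096

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, typically under 6 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def block_labels(data: bytes, block: int = BLOCK, threshold: float = 7.5) -> str:
    """One character per block: 'H' if it looks encrypted, 'L' otherwise."""
    return "".join("H" if shannon_entropy(data[i:i + block]) >= threshold else "L"
                   for i in range(0, len(data), block))

def run_lengths(labels: str):
    runs = []
    for ch in labels:
        if runs and runs[-1][0] == ch:
            runs[-1][1] += 1
        else:
            runs.append([ch, 1])
    return [(c, n) for c, n in runs]

def intermittent_profile(data: bytes, block: int = BLOCK, min_cycles: int = 2):
    """(encrypted_blocks, skipped_blocks, cycles) when the file alternates H and L
    runs of stable length; None for untouched or fully encrypted files, which
    produce a single run and need a different detection."""
    runs = run_lengths(block_labels(data, block))
    h = [n for c, n in runs if c == "H"]
    l = [n for c, n in runs if c == "L"]
    if len(h) < min_cycles or not l:
        return None
    h_mode, h_cnt = Counter(h).most_common(1)[0]
    l_mode, l_cnt = Counter(l).most_common(1)[0]
    if h_cnt >= min_cycles and l_cnt >= min_cycles - 1:
        return (h_mode, l_mode, h_cnt)
    return None

def write_stride(writes, min_writes: int = 4):
    """writes: (offset, length) pairs for one file handle. Returns
    (stride, length, coverage) when writes land at a constant offset step larger
    than their length, i.e. the encryptor skips a fixed range between writes."""
    if len(writes) < min_writes:
        return None
    w = sorted(writes)
    steps = {w[i + 1][0] - w[i][0] for i in range(len(w) - 1)}
    lengths = {n for _, n in w}
    if len(steps) != 1 or len(lengths) != 1:
        return None
    step, length = steps.pop(), lengths.pop()
    return (step, length, round(length / step, 2)) if step > length else None

# Constructed samples: a "document" of repeated text with every 2 of 5 blocks
# replaced by pseudo-random bytes (6 cycles), plus fully plain / fully random files.
_rng = random.Random(7)

def _rand_bytes(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))

_text = (b"Patient 0042 MRI thorax 2026-04-29 report: no acute findings. " * 80)[:BLOCK]
SAMPLE_PARTIAL = b"".join((_rand_bytes(BLOCK) if i % 5 < 2 else _text) for i in range(30))
SAMPLE_PLAIN = _text * 30
SAMPLE_FULL = _rand_bytes(BLOCK * 30)
SAMPLE_WRITES = [(i * 5 * BLOCK, 2 * BLOCK) for i in range(6)]  # write 2 blocks, skip 3
SEQUENTIAL_WRITES = [(i * BLOCK, BLOCK) for i in range(6)]       # ordinary full rewrite
```

The on-disk profile is the more robust of the two for triage, because it does not depend on the EDR having kept write telemetry: a file that alternates fixed-length runs of ciphertext and plaintext has been touched by an intermittent encryptor regardless of which family did it. The stride check is the telemetry-side counterpart and is what an EDR rule on "write-then-skip-then-write" reduces to; a backup job or a database rewriting a file sequentially has step equal to length and is not flagged.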

Validate Akira-targeted edge-device CVE patch state in CH/EU healthcare

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

Swiss and DACH healthcare operators (and any organisation operating PACS/RIS or radiology-modality networks) should re-validate patch state on Cisco ASA / FTD, Fortinet SSL-VPN, and VMware ESXi management interfaces, and confirm radiology-modality VLAN segmentation from corporate Active Directory. Confirm EDR rules trigger on intermittent file-encryption file-IO patterns. Review business-continuity contracts for ransomware-targeted single-supplier dependencies (the second 3R outage in twelve months will already have referrer-side continuity questions).