Webcams Hijacked – Malicious Akira Ransomware

For businesses and IT teams, this attack underscores the need to harden security measures beyond endpoint protection, ensuring webcams and other network-connected devices are not exploited as weak links.

The Akira ransomware gang has been spotted using an unsecured webcam to execute encryption attacks, successfully evading Endpoint Detection and Response (EDR), which had blocked their encryptor on Windows. This sophisticated ransomware attack was uncovered by cybersecurity firm S-RM during an incident response investigation.

Akira’s Unorthodox Attack Chain

The attack began when threat actors gained access to the corporate network via an exposed remote access solution, likely exploiting stolen credentials or brute-force attacks. Once inside, they:

Deployed AnyDesk, a legitimate remote access tool, to exfiltrate sensitive data for a double extortion attack.
Used Remote Desktop Protocol (RDP) to move laterally and expand their presence.
Dropped a password-protected ZIP file (win.zip) containing the ransomware payload (win.exe).
The victim’s EDR solution detected and quarantined the payload, blocking encryption on Windows devices.

Leveraging IoT Weaknesses for Encryption

After failing to deploy ransomware via traditional means, Akira scanned the network for alternative devices and found a webcam and fingerprint scanner. The attackers chose the webcam because:

It was vulnerable to remote shell access and unauthorized video feed viewing.
It ran a Linux-based operating system, compatible with Akira’s Linux encryptor.
It lacked an EDR agent, making it an ideal target for remotely encrypting files on network shares.

How Akira Used a Webcam to Encrypt Files

S-RM confirmed that Akira mounted Windows SMB network shares from the webcam’s Linux OS. By launching the Linux encryptor from the webcam, they successfully encrypted network shares over SMB, bypassing EDR protections.

Because the webcam was not monitored, the victim’s security team failed to detect the spike in malicious SMB traffic, allowing Akira to encrypt files across the entire network.

Key Takeaways & Security Best Practices

EDR alone is not enough—organizations must adopt multi-layered security to protect against advanced cyber threats.
IoT devices, including webcams and fingerprint scanners, pose significant risks if left unpatched and unmonitored.
IoT devices should be isolated from production networks to prevent lateral movement in case of compromise.
Firmware updates are critical—patch known vulnerabilities to close potential attack vectors.

This ransomware attack underscores the evolving tactics used by cybercriminals to bypass endpoint security. Businesses must harden defenses, monitor network activity, and secure all connected devices to prevent similar IoT-based ransomware attacks.