Akira ransomware group bypasses EDR via a webcam

Posted date 27/03/2025

The cybersecurity company S-RM has disclosed a new tactic used by the Akira ransomware group: the ransomware was deployed from a webcam, bypassing the victim's EDR protection. S-RM analysed the incident itself while monitoring the private network of its customer, the victim of the attack.

In a first step, Akira gained access to the victim's server by exploiting the Windows remote desktop service. Once inside, the attacker downloaded a ZIP file containing the ransomware binary. At this point the EDR deployed on the server detected the download and quarantined the binary, identifying it as ransomware.

After this first attempt failed, the attacker scanned the internal network and found a webcam running a vulnerable, unprotected Linux system. Through it, the attacker gained access to the camera and deployed the ransomware from there. Because the device was not being monitored, the victim organization's security team did not notice the increase in malicious traffic from the webcam, which allowed the files on the server to be encrypted while bypassing EDR protection.

This incident highlights the risks arising from the lack of monitoring and maintenance of IoT devices, and the need to isolate and segment networks so that attackers find it harder to reach sensitive equipment in the organization.
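The traffic the victim's team missed was a camera talking SMB to a file server. As an added example (not code from S-RM or from the article), the following Python sketch shows the kind of network-level check that would have surfaced it: it scans simplified NetFlow-style records for SMB (port 445) sessions whose source sits in an IoT VLAN and whose destination is a server, and escalates when the byte volume from one IoT host is large. The subnets, the volume threshold and the flow records are all assumptions constructed for the example.

```python
"""Detection sketch: SMB sessions originating from IoT devices.

Assumed (hypothetical) network layout: cameras and other IoT gear live in
10.20.0.0/24, file servers in 10.0.1.0/24.  Flow records are simplified
NetFlow/IPFIX-style tuples constructed for this example, not real telemetry.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# (timestamp, src_ip, dst_ip, dst_port, bytes)
Flow = Tuple[str, str, str, int, int]

IOT_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]    # assumed camera/IoT VLAN
SERVER_SUBNETS = [ipaddress.ip_network("10.0.1.0/24")]  # assumed server VLAN
SMB_PORT = 445
# A camera has no business pushing a meaningful volume of data at a file
# server over SMB; above this many bytes the finding is escalated.
HIGH_VOLUME_BYTES = 1_000_000

# Constructed sample flows.
SAMPLE_FLOWS: List[Flow] = [
    ("2025-03-01T02:10:00Z", "10.20.0.15", "10.0.1.5", 445, 250_000),  # camera -> file server, SMB
    ("2025-03-01T02:11:00Z", "10.20.0.15", "10.0.1.5", 445, 900_000),  # same camera, sustained SMB
    ("2025-03-01T02:12:00Z", "10.0.1.7",   "10.0.1.5", 445, 50_000),   # server -> server, expected
    ("2025-03-01T02:13:00Z", "10.20.0.15", "10.0.1.5", 80,  3_000),    # camera -> server HTTP, not SMB
    ("2025-03-01T02:14:00Z", "10.20.0.22", "10.0.1.5", 445, 1_200),    # second camera, one small SMB flow
]


def in_any(ip: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if ip belongs to any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def iot_smb_to_servers(flows: Iterable[Flow]) -> Dict[str, dict]:
    """Aggregate SMB flows from IoT hosts to servers, keyed by source IP."""
    findings: Dict[str, dict] = defaultdict(
        lambda: {"bytes": 0, "flows": 0, "targets": set()}
    )
    for _ts, src, dst, dport, nbytes in flows:
        if dport != SMB_PORT:
            continue
        if not (in_any(src, IOT_SUBNETS) and in_any(dst, SERVER_SUBNETS)):
            continue
        f = findings[src]
        f["bytes"] += nbytes
        f["flows"] += 1
        f["targets"].add(dst)
    return dict(findings)


def severity(finding: dict) -> str:
    """Any SMB from an IoT host is suspicious; high volume is worse."""
    return "high" if finding["bytes"] >= HIGH_VOLUME_BYTES else "medium"


def alerts(flows: Iterable[Flow]) -> List[str]:
    """Human-readable alert lines, one per offending IoT host."""
    out = []
    for src, f in sorted(iot_smb_to_servers(flows).items()):
        out.append(
            f"[{severity(f)}] IoT host {src} opened {f['flows']} SMB flow(s) "
            f"({f['bytes']} bytes) to {', '.join(sorted(f['targets']))}"
        )
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_FLOWS):
        print(line)
```

The rule deliberately fires on a single small SMB flow from a camera as well as on a high-volume one: the right baseline for an IoT VLAN is zero SMB towards servers, and the check only works if segmentation (a firewall rule blocking 445 from the IoT VLAN) is either in place or its absence is being watched for. Known exceptions should be added as an explicit allowlist rather than by raising the threshold.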