Episode #121

How Akira hits thousands of SMBs with $50K-$150K ransoms undetected | Alex Bovicelli

In part two of this conversation, Alex Bovicelli, Senior Director of Threat Intelligence at Tokio Marine HCC, gets into what the industry keeps getting wrong about ransomware targeting. The organizations getting hit most often are not the ones making headlines, and the attack methods used against them require far less sophistication than most practitioners assume.

Drawing from claims data across thousands of insured companies, Alex explains how groups like Akira have deliberately built around high-volume, low-ransom SMB campaigns, why unpatched MSP tooling is one of the most consistently exploited entry points and one that most defenders aren't tracking, and how a low-tier threat actor sitting on an infected employee machine for six months can hand off access to a major ransomware group. He also breaks down how access brokers assess victim maturity, insurance policy status, and organizational structure to decide whether ransomware or BEC delivers the better return, a calculation that has nothing to do with CVSS scores.


Topics discussed:

  • Why SMBs face structurally different attacks than enterprises, not scaled-down versions
  • Akira's volume-over-value model: ransoms in the $50K-$150K range, thousands of targets, below the threshold that attracts law enforcement attention
  • Unpatched MSP tooling as a lateral movement vehicle the victim never sees coming
  • How a low-tier threat actor's own machine was infected with an info stealer, exposing the 6-7 month timeline between initial access and ransomware deployment
  • How access brokers assess victim maturity, insurance coverage, and org structure to choose between ransomware and BEC for maximum ROI
  • Why criminal exploitability outweighs published vulnerability severity as a patching signal
  • How cyber insurance claims data gives CTI teams visibility into active exploitation before it surfaces publicly

Key Takeaways:

  • Stop treating SMB ransomware exposure as a scaled-down version of enterprise risk. The attack methods, economics, and entry points are structurally different, and your defenses need to reflect that.
  • Track SSL VPN brute forcing campaigns specifically. Groups like Akira have optimized their brute-forcing tooling to run unattended and return thousands of valid credentials from organizations with no account lockout policies.
  • Enforce account lockout policies and MFA on every remote access entry point. These aren't advanced controls. They're what separates organizations that get hit from those that don't at the SMB level.
  • Audit your MSP's patch posture as part of your own risk assessment. If your MSP is running unpatched tooling, your organization inherits that exposure whether you know about it or not.
  • Integrate info stealer log analysis into your detection pipeline. A low-tier threat actor's infected machine can expose a 6-7 month old foothold and reveal exactly how a major ransomware group obtained initial access.
  • Understand that access brokers are evaluating your organization's maturity, insurance status, and whether you're centralized or decentralized before deciding whether to hit you with ransomware or BEC. Your structural profile affects how you get targeted.
  • Replace CVSS as your primary patching prioritization signal. What access brokers actually care about is ease of exploitation combined with the number of available targets, and your patching sequence should mirror that logic.
  • Use post-claim incident response data to validate and calibrate your pre-claim detection signals. Insurance claims data provides visibility into what is actively being exploited in the wild before it reaches the news cycle.
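The SSL VPN brute-forcing takeaway above, as an added example that is not part of the episode or the speaker's material: a small Python detector run over constructed, syslog-style VPN authentication lines. The log format, source IPs and usernames are assumptions for illustration, not any vendor's real schema. It groups failed logins by source address inside a sliding time window, reports how many distinct accounts were tried (the signature of spraying), and flags any successful login from the same source after the burst began, which is the valid credential the campaign exists to harvest.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed syslog-like format, not a real vendor schema).
# 203.0.113.10 sprays six accounts in six seconds and lands one valid credential;
# 198.51.100.7 is a user who mistyped a password once and then logged in.
SAMPLE_LOG = """\
2024-03-01T02:00:01Z sslvpn auth FAIL src=203.0.113.10 user=alice
2024-03-01T02:00:02Z sslvpn auth FAIL src=203.0.113.10 user=bob
2024-03-01T02:00:03Z sslvpn auth FAIL src=203.0.113.10 user=carol
2024-03-01T02:00:04Z sslvpn auth FAIL src=203.0.113.10 user=dave
2024-03-01T02:00:05Z sslvpn auth FAIL src=203.0.113.10 user=erin
2024-03-01T02:00:06Z sslvpn auth FAIL src=203.0.113.10 user=frank
2024-03-01T02:00:07Z sslvpn auth OK src=203.0.113.10 user=frank
2024-03-01T02:10:00Z sslvpn auth FAIL src=198.51.100.7 user=alice
2024-03-01T02:30:00Z sslvpn auth OK src=198.51.100.7 user=alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sslvpn auth (?P<result>OK|FAIL) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse(log_text):
    """Return a list of (timestamp, result, src_ip, user) tuples; skip unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["src"], m["user"]))
    return events


def detect_bruteforce(events, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Flag source IPs with >= min_failures failed logins inside one sliding window.

    Per-source aggregation matters because spraying (one or two tries per account
    across many accounts) never trips a per-account lockout counter.
    """
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[2]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        best = None  # largest burst of failures that fits inside one window
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            burst = fails[start:end + 1]
            if len(burst) >= min_failures and (best is None or len(burst) > len(best)):
                best = burst
        if best is None:
            continue
        users = sorted({e[3] for e in best})
        # A successful login from the same source after the burst began is the
        # harvested credential; that account needs a reset and session review.
        succeeded = sorted({e[3] for e in evs if e[1] == "OK" and e[0] >= best[0][0]})
        alerts[src] = {
            "failures": len(best),
            "users": users,
            "spray": len(users) >= min_users,  # many accounts, few tries each
            "success_after_burst": succeeded,
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(src, info)
```

Two caveats for anyone adapting this. First, an account lockout policy is a per-user counter; it stops a single account being hammered but does nothing against a spray that tries each account once, so the per-source view above (or a VPN-wide failure rate) has to exist alongside it. Second, campaigns that rotate source addresses will fall under any single-source threshold, so the same grouping is worth running keyed on the target username set and on the time of day as well.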
