AKIRA

Akira ransomware operations began in March 2023, gaining attention for the ‘retro aesthetic’ of their Data Leak Site (DLS) and communications. The actors behind Akira employ multi-extortion tactics and host a Tor-based (.onion) website on which they list victims and publish stolen data if ransom demands are not met. Victims are directed to contact the attackers via this Tor portal, using a unique identifier from the ransom note to start negotiations. The group is notorious for demanding high ransom payments, often reaching hundreds of millions of dollars.

Initial access
Akira threat actors gain initial access by exploiting public-facing services or applications, often targeting weaknesses in multi-factor authentication (MFA) and known VPN vulnerabilities, particularly those in Cisco products. Other methods include spear phishing and abusing valid credentials.

Persistence and discovery
Once inside a network, Akira actors create new domain accounts to maintain persistence and use credential-dumping tools such as Mimikatz and LaZagne to escalate privileges. They use Advanced IP Scanner and net commands for network reconnaissance and domain trust discovery.

Defense evasion
Akira actors disable security software using techniques such as Bring Your Own Vulnerable Driver (BYOVD) attacks. They deploy distinct ransomware variants, including a Windows-specific variant called “Megazord” and a Linux variant targeting VMware ESXi virtual machines.

Exfiltration and impact
Akira actors use tools like FileZilla, WinRAR, WinSCP, and RClone to exfiltrate data. They establish command and control channels through tools like AnyDesk, MobaXterm, RustDesk, Ngrok, and Cloudflare Tunnel. The group uses a double-extortion model, encrypting systems after exfiltrating data and threatening to publish stolen data on the Tor network if ransoms are not paid.

Encryption
Akira employs a hybrid encryption scheme combining ChaCha20 and RSA algorithms for fast and secure data locking. Encrypted files are marked with extensions such as .akira or .powerranges. The ransomware uses PowerShell commands to delete volume shadow copies on Windows systems, making recovery difficult.

Indicators of compromise (IOCs)
Investigations by the FBI, CISA, EC3, and NCSC-NL have identified several IOCs related to Akira ransomware:

  • File Names: w.exe, Win.exe, AnyDesk.exe, Gcapi.dll, Sysmon.exe, Config.yml, Rclone.exe, Winscp.rnd, WinSCP-6.1.2-Setup.exe, Akira_v2, Megazord
  • Hashes: Specific SHA-256 and MD5 hashes for malicious files affiliated with Akira.
  • Commands: Specific commands used by Akira actors for persistence, discovery, and credential access, such as nltest, net group, and PowerShell commands.
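As an added example (not code from the advisory or from this page), the following Python triage routine applies the file-name IOCs listed above and the named discovery and impact commands (nltest, net group, PowerShell shadow copy deletion) to process-creation events. The sample events, host names and the vssadmin variant of shadow copy deletion are assumptions constructed for illustration.

```python
import re

# Constructed sample of Windows process-creation events (Sysmon Event ID 1 / Security 4688 fields), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /dclist:corp.local"},
    {"host": "WS01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "SRV02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"},
    {"host": "SRV02", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone copy D:\Finance remote:bucket"},
    {"host": "WS03", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r"EXCEL.EXE C:\Users\alice\q3.xlsx"},
]

# File names from the advisory's IOC list, compared case-insensitively against the image
# basename. Several are legitimate tools (AnyDesk.exe, Sysmon.exe): a hit is a lead, not a verdict.
AKIRA_FILE_NAMES = {
    "w.exe", "win.exe", "anydesk.exe", "gcapi.dll", "sysmon.exe", "config.yml",
    "rclone.exe", "winscp.rnd", "winscp-6.1.2-setup.exe", "akira_v2", "megazord",
}

# Command-line patterns for the discovery and impact behaviour described in the text.
COMMAND_RULES = [
    ("domain_trust_discovery", re.compile(r"\bnltest(\.exe)?\s+/(dclist|domain_trusts)", re.I)),
    ("privileged_group_enum", re.compile(r'\bnet1?(\.exe)?\s+group\b.*"?domain admins"?', re.I)),
    ("shadow_copy_deletion", re.compile(r"win32_shadowcopy.*remove-wmiobject|vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
]


def triage_event(event: dict) -> list[str]:
    """Return the rule names a single process-creation event matches (empty if none)."""
    hits = []
    basename = event["image"].rsplit("\\", 1)[-1].lower()
    if basename in AKIRA_FILE_NAMES:
        hits.append(f"ioc_filename:{basename}")
    for name, pattern in COMMAND_RULES:
        if pattern.search(event["cmdline"]):
            hits.append(name)
    return hits


def triage_events(events: list[dict]) -> dict[str, list[str]]:
    """Group unique rule hits by host; hosts with no hits are omitted."""
    findings = {}
    for event in events:
        hits = triage_event(event)
        if hits:
            findings.setdefault(event["host"], set()).update(hits)
    return {host: sorted(hits) for host, hits in findings.items()}
```

Hosts that combine a file-name hit with a discovery or shadow-copy rule (SRV02 in the sample) deserve priority over a lone file-name match, since several listed names are also shipped by legitimate software.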

Tools leveraged by Akira actors

  • AdFind
    Queries Active Directory.
  • Advanced IP Scanner
    Scans network devices.
  • AnyDesk
    Remote access software.
  • LaZagne
    Password recovery tool.
  • PCHunter64
    Acquires system information.
  • Mimikatz
    Dumps authentication credentials.
  • Ngrok
    Creates secure tunnels.
  • RClone
    Syncs files with cloud storage.
  • SoftPerfect
    Network scanner.
  • WinRAR
    Compresses files for exfiltration.
  • WinSCP
    Transfers data over networks.

Recommendations
Organizations should implement the following strategies to mitigate the impact of Akira ransomware:

  1. Apply Patches
    Regularly update software to patch known vulnerabilities, especially in VPNs and other public-facing applications.
  2. Enhance MFA
    Ensure robust multi-factor authentication is in place for all remote access points.
  3. Limit Privileges
    Restrict administrative privileges and use the principle of least privilege for all accounts.
  4. Regular Backups
    Maintain up-to-date backups and store them offline to prevent ransomware encryption.
  5. Network Segmentation
    Segment networks to limit lateral movement and contain potential breaches.
  6. Monitor and Respond
    Utilize advanced monitoring tools like SentinelOne Singularity XDR to detect and stop malicious activities related to Akira ransomware.

Conclusion
Akira ransomware represents a significant threat to organizations across various industries due to its sophisticated tactics and high ransom demands. By understanding its methods and implementing robust security measures, organizations can reduce the risk of infection and mitigate the impact of potential attacks. For detailed IOCs and further guidance, visit stopransomware.gov and refer to the full advisory from the FBI, CISA, EC3, and NCSC-NL.