executive summary

During the spring of 2023, Avertium's Cyber Threat Intelligence team published a Threat Intelligence Report, shedding light on lesser-known ransomware groups that had largely eluded media attention. Among these was Akira, a relatively new group in the ransomware space.

The group predominantly set its sights on small and medium-sized businesses, issuing ransom demands ranging from $50,000 to $500,000. Using an array of strategies, including phishing emails and exploiting unpatched software vulnerabilities, they gained access to their victims' systems.

By the spring of 2024, Akira had gained significant attention: according to the joint advisory discussed below, the group collected approximately $42 million in ransom payments and breached more than 250 organizations across North America, Europe, and Australia between its emergence in March 2023 and January 2024. With evolved tactics and a broader target set, this report reviews Akira's recent activity and offers recommendations on how organizations can defend themselves against this threat actor.

tir snapshot

  • In March 2023, the Akira ransomware group, then a relatively new player in the ransomware market, claimed responsibility for three attacks.
    • The victims included 4LEAF, an American engineering consultancy business; Park-Rite, a U.S.-based packaging materials manufacturer; and Family Day Care Services, a Canadian childcare service.
  • Akira seemed to be targeting small and medium-sized businesses, with ransom demands ranging from $50,000 to $500,000. Some of the stolen data had already been sold on the dark web.
  • Akira utilized various tactics to gain access to their victims' systems, including phishing emails and exploiting unpatched vulnerabilities in software. They also used remote desktop protocol (RDP) brute force attacks to infiltrate networks.
  • In spring 2024, the FBI, CISA, EC3, and NCSC-NL released a joint advisory regarding Akira ransomware, which has affected numerous businesses and critical infrastructure entities across North America, Europe, and Australia since March 2023. Particularly noteworthy is Akira's expansion to target VMware ESXi virtual machines with a Linux variant, following its initial focus on Windows systems.
  • Linux variants of Akira ransomware have been publicly reported since June 2023, with activity dating back to April 2023.
    • The ransomware is typically introduced through the exploitation of vulnerable services and applications that are accessible to the public.
  • Earlier versions of the Akira ransomware, coded in C++, encrypted files with a .akira extension. However, starting from August 2023, certain Akira attacks began deploying Megazord, a Rust-based code encrypting files with a .powerranges extension.
  • Akira has clearly shifted their focus from solely targeting Windows systems. They have now expanded their scope to target Linux systems and virtual machines with a custom payload, marking a significant departure from their previous activities.
  • To safeguard against Akira ransomware attacks, administrators must take proactive measures to fortify their systems and networks.


akira ransomware 2023

Image 1: Akira's Leak Site

In March 2023, the Akira ransomware group, then a relatively new player in the ransomware market, claimed responsibility for three attacks. The victims included 4LEAF, an American engineering consultancy; Park-Rite, a U.S.-based packaging materials manufacturer; and Family Day Care Services, a Canadian childcare service.

Akira listed the names of the three victims on its leak site, threatening to release company records if they refused to pay a ransom. BridgeValley Community and Technical College also became an Akira victim and was added to the leak site on May 1, 2023. The college acknowledged the ransomware attack, which had caused a network outage on April 4, 2023.

The very first victim listed on Akira’s leak site was a UK-based architecture firm, from which Akira claimed to have stolen more than 11 GB of data. The second victim was a U.S.-based IT services company, facing a ransom demand of $100,000, while the third victim was a European pharmaceutical company, with a ransom demand of $50,000. Akira seemed to be targeting small and medium-sized businesses, with ransom demands ranging from $50,000 to $500,000. Some of the stolen data had already been sold on the dark web.

Akira utilized various tactics to gain access to their victims' systems, including phishing emails and exploiting unpatched vulnerabilities in software. They also used remote desktop protocol (RDP) brute force attacks to infiltrate networks.


akira ransomware 2024

In the spring of 2024, the United States’ Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) issued a joint advisory concerning Akira.

Since March 2023, Akira has had a significant impact on various businesses and critical infrastructure entities across North America, Europe, and Australia. Notably, in April 2023, after initially focusing on Windows systems, Akira threat actors introduced a Linux variant targeting VMware ESXi virtual machines. The group has attacked organizations within the financial, manufacturing, real estate, healthcare, and educational sectors.


Image 2: Victim Country Distribution (Source: Trellix)

Linux variants of Akira ransomware have been publicly reported since June 2023, with activity dating back to April 2023. The ransomware is typically introduced by exploiting vulnerable, internet-facing services and applications. The group also has a history of abusing weak or absent multi-factor authentication: the joint advisory notes that initial access is most often obtained through VPN services that have no MFA configured.


TACTICS AND TECHNIQUES

Earlier versions of Akira ransomware, coded in C++, encrypted files with a .akira extension. However, starting from August 2023, certain Akira attacks began deploying Megazord, a Rust-based code encrypting files with a .powerranges extension. Akira threat actors have consistently utilized both Megazord and Akira, including Akira_v2, interchangeably.

After gaining initial access, Akira threat actors establish persistence by abusing domain controller functions, typically by creating new domain accounts; the FBI has observed the group creating an administrative account named "itadm". They then use post-exploitation techniques such as Kerberoasting (requesting Kerberos service tickets for accounts that carry service principal names and cracking those tickets offline) and dumping credentials from the process memory of the Local Security Authority Subsystem Service (LSASS).

Credential scraping tools such as Mimikatz and LaZagne aid in privilege escalation. For reconnaissance, Akira actors frequently use SoftPerfect Network Scanner and Advanced IP Scanner for network device discovery, and built-in Windows commands to identify domain controllers and gather information on domain trust relationships.

Akira has been observed deploying two distinct ransomware variants against different system architectures within the same attack, a shift from its earlier operations: the Windows-specific Megazord encryptor is deployed alongside a second payload, the Akira_v2 ESXi encryptor. To enable lateral movement, Akira also disables security software, for example by using PowerTool to abuse a vulnerable driver and terminate antivirus processes.

For exfiltration, Akira actors use FileZilla, WinRAR, WinSCP, and RClone, moving data over FTP, SFTP, and cloud storage services; for command and control they rely on AnyDesk, MobaXterm, RustDesk, Ngrok, and Cloudflare Tunnel. The group follows a double-extortion model, encrypting systems only after data has been exfiltrated. The ransom note provides a unique code and instructions for contacting the group via a .onion URL; the actors threaten to publish stolen data on the Tor network and have contacted victim companies directly.

For encryption, Akira uses a hybrid scheme: file contents are encrypted with the ChaCha20 stream cipher and the symmetric keys are protected with an RSA public key, so files cannot be recovered without the actors' private key. Encrypted files carry a .akira or .powerranges extension, and the encryptor deletes volume shadow copies using PowerShell commands to hinder recovery. The upgraded Akira_v2 encryptor, written in Rust, adds functionality such as control over the number of CPU cores used and Build ID protection. It may append "akiranew" as the file extension and drop "akiranew.txt" as the ransom note after encryption.
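As an added example (not code from Avertium, CISA, or the Akira actors), the following Python script runs simple detection rules over a handful of constructed Windows Security and Sysmon-style events for the behaviours described in this section: creation of a domain account named itadm, repeated RC4 service-ticket requests characteristic of Kerberoasting, execution of tools named in the report (nltest, PowerTool, RClone and the others listed above), and the PowerShell shadow-copy deletion. The event field names, hostnames, user names, binary names such as netscan.exe for SoftPerfect Network Scanner, and the alert thresholds are assumptions made for the example.

```python
"""
Detection logic for the Akira TTPs described above, run over constructed
Windows Security / Sysmon-style telemetry. Added example; not Avertium, CISA
or Akira code. Field names, hosts, users, binary names and thresholds are
assumptions made for the example.
"""
import json
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample telemetry as JSON lines. event_id 4720 = account created,
# 4769 = Kerberos service ticket requested, 1 = Sysmon process creation.
SAMPLE_EVENTS = r"""
{"ts":"2024-04-02T01:12:03Z","host":"DC01","event_id":4720,"user":"jsmith","target":"itadm"}
{"ts":"2024-04-02T01:13:40Z","host":"DC01","event_id":4769,"user":"itadm","service":"MSSQLSvc","enc_type":"0x17"}
{"ts":"2024-04-02T01:13:41Z","host":"DC01","event_id":4769,"user":"itadm","service":"http-svc","enc_type":"0x17"}
{"ts":"2024-04-02T01:13:42Z","host":"DC01","event_id":4769,"user":"itadm","service":"krbtgt","enc_type":"0x12"}
{"ts":"2024-04-02T01:20:11Z","host":"WS17","event_id":1,"user":"itadm","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c nltest /dclist:corp.local"}
{"ts":"2024-04-02T01:22:05Z","host":"WS17","event_id":1,"user":"itadm","image":"C:\\Users\\Public\\PowerTool.exe","cmdline":"PowerTool.exe"}
{"ts":"2024-04-02T02:01:00Z","host":"FS02","event_id":1,"user":"itadm","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -Command \"Get-WmiObject Win32_Shadowcopy | Remove-WmiObject\""}
{"ts":"2024-04-02T02:05:30Z","host":"FS02","event_id":1,"user":"itadm","image":"C:\\Users\\Public\\rclone.exe","cmdline":"rclone.exe copy D:\\Finance remote:dump --transfers 8"}
{"ts":"2024-04-02T09:00:00Z","host":"WS03","event_id":1,"user":"asmith","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe notes.txt"}
"""


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    detail: str


# Account name the FBI reports Akira creating for persistence.
SUSPECT_ACCOUNT_NAMES = {"itadm"}

# Tools named in the report, keyed by the tactic they serve. Matching is a
# case-insensitive substring check over image path plus command line. The
# binary names (e.g. netscan for SoftPerfect Network Scanner) are assumptions.
TOOLING = {
    "credential_access": ("mimikatz", "lazagne"),
    "discovery": ("advanced_ip_scanner", "netscan", "nltest", "net group", "net user"),
    "defense_evasion": ("powertool",),
    "exfiltration": ("rclone", "winscp", "filezilla", "winrar"),
    "command_and_control": ("anydesk", "mobaxterm", "rustdesk", "ngrok", "cloudflared"),
}

# Shadow-copy deletion: the WMI one-liner seen in Akira intrusions, plus the
# classic vssadmin form.
VSS_DELETE = re.compile(r"win32_shadowcopy.*remove-wmiobject|vssadmin.*delete\s+shadows", re.I)

# Kerberoasting heuristic: RC4-HMAC (0x17) service-ticket requests for
# non-krbtgt, non-machine SPNs from one user. Threshold of 2 is for the example.
RC4_TGS_THRESHOLD = 2


def detect(events_jsonl: str) -> list[Alert]:
    """Run the rules over JSON-lines telemetry and return the alerts raised."""
    alerts: list[Alert] = []
    rc4_requests: Counter = Counter()  # (host, user) -> RC4 TGS request count

    for line in events_jsonl.strip().splitlines():
        ev = json.loads(line)
        host, user, eid = ev["host"], ev.get("user", ""), ev["event_id"]

        if eid == 4720:  # new account created on a domain controller
            name = ev["target"].lower()
            sev = "high" if name in SUSPECT_ACCOUNT_NAMES else "review"
            alerts.append(Alert("persistence.new_domain_account", host, user, f"{name} [{sev}]"))

        elif eid == 4769:  # service ticket request; count RC4 ones per user
            svc = ev.get("service", "")
            if ev.get("enc_type") == "0x17" and not svc.lower().startswith("krbtgt") and not svc.endswith("$"):
                rc4_requests[(host, user)] += 1

        elif eid == 1:  # process creation
            text = f"{ev.get('image', '')} {ev.get('cmdline', '')}".lower()
            if VSS_DELETE.search(text):
                alerts.append(Alert("impact.shadow_copy_deletion", host, user, ev["cmdline"]))
            for tactic, names in TOOLING.items():
                hit = next((n for n in names if n in text), None)
                if hit:
                    alerts.append(Alert(f"{tactic}.{hit.replace(' ', '_')}", host, user, ev["cmdline"]))

    for (host, user), n in rc4_requests.items():
        if n >= RC4_TGS_THRESHOLD:
            alerts.append(Alert("credential_access.kerberoasting", host, user, f"{n} RC4 service-ticket requests"))
    return alerts


def summarize(alerts: list[Alert]) -> dict[str, int]:
    """Count alerts per rule name (useful for assertions and dashboards)."""
    return dict(Counter(a.rule for a in alerts))


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.rule:<36} {a.host:<5} {a.user:<7} {a.detail}")
```

Running the script prints six alerts for the constructed data (the benign notepad launch by asmith raises none). In production the RC4 threshold, the tool list, and the account-name check should be tuned to the environment; the value of the Kerberoasting rule in particular depends on RC4 being rare for service tickets in the domain.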

Akira has clearly shifted away from targeting Windows systems alone. Since 2023, the group has expanded its scope to Linux systems and virtual machines with a custom payload, a significant departure from its earlier, Windows-only activity.


DEFENSE

To safeguard against Akira ransomware attacks, administrators must take proactive measures to fortify their systems and networks. Below are recommended actions:

  • Conduct a comprehensive security audit of virtual environments and implement robust access controls, including restricting administrative privileges and enforcing strong, unique passwords.

  • Regularly update and patch ESXi servers to the latest versions provided by VMware to address known vulnerabilities.

  • Maintain multiple copies of sensitive data and servers in a physically separate, segmented, and secure location to facilitate recovery in case of an attack.

  • Ensure compliance with NIST’s password standards, requiring long passwords and considering the elimination of recurring password changes.

  • Implement multifactor authentication for all services, particularly for critical systems and webmail.

  • Keep all operating systems, software, and firmware up to date with timely patching, prioritizing known exploited vulnerabilities.

  • Segment networks to prevent ransomware spread, controlling traffic flows between subnetworks and restricting lateral movement.

  • Utilize network monitoring tools to identify and investigate abnormal activity and potential ransomware traversal.

  • Filter network traffic to prevent unknown or untrusted origins from accessing remote services on internal systems.

  • Install, update, and enable real-time detection for antivirus software on all hosts.

  • Regularly review domain controllers, servers, workstations, and active directories for new or unrecognized accounts.

  • Audit user accounts with administrative privileges and configure access controls based on the principle of least privilege.

  • Disable unused ports, consider adding email banners for external emails, and disable hyperlinks in received emails.

  • Implement time-based access for admin-level accounts using Just-in-Time (JIT) access methods.

  • Restrict command-line and scripting activities and permissions where they are not needed (for example through application control) to impede privilege escalation and lateral movement.

  • Maintain offline backups that are encrypted and immutable, covering the entire organization's data infrastructure, to ensure resilience against attacks.


CONCLUSION

The insights shared here expose the dynamic strategies and methods used by the Akira ransomware group. Their pivot towards targeting Linux systems, coupled with their ongoing utilization of Windows-specific tactics, highlights their adaptive nature in exploiting vulnerabilities across diverse operating environments.

Collaborative efforts between cybersecurity agencies and independent researchers have provided valuable awareness of Akira's operational patterns, emphasizing the need for proactive defense measures and robust cybersecurity protocols across organizations. As Akira continues to evolve its tactics and extend its impact, it becomes increasingly important for organizations to remain vigilant and fortified against emerging threats like Akira.


How Avertium is Protecting Our Customers

It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Look at some of the services Avertium offers that keep organizations like yours safe from threat actors like Akira:

  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:
    • Risk Assessments
    • Pen Testing and Social Engineering
    • Infrastructure Architecture and Integration
    • Zero Trust Network Architecture
    • Vulnerability Management
  • It is also recommended by Avertium and the FBI that your business require multi-factor authentication (MFA) to remotely access networks.
    • Implementing network segmentation and filtering network traffic to stop phishing emails from reaching victims is also helpful.
  • Reach out to your Service Delivery Manager or Account Executive if you need assistance applying any of the above recommendations.


INDICATORS OF COMPROMISE 

MD5

  • 0f7b6bb3a239cf7a668a8625e6332639
  • 37e172be64b12f3207300d11b74656b8
  • 74874922171b67bb181c0ce087744fa7
  • 74d5d4e9a556a6170f19893e7ffdeffa
  • 7a647af3c112ad805296a22b2a276e7c
  • a18d79e94229fdf02ef091cf974ed546
  • e2eadf60d8f25cae9b29decab461177b
  • e9fda12cfcceffd2e6a19c39dcb01b1e

SHA1

  • 1895d7c4f785f92e48b5191fd812822593cbc73f
  • 2ea20c54564d2550d08c6f9ff5d0560c627f3718
  • 5263a135f09185aa44f6b73d2f8160f56779706d
  • 73ee462cb96f4857f9f5bbdc4cada5800f2b8932
  • 9cdf137e3f2493c9e141d5ec05f890e32b9b4e87
  • ae007dba80a0fc03e44a22db3f4e53ed854b4b38
  • cecc54143cc375af1b9aed0021643b179574e592
  • f8425e27fb5340b4d50bdee1800dcc428a7d388f

SHA256

  • 0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d
  • 131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07
  • 18051333e658c4816ff3576a2e9d97fe2a1196ac0ea5ed9ba386c46defafdb88
  • 1b60097bf1ccb15a952e5bcc3522cf5c162da68c381a76abc2d5985659e4d386
  • 20739e8fc050187af013e2499718895e4c980699ccaf046b2f96b12497e61959
  • 3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75
  • 5e1e3bf6999126ae4aa52146280fdb913912632e8bac4f54e98c58821a307d32
  • 7d6959bb7a9482e1caa83b16ee01103d982d47c70c72fdd03708e2b7f4c552c4
  • 7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be
  • 8317ff6416af8ab6eb35df3529689671a700fdb61a5e6436f4d6ea8ee002d694
  • 892405573aa34dfc49b37e4c35b655543e88ec1c5e8ffb27ab8d1bbf90fc6ae0
  • 9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065
  • aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d
  • aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9
  • bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138
  • d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca
  • dcfa2800754e5722acf94987bb03e814edcb9acebda37df6da1987bf48e5b05e
  • ffd9f58e5fe8502249c67cad0123ceeeaa6e9f69b4ec9f9e21511809849eb8fc

For detailed indicators, please see the following links:

  1. Akira Indicators
  2. Akira Indicators


MITRE MAP

Image 3: Akira Ransomware MITRE Map



Supporting Documentation

Akira Virus Ransomware [.akira Files] Remove + Restore (sensorstechforum.com)

Akira Ransomware Removal Report (enigmasoftware.com)

#StopRansomware: Akira Ransomware (cisa.gov)

Akira ransomware now targets Linux (dxc.com)

Joint Advisory: Akira Ransomware Gang Earned $42 Million in 2023 After Breaching 250 Victims - CPO Magazine

Akira ransomware targets VMware ESXi servers (quorumcyber.com)

From Conti to Akira | Decoding the Latest Linux & ESXi Ransomware Families (sentinelone.com)

Akira, again: The ransomware that keeps on taking – Sophos News

Ransomware - Akira and Rapture (avertium.com)

Cracking Akira Ransomware: Prevention and Analysis by TTPs (morphisec.com)

Ransomware Roundup - Akira | FortiGuard Labs (fortinet.com)

Akira Ransomware (trellix.com)

#StopRansomware: Akira Ransomware - AlienVault - Open Threat Exchange

Akira takes in $42 million in ransom payments, now targets Linux servers | SC Media (scmagazine.com)


APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
