During the spring of 2023, Avertium's Cyber Threat Intelligence team published a Threat Intelligence Report, shedding light on lesser-known ransomware groups that had largely eluded media attention. Among these was Akira, a relatively new group in the ransomware space.
The group predominantly set its sights on small and medium-sized businesses, issuing ransom demands ranging from $50,000 to $500,000. Using an array of strategies, including phishing emails and exploiting unpatched software vulnerabilities, they gained access to their victims' systems.
By the spring of 2024, Akira had gained significant attention, earning around $42 million in ransom payments. The group breached over 250 entities across three continents between March 2023, when it emerged, and January 2024. With evolved tactics and an expanded scope, let’s look at Akira's recent activities, as well as recommendations on how organizations can defend themselves against this threat actor.
Image 1: Akira's Leak Site
In 2023, the Akira ransomware group, then a relatively new player in the ransomware market, claimed responsibility for three attacks during March 2023. The victims included 4LEAF, an American engineering consultancy business; Park-Rite, a U.S.-based packaging materials manufacturer; and Family Day Care Services, a Canadian childcare service.
Akira listed the names of the three victims on their leak site, threatening to release company records if they refused to pay a ransom. BridgeValley Community and Technical College also became an Akira victim and was added to the group’s shame site on May 1, 2023. The college acknowledged the ransomware attack, which caused a network outage on April 4.
The very first victim listed on Akira’s leak site was a UK-based architecture firm, from which Akira claimed to have stolen more than 11 GB of data. The second victim was a U.S.-based IT services company, facing a ransom demand of $100,000, while the third victim was a European pharmaceutical company, with a ransom demand of $50,000. Akira seemed to be targeting small and medium-sized businesses, with ransom demands ranging from $50,000 to $500,000. Some of the stolen data had already been sold on the dark web.
Akira utilized various tactics to gain access to their victims' systems, including phishing emails and exploiting unpatched vulnerabilities in software. They also used remote desktop protocol (RDP) brute force attacks to infiltrate networks.
In the spring of 2024, the United States’ Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) issued a joint advisory concerning Akira.
Since March 2023, Akira has had a significant impact on various businesses and critical infrastructure entities across North America, Europe, and Australia. Notably, in April 2023, after initially focusing on Windows systems, Akira threat actors introduced a Linux variant targeting VMware ESXi virtual machines. The group has attacked organizations within the financial, manufacturing, real estate, healthcare, and educational sectors.
Image 2: Victim Country Distribution
Source: Trellix
Linux versions of Akira ransomware have been detected since June 2023. The ransomware is typically introduced through the exploitation of vulnerable services and applications that are accessible to the public. Additionally, the group has a history of exploiting weaknesses in multi-factor authentication systems or taking advantage of their absence.
Earlier versions of Akira ransomware, coded in C++, encrypted files with a .akira extension. However, starting in August 2023, certain Akira attacks began deploying Megazord, Rust-based code that encrypts files with a .powerranges extension. Akira threat actors have consistently used both Megazord and Akira, including Akira_v2, interchangeably.
After gaining initial access, Akira threat actors try to establish persistence by exploiting domain controllers, often creating new domain accounts for this purpose. Notably, the FBI has observed instances where Akira creates an administrative account named "itadm". Additionally, they use post-exploitation techniques like Kerberoasting to extract credentials from the memory of the Local Security Authority Subsystem Service (LSASS).
Credential scraping tools such as Mimikatz and LaZagne aid in privilege escalation. For reconnaissance, Akira actors frequently use tools like SoftPerfect and Advanced IP Scanner for network device discovery and Windows commands to identify domain controllers and gather information on domain trust relationships.
In a departure from their earlier methods, Akira has deployed two ransomware variants simultaneously during attacks: the Windows-specific "Megazord" ransomware alongside a second payload, the Akira_v2 ESXi encryptor. Additionally, Akira disables security software to facilitate lateral movement, using tools like PowerTool to exploit vulnerabilities and terminate antivirus processes.
For exfiltration and impact, Akira actors use tools such as FileZilla, WinRAR, WinSCP, and RClone to move data out, while establishing command and control channels through AnyDesk, MobaXterm, RustDesk, Ngrok, and Cloudflare Tunnel. They use FTP, SFTP, and cloud storage services for exfiltration and follow a double-extortion model, encrypting systems after the data has been exfiltrated. The ransomware group provides unique codes and instructions via a .onion URL, threatening to publish data on the Tor network and even contacting victim companies directly.
In terms of encryption, Akira uses a hybrid encryption scheme combining ChaCha20 with the RSA public-key cryptosystem. Encrypted files have .akira or .powerranges extensions, and the encryptor deletes volume shadow copies using PowerShell commands. The upgraded Akira_v2 encryptor, written in Rust, offers additional functionality such as CPU core control and Build ID protection. It may append "akiranew" as a file extension or drop "akiranew.txt" as a ransom note after encryption.
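The host-level indicators described above (the "itadm" account creation and its elevation, shadow copy deletion from PowerShell, and the .akira/.powerranges/.akiranew artifacts) can be turned into simple detection rules. The following is an added example, not Avertium's code or tooling: it runs over constructed, simplified event records modelled on Windows Security, PowerShell Operational and Sysmon fields, and the shadow-copy regex is our assumption rather than a pattern taken from the report.

```python
"""Toy detector for the Akira host indicators the report describes (added example,
not Avertium's code). Events are simplified dicts modelled on Windows Security,
PowerShell Operational and Sysmon fields; all samples are constructed."""
import re

# Extensions and ransom-note name the report attributes to Akira/Megazord/Akira_v2.
AKIRA_EXTENSIONS = (".akira", ".powerranges", ".akiranew")
RANSOM_NOTE = "akiranew.txt"
# Administrative account name the FBI observed Akira creating (from the report).
SUSPECT_ACCOUNTS = {"itadm"}
ADMIN_GROUPS = {"Domain Admins", "Administrators"}
# Assumption: shadow copies removed via WMI or vssadmin from PowerShell (our pattern).
SHADOW_DELETE = re.compile(r"win32_shadowcopy.*remove-wmiobject|vssadmin.*delete\s+shadows", re.I)

def detect(events):
    """Return (rule, detail) hits, in stream order, over event dicts."""
    hits = []
    created = set()  # accounts created earlier in the stream (Event ID 4720)
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4720:  # Security: user account created
            name = ev["TargetUserName"]
            created.add(name.lower())
            if name.lower() in SUSPECT_ACCOUNTS:
                hits.append(("akira_known_account", name))
        elif eid in (4728, 4732):  # Security: member added to global/local group
            if ev["TargetGroup"] in ADMIN_GROUPS and ev["MemberName"].lower() in created:
                hits.append(("new_account_to_admin_group", f"{ev['MemberName']} -> {ev['TargetGroup']}"))
        elif eid == 4104:  # PowerShell: script block logging
            if SHADOW_DELETE.search(ev["ScriptBlockText"]):
                hits.append(("shadow_copy_deletion", ev["ScriptBlockText"]))
        elif eid == 11:  # Sysmon: file created
            path = ev["TargetFilename"].lower()
            if path.endswith(AKIRA_EXTENSIONS) or path.endswith(RANSOM_NOTE):
                hits.append(("ransomware_file_artifact", ev["TargetFilename"]))
    return hits

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 4720, "TargetUserName": "itadm"},
    {"EventID": 4728, "TargetGroup": "Domain Admins", "MemberName": "itadm"},
    {"EventID": 4720, "TargetUserName": "svc_backup"},
    {"EventID": 4104, "ScriptBlockText": "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"},
    {"EventID": 4104, "ScriptBlockText": "Get-Process | Sort-Object CPU"},
    {"EventID": 11, "TargetFilename": r"C:\Finance\Q1.xlsx.akira"},
    {"EventID": 11, "TargetFilename": r"C:\Finance\akiranew.txt"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The account-elevation rule only fires when the group addition follows a creation seen in the same stream, which is why an isolated 4728 for an existing account produces no hit.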
Akira has clearly shifted their focus from solely targeting Windows systems. This year, they have expanded their scope to target Linux systems and virtual machines with a custom payload, marking a significant departure from their previous activities.
To safeguard against Akira ransomware attacks, administrators must take proactive measures to fortify their systems and networks. Below are recommended actions:
The insights shared here expose the dynamic strategies and methods used by the Akira ransomware group. Their pivot towards targeting Linux systems, coupled with their ongoing utilization of Windows-specific tactics, highlights their adaptive nature in exploiting vulnerabilities across diverse operating environments.
Collaborative efforts between cybersecurity agencies and independent researchers have provided valuable awareness of Akira's operational patterns, emphasizing the need for proactive defense measures and robust cybersecurity protocols across organizations. As Akira continues to evolve its tactics and extend its impact, it becomes increasingly important for organizations to remain vigilant and fortified against emerging threats like Akira.
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Look at some of the services Avertium offers that keep organizations like yours safe from threat actors like Akira:
For detailed indicators, please see the following links:
Akira Virus Ransomware [.akira Files] Remove + Restore (sensorstechforum.com)
Akira Ransomware Removal Report (enigmasoftware.com)
#StopRansomware: Akira Ransomware (cisa.gov)
Akira ransomware now targets Linux (dxc.com)
Akira ransomware targets VMware ESXi servers (quorumcyber.com)
From Conti to Akira | Decoding the Latest Linux & ESXi Ransomware Families (sentinelone.com)
Akira, again: The ransomware that keeps on taking – Sophos News
Ransomware - Akira and Rapture (avertium.com)
Cracking Akira Ransomware: Prevention and Analysis by TTPs (morphisec.com)
Ransomware Roundup - Akira | FortiGuard Labs (fortinet.com)
Akira Ransomware (trellix.com)
#StopRansomware: Akira Ransomware - AlienVault - Open Threat Exchange
Akira takes in $42 million in ransom payments, now targets Linux servers | SC Media (scmagazine.com)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.