Executive Summary

In March 2023, Avertium published a Threat Intelligence Report featuring 2023’s ransomware group trends. In the report, we detailed the activity of LockBit, BlackCat, Royal, Vice Society, and Medusa. At the time, ransomware activity appeared to be declining with a 12.9% reduction in the yearly rate of publicly reported victims. There was also a significant decline of 41% after December 2022.

Chainalysis revealed that ransom payments related to ransomware attacks are decreasing, with the decline being attributed to the dismantling of major ransomware groups like Conti and HIVE. Despite this trend, ransomware groups are still active, as seen by recent attacks by Clop and LockBit, who exploited a critical vulnerability in PaperCut (CVE-2023-27350 and CVE-2023-27351), as well as Black Basta's breach of Yellow Pages Canada and Medusa's targeting of healthcare organizations. These attacks prove that the security community cannot afford to let their guard down when it comes to ransomware, even during periods of reduced activity.

While it may appear that the same ransomware groups are frequently making headlines, this month has seen activity from two lesser-known ransomware groups that are not currently in the spotlight. Let’s look at the ransomware groups Akira and Rapture, and their recent activity.

 

TIR Snapshot

  • The Akira ransomware group, a relatively new player in the ransomware market, has claimed responsibility for three recent attacks.
  • Akira appears to be focused on targeting small and medium-sized businesses, with ransom demands ranging from $50,000 to $500,000. Some of the data they have stolen from various businesses has already been sold on the dark web.
  • The group uses a variety of tactics to gain access to their victims' systems, including phishing emails and exploiting unpatched vulnerabilities in software.
  • The current version of Akira ransomware doesn't encrypt a wide range of file types. The ransomware appears to target mostly video files in its attacks.
  • Rapture ransomware was initially observed by Trend Micro in March and April 2023. Interestingly, the ransomware has a minimalistic way of targeting victims - using tools that leave a minimal footprint behind.
  • Researchers observed that during the execution of Rapture, a memory dump shows a configuration file for an RSA key, similar to the one used by Paradise ransomware.
  • The ransom note dropped by Rapture has some similarities to Zeppelin ransomware. However, researchers are highly confident that Rapture is not a variant of Zeppelin.
  • Akira may be a new player in the field, but their tactics and ransom demands are similar to other ransomware groups. While Rapture may be difficult to analyze, it is still important to adhere to best practices for dealing with both ransomware groups.

 

 

Akira

The Akira ransomware group, a relatively new player in the ransomware market, has claimed responsibility for three recent attacks. The victims include 4LEAF, an American engineering consultancy business; Park-Rite, a U.S.-based packaging materials manufacturer; and Family Day Care Services, a Canadian childcare service. Akira listed the names of the three victims on their leak site threatening to release company records if they refuse to pay a ransom.

 

Image 1: Akira's Leak Site


Akira’s latest victim is BridgeValley Community and Technical College. The college, which is based in West Virginia, was added to the group’s shame site on May 1, 2023. The college acknowledged the ransomware attack, which caused a network outage on April 4th.

The first victim listed on Akira’s leak site is a UK-based architecture firm, with Akira claiming to have stolen more than 11 GB of data from the company. The second victim is a U.S.-based IT services company, with a ransom demand of $100,000. The third victim is a European pharmaceutical company, with a ransom demand of $50,000.

Akira appears to be focused on targeting small and medium-sized businesses, with ransom demands ranging from $50,000 to $500,000. Some of the data they have stolen from various businesses has already been sold on the dark web. Their first attack was reported in March 2023.

The group uses a variety of tactics to gain access to their victims' systems, including phishing emails and exploiting unpatched vulnerabilities in software. They also have a history of using remote desktop protocol (RDP) brute force attacks to gain access to networks.

Researchers discovered the ransomware Trojan on August 28, 2017, and at that time, it appeared to be in its testing phase. The Trojan is currently being distributed by targeting unprotected websites, with a specific focus on WordPress sites. Once infected, Akira drops one or multiple payload files into the directories listed below:

  • %Local%
  • %Temp%
  • %Windows%
  • %SystemDrive%
  • %LocalLow%
  • %AppData%
  • %System%
  • %system32%

After infection, a ransom note is left before the ransomware creates multiple registry values in Windows, such as entries under the Run and RunOnce keys. The presence of .akira files means that your data has likely been encrypted by Akira ransomware, which also means that the ransomware has singled out files with extensions like:

  • Videos (.mp4, .avi, etc.).
  • Audio (.mp3, .wav, etc.).
  • Picture files (.jpg, .png, etc.).
  • Archive file formats (.zip, .rar, etc).
  • Documents of different types (.docx, .pptx, etc.).
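The Run and RunOnce persistence described above is something a responder can triage from a registry export without touching the live host. The following is an added example written for this report, not Avertium's or any vendor's tooling: it parses `.reg`-style export text, keeps only values under `...\CurrentVersion\Run` and `...\CurrentVersion\RunOnce`, and flags any entry whose command launches from the user-writable drop directories listed earlier (%Temp%, %AppData%, %Local%, %LocalLow%). The sample export, its value names and paths are constructed for the example; which directories count as suspect is an assumption of the triage, and %Windows%/%System%/%system32% are deliberately left out because too many legitimate autoruns live there.

```python
import re
from dataclasses import dataclass
from typing import List

# Matches the autorun keys the report says Akira writes to:
# ...\CurrentVersion\Run and ...\CurrentVersion\RunOnce under any hive.
RUN_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+\\.*\\CurrentVersion\\(Run|RunOnce))\]$", re.I)
# "Name"="data" lines of a .reg export (autorun values are REG_SZ strings)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# User-writable drop directories from the report's list (%Local%, %LocalLow%,
# %AppData%, %Temp%) in expanded or unexpanded form. Assumption of this
# example: %Windows%, %System% and %system32% are not matched because far too
# many legitimate autoruns launch from them; they need a different triage.
SUSPECT_DIR_RE = re.compile(
    r"(%temp%|%tmp%|%appdata%|%localappdata%|\\temp\\|\\appdata\\(roaming|local|locallow)\\)",
    re.I,
)


@dataclass
class AutorunEntry:
    key: str
    name: str
    command: str
    suspicious: bool


def _unescape_reg(data: str) -> str:
    # .reg exports write \\ for a backslash and \" for a double quote
    return re.sub(r"\\(.)", r"\1", data)


def parse_run_entries(reg_export: str) -> List[AutorunEntry]:
    """Return every Run/RunOnce value in a .reg export, flagged when it
    launches from one of the suspect drop directories."""
    entries: List[AutorunEntry] = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            current_key = m.group(1) if m else None  # only track Run/RunOnce keys
            continue
        if current_key is None:
            continue
        v = VALUE_RE.match(line)
        if not v:
            continue
        command = _unescape_reg(v.group(2))
        entries.append(AutorunEntry(current_key, v.group(1), command,
                                    bool(SUSPECT_DIR_RE.search(command))))
    return entries


def suspicious_autoruns(reg_export: str) -> List[str]:
    """Names of the entries whose binary should be collected and hashed."""
    return [e.name for e in parse_run_entries(reg_export) if e.suspicious]


# Constructed sample export: one vendor entry plus two entries launching from
# the report's drop directories. Names and paths are made up for this example.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorAgent"="\"C:\\Program Files\\Vendor\\agent.exe\" /silent"
"WinUpdate"="%TEMP%\\winupd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Users\\alice\\AppData\\LocalLow\\svc.exe -run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo"
'''

if __name__ == "__main__":
    for e in parse_run_entries(SAMPLE_REG_EXPORT):
        flag = "SUSPICIOUS" if e.suspicious else "ok        "
        print(f"{flag} {e.key} :: {e.name} = {e.command}")
```

A flagged entry is a lead, not a verdict: pull the referenced binary, hash it, and compare against the IoC list before acting, since installers for legitimate software also place short-lived RunOnce entries in user profiles.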

Once encryption is complete, the ransomware creates the file types seen in image 2.

 

Image 2: File Types

Source: Sensor Tech Forum

Unlike most ransomware Trojans, the current version of Akira ransomware doesn't encrypt a wide range of file types. As observed above, the ransomware appears to target mostly video files in its attacks. According to the researchers at Enigma Software, this could mean that Akira is either targeting specific platforms that deal with video files or, more likely, the ransomware is still in development. During attacks, Akira uses a combination of AES and RSA encryption to render the victim's files inaccessible. In addition to encrypting victim's files, Akira will also remove the Shadow Volume copies of the files. This is done to prevent users from recovering their files using alternative methods.
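Shadow copy removal is one of the few loud steps in an otherwise quiet intrusion, which makes it a good detection anchor. The block below is an added example written for this report (not Avertium's or Trend Micro's detection content) that runs a simple rule set over process-creation events: it parses constructed `key=value` log lines, and flags the operating-system utilities commonly used to delete Volume Shadow Copies (MITRE ATT&CK T1490). The event format, hostnames, users and timestamps are constructed for the example; the rule list is an assumption and should be extended with whatever your EDR actually records.

```python
import re
from typing import Dict, List, Tuple

# key=value fields; values may be double-quoted to allow spaces (constructed format)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Process image basename plus substrings that must all appear in the lowercased
# command line. Covers the built-in utilities commonly used to remove Volume
# Shadow Copies; a "list" or "query" invocation does not match.
SHADOW_DELETE_RULES: List[Tuple[str, Tuple[str, ...]]] = [
    ("vssadmin.exe", ("delete", "shadows")),
    ("wmic.exe", ("shadowcopy", "delete")),
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one log line into a field dictionary (quoted or bare values)."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}


def is_shadow_copy_deletion(event: Dict[str, str]) -> bool:
    image = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmd = event.get("cmdline", "").lower()
    return any(image == rule_image and all(n in cmd for n in needles)
               for rule_image, needles in SHADOW_DELETE_RULES)


def hunt(lines: List[str]) -> List[Dict[str, str]]:
    """Return the events that match a shadow-copy deletion rule, in log order."""
    events = [parse_event(line) for line in lines if line.strip()]
    return [e for e in events if is_shadow_copy_deletion(e)]


# Constructed process-creation events: an enumeration (benign), a deletion via
# vssadmin, a deletion via WMIC, and an unrelated PowerShell service query.
SAMPLE_EVENTS = r'''
ts=2023-04-04T10:11:58Z host=WS01 user=alice parent=explorer.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"
ts=2023-04-04T10:12:03Z host=WS01 user=alice parent=cmd.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
ts=2023-04-04T10:12:09Z host=WS01 user=alice parent=cmd.exe image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic shadowcopy delete"
ts=2023-04-04T10:12:15Z host=FS02 user=svc_backup parent=services.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -c Get-Service -Name VSS"
'''.strip().splitlines()

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['ts']} {hit['host']} {hit['user']} parent={hit['parent']} :: {hit['cmdline']}")
```

The `parent` field is kept in the output on purpose: a shadow-copy deletion spawned by `cmd.exe` under an interactive user, minutes before mass file renames, is a very different signal from the same command issued by a backup agent's service account, and the parent process is the quickest way to tell them apart during triage.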

 

 

Rapture

Rapture ransomware was initially observed by Trend Micro in March and April 2023. Interestingly, the ransomware has a minimalistic way of targeting victims, using tools that leave a minimal footprint behind. This allows Rapture to carry out its ransomware attacks quickly.

Researchers observed that during the execution of Rapture, a memory dump shows a configuration file for an RSA key, similar to the one used by Paradise ransomware. To make analysis more challenging, the attackers used Themida, a commercial packer, to pack the ransomware. Rapture requires a minimum of .NET 4.0 framework to execute correctly, which suggests further similarities with Paradise, known to be compiled as a .NET executable. As a result, the ransomware was named Rapture, a closely related nomenclature to Paradise.

In April 2023, ransomware activity was found that seemed to be injected into legitimate processes. After the activities were traced back to the source process, it was found that the ransomware was actively loaded into memory from a Cobalt Strike beacon. The attackers sometimes dropped the ransomware as a *.log file in a folder or drive:

  • E:\ITS.log
  • C:\[Redacted]\Aps.log

Rapture then drops its notes into every directory it traverses. The first six characters of the note name appear random but are actually a hard-coded configuration string:

  • 7qzxid-README.txt
  • qiSgqu-README.txt

The same six characters are appended to the encrypted files as their extension (*.7qzxid and *.qiSgqu). The ransomware also requires specific command-line arguments to execute properly; only when the correct argument is provided to the malicious file does it initiate the ransomware process.
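Both families leave predictable filesystem artifacts: Akira appends `.akira` to the files it encrypts, and Rapture pairs a `XXXXXX-README.txt` note with encrypted files carrying the same six characters as their extension. The following scanner is an added example written for this report (not Avertium's or Trend Micro's code) that walks a directory tree, collects those artifacts, and ties Rapture's note tokens to the matching extensions so a stray README on its own is not mistaken for an infection. The sample tree it builds is constructed for the example; the file names are made up, and only the two six-character tokens come from the report.

```python
import os
import re
import tempfile
from typing import Dict, List

# Rapture note name: six hard-coded characters followed by -README.txt
RAPTURE_NOTE_RE = re.compile(r"^([A-Za-z0-9]{6})-README\.txt$")
# Extension Akira appends to the files it encrypts
AKIRA_EXT = ".akira"


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree and collect the filesystem artifacts the report
    describes for Akira and Rapture. Paths are returned relative to root."""
    paths: List[str] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            paths.append(os.path.relpath(os.path.join(dirpath, fn), root))

    findings: Dict[str, List[str]] = {
        "akira_files": [], "rapture_notes": [], "rapture_tokens": [], "rapture_files": [],
    }
    tokens = set()
    for p in paths:
        name = os.path.basename(p)
        if name.lower().endswith(AKIRA_EXT):
            findings["akira_files"].append(p)
        m = RAPTURE_NOTE_RE.match(name)
        if m:
            findings["rapture_notes"].append(p)
            tokens.add(m.group(1))
    findings["rapture_tokens"] = sorted(tokens)
    # Second pass: encrypted files carry the note's six characters as their extension
    for p in paths:
        ext = os.path.splitext(p)[1].lstrip(".")
        if ext in tokens:
            findings["rapture_files"].append(p)
    for key in findings:
        findings[key] = sorted(findings[key])
    return findings


def families_present(findings: Dict[str, List[str]]) -> List[str]:
    """Which family's artifacts were found. Rapture requires a note plus at
    least one file with the matching extension, so a lone README is ignored."""
    present = []
    if findings["akira_files"]:
        present.append("akira")
    if findings["rapture_notes"] and findings["rapture_files"]:
        present.append("rapture")
    return present


def build_sample_tree() -> str:
    """Create a constructed directory tree holding both families' artifacts
    plus clean files. Everything here is made up except the two tokens."""
    root = tempfile.mkdtemp(prefix="ransom-scan-")
    layout = {
        "docs/report.docx.akira": b"encrypted",
        "docs/notes.txt": b"clean",
        "share/7qzxid-README.txt": b"note",
        "share/budget.xlsx.7qzxid": b"encrypted",
        "media/qiSgqu-README.txt": b"note",
        "media/clip.mp4.qiSgqu": b"encrypted",
        "media/intro.mp4": b"clean",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for key, items in result.items():
        print(f"{key}: {items}")
    print("families:", families_present(result))
```

Run it against a file share or a mounted forensic image rather than a live, possibly still-encrypting host; the relative paths it returns are what you want in a scoping spreadsheet, and the token list tells you whether more than one Rapture configuration was used across the estate.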

 

Image 3: Ransomware File Packed Using Themida

Source: Trend Micro

The entire infection process lasts a maximum of three to five days, counted from the first observed reconnaissance commands. To improve the odds of a successful attack, Rapture's operators first inspect firewall policies, check the PowerShell version, and check for vulnerable Log4j applets.

The ransom note dropped by Rapture has some similarities to Zeppelin ransomware. However, researchers are highly confident that Rapture is not a variant of Zeppelin. After examining the note, Trend Micro found that Rapture ransomware has been around for quite some time, but no samples were available at its initial sighting in November 2022. Finally, the malware initiates a connection with its C2 server and obtains commands and additional payloads from there.

 

Image 4: Ransomware Note Left by Rapture

Source: Trend Micro

Defense

Akira may be a new player in the field, but their tactics and ransom demands are similar to other ransomware groups. Despite the use of stealthy and difficult-to-analyze tactics such as memory-based payload attacks and small-size infection chains by Rapture ransomware, it is still important to adhere to best practices for dealing with both ransomware groups.

Organizations can implement a robust and multifaceted strategy to safeguard possible entry points into their systems, including endpoints, emails, websites, and networks. They can utilize security solutions capable of identifying malicious elements and suspicious activity to protect themselves from ransomware attacks. To increase cyber resilience in ransomware response, consider the following:

  • Evaluate the strategic ransomware preparedness of endpoints by identifying essential controls, such as anti-virus/anti-malware, endpoint protection, and endpoint detection and response solutions, as well as device management tools.
  • Enable ransomware cyber hygiene measures across endpoints by implementing application resilience policies that ensure that critical security applications and device management tools are installed and functioning as intended.
  • Evaluate the security posture of devices by continuously detecting and reporting on the status of anti-malware, detection, and response software installed on endpoint assets.
  • Accelerate the recovery process by collecting accurate insights, executing customized workflows, and automating commands for device recovery. This can be achieved by leveraging a library of custom scripts to facilitate tasks such as identifying infected and encrypted machines, quarantining endpoints by disabling networking or unlocking specific device ports or supporting device re-imaging.
  • Identify sensitive data by scanning devices for financial information, social security numbers, personally identifiable information (PII), protected health information (PHI), and intellectual property. This process enables organizations to locate at-risk devices and ensure that proper backup measures are in place using existing tools.
  • Implement a data protection program that includes policies, classification, encryption/DLP, and proactive monitoring across all sensitive data.

 

 

INDICATORS OF COMPROMISE (IoCs)

Rapture

  • Sha256
    • c417a89cdc86ea6d674d2dc629ae1872b4054ac43e948e8ed60d3f3f47178598
    • a6cd727a18e5e2a80fbd8a51c299a2030bd5e68e4bbf136e07eb9d0b3f3bb8ce
    • 619614cda94a4b6b185c0c122d11ef2b8b0b3e7fc94a1a5c2ff1ac49233df54b
    • 4222681314f5ffd69fe17ab2ae4b9aaa60866571fe2b53afc10f87e3738cedda
    • b44b4e162de1decc9a5d3c61a045eb4776c55fccd33c9eced5b9f622faee19fa
    • 367e13f234a46822aa9655690f18000319123ad07a62e56bcf8bebbfbb0de7b9
    • 99331170be7aa48d572728f68e52ac8d3eb3c8307cb8050ce504ef9f4624a4ba
    • d793aaaba1b4b34a20432b86505b851d838def0cd722b8cbdd1d08e19a08b6ee
  • SHA1
    • 76beb70b06cfe714c4fa250b6b2d1e5025fe3c50
    • 30d49ced95cb9a0fb6526b30131501b28cbbc388
    • 24e7848dab0b82b200781630e617d6ed7e6016e7
    • f2e6853050f76517a9a7d472f3a994d0ae8411cf
    • 5e6d77960065df450e0533f9a8409c7463292243
    • 688d67eb4ff993963c86297ab8345962334ead27
    • bdb3fa0c50db18f7ada02b2060b4c5110016e859
    • 843f3ad221a9da48d82df672bd8806cc090430b5
    • 9a14a69eb279513cde2de0be538cc8d275fd34e9
  • IP Addresses
    • 195[.]123[.]234[.]101
    • 172[.]82[.]86[.]148
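The indicators above are published defanged (`195[.]123[.]234[.]101`) and, as the SHA-256 list shows, may contain duplicates, so they need normalising before they can be matched against telemetry. The block below is an added example written for this report, not Avertium's hunting tooling: it refangs and validates a subset of the Rapture indicators, deduplicates them, then extracts candidate hashes and IPv4 addresses from free-form log lines and reports every match. The log lines, hostnames and internal addresses are constructed for the example; the indicator values are copied from the list above, and the drop paths are the ones the report names.

```python
import re
from typing import Dict, List, Set, Tuple

# Indicators as printed in the report: defanged IPs and one duplicated SHA-256.
# Only a subset of the report's hashes is included to keep the sample short.
RAPTURE_IOCS: Dict[str, List[str]] = {
    "sha256": [
        "c417a89cdc86ea6d674d2dc629ae1872b4054ac43e948e8ed60d3f3f47178598",
        "a6cd727a18e5e2a80fbd8a51c299a2030bd5e68e4bbf136e07eb9d0b3f3bb8ce",
        "99331170be7aa48d572728f68e52ac8d3eb3c8307cb8050ce504ef9f4624a4ba",
        "99331170be7aa48d572728f68e52ac8d3eb3c8307cb8050ce504ef9f4624a4ba",
    ],
    "sha1": [
        "76beb70b06cfe714c4fa250b6b2d1e5025fe3c50",
        "30d49ced95cb9a0fb6526b30131501b28cbbc388",
    ],
    "ip": ["195[.]123[.]234[.]101", "172[.]82[.]86[.]148"],
}

# Format checks applied after refanging; anything that fails is dropped
VALIDATORS = {
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "ip": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
}

# Patterns used to pull candidate observables out of free-form log lines
EXTRACTORS = {
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "sha1": re.compile(r"\b[0-9a-fA-F]{40}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def refang(value: str) -> str:
    """Undo common defanging: 195[.]123[.]234[.]101 -> 195.123.234.101, hxxp -> http."""
    value = value.strip().replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.I)


def normalize_iocs(raw: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Refang, lowercase and deduplicate; drop anything that fails its format check."""
    clean: Dict[str, Set[str]] = {}
    for kind, values in raw.items():
        pattern = VALIDATORS[kind]
        clean[kind] = {v for v in (refang(x).lower() for x in values) if pattern.match(v)}
    return clean


def extract_observables(line: str) -> Dict[str, Set[str]]:
    return {kind: {m.lower() for m in pat.findall(line)} for kind, pat in EXTRACTORS.items()}


def match_lines(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (line_index, ioc_kind, indicator) for every indicator seen in the lines."""
    hits: List[Tuple[int, str, str]] = []
    for idx, line in enumerate(lines):
        found = extract_observables(line)
        for kind in ("sha256", "sha1", "ip"):
            for value in sorted(found.get(kind, set()) & iocs.get(kind, set())):
                hits.append((idx, kind, value))
    return hits


# Constructed log lines: a firewall allow to a listed IP, an EDR file event for
# the E:\ITS.log drop path with a listed hash (uppercase, as some tools emit
# it), a benign line, and a SHA-1 hit. Hosts and internal IPs are made up.
SAMPLE_LOG_LINES = [
    r"2023-04-28T09:11:02Z fw01 src=10.0.4.21 dst=195.123.234.101 dport=443 action=allow",
    r"2023-04-28T09:11:40Z edr WS01 file=E:\ITS.log sha256=C417A89CDC86EA6D674D2DC629AE1872B4054AC43E948E8ED60D3F3F47178598",
    r"2023-04-28T09:12:00Z fw01 src=10.0.4.22 dst=203.0.113.7 dport=53 action=allow",
    r"2023-04-28T09:12:31Z edr FS02 file=C:\[Redacted]\Aps.log sha1=30d49ced95cb9a0fb6526b30131501b28cbbc388",
]

if __name__ == "__main__":
    for idx, kind, value in match_lines(SAMPLE_LOG_LINES, normalize_iocs(RAPTURE_IOCS)):
        print(f"line {idx}: {kind} {value} :: {SAMPLE_LOG_LINES[idx]}")
```

Keeping the refang and validation step separate from matching means a typo in a published indicator (a 63-character hash, a stray bracket) is dropped loudly at load time rather than silently never matching, and the `hxxp` handling is there so the same loader can take URL indicators from other reports without change.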

Akira

At this time, there are no known IoCs associated with Akira ransomware. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.

 

 

MITRE MAP

Akira

Akira MITRE Map

 

Rapture

Rapture MITRE Map

 

 

How Avertium Is Protecting Our Customers

Because the cyber landscape is always changing, it is imperative to be aware of new cyber attack strategies and techniques. Avertium is here to keep you informed and to keep your organization safe. We recommend the following services for the best protection against ransomware attacks:

  • Avertium offers Vulnerability Management (VM) to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.
  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • It is also recommended by Avertium and the FBI that your business require multi-factor authentication (MFA) to remotely access networks.
    • Implementing network segmentation and filtering network traffic to stop phishing emails from reaching victims is also helpful.
  • Reach out to your Service Delivery Manager or Account Executive if you need assistance applying any of the above recommendations.

 

 


SUPPORTING DOCUMENTATION

Ransomware gangs display ruthless extortion tactics in April | TechTarget 

Paradise Ransomware’s Source Code Now Available on a Hacker Forum | Cyware Alerts - Hacker News

Rapture, a Ransomware Family With Similarities to Paradise (trendmicro.com)

Akira Virus Ransomware [.akira Files] Remove + Restore (sensorstechforum.com)

Akira Ransomware Lists Three Victims After Sprucing Up Site (thecyberexpress.com)

Akira Ransomware Removal Report (enigmasoftware.com)

New Rapture Ransomware Bears Notable Similarities with Paradise | Cyware Alerts - Hacker News

Ransomware review: April 2023 (malwarebytes.com)

Flash Notice: PaperCut - Patch Now, Critical Printer Software Vulnerabilities Exploited in the Wild (avertium.com)

 

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.

 

COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.
