In March 2023, Avertium published a Threat Intelligence Report featuring 2023’s ransomware group trends. In the report, we detailed the activity of LockBit, BlackCat, Royal, Vice Society, and Medusa. At the time, ransomware activity appeared to be declining with a 12.9% reduction in the yearly rate of publicly reported victims. There was also a significant decline of 41% after December 2022.
Chainalysis revealed that ransom payments related to ransomware attacks are decreasing, with the decline being attributed to the dismantling of major ransomware groups like Conti and HIVE. Despite this trend, ransomware groups are still active, as seen by recent attacks by Clop and LockBit, who exploited a critical vulnerability in PaperCut (CVE-2023-27350 and CVE-2023-27351), as well as Black Basta's breach of Yellow Pages Canada and Medusa's targeting of healthcare organizations. These attacks prove that the security community cannot afford to let their guard down when it comes to ransomware, even during periods of reduced activity.
While it may appear that the same ransomware groups are frequently making headlines, this month has seen activity from two lesser-known ransomware groups that are not currently in the spotlight. Let’s look at the ransomware groups Akira and Rapture, and their recent activity.
The Akira ransomware group, a relatively new player in the ransomware market, has claimed responsibility for three recent attacks. The victims include 4LEAF, an American engineering consultancy business; Park-Rite, a U.S.-based packaging materials manufacturer; and Family Day Care Services, a Canadian childcare service. Akira listed the names of the three victims on their leak site threatening to release company records if they refuse to pay a ransom.
Image 1: Akira's Leak Site
Akira’s latest victim is BridgeValley Community and Technical College. The college, which is based in West Virginia, was added to the group’s shame site on May 1, 2023. The college acknowledged the ransomware attack, which caused a network outage on April 4th.
The first victim listed on Akira’s leak site is a UK-based architecture firm, with Akira claiming to have stolen more than 11 GB of data from the company. The second victim is a U.S.-based IT services company, with a ransom demand of $100,000. The third victim is a European pharmaceutical company, with a ransom demand of $50,000.
Akira appears to be focused on targeting small and medium-sized businesses, with ransom demands ranging from $50,000 to $500,000. Some of the data they have stolen from various businesses has already been sold on the dark web. Their first attack was reported in March 2023.
The group uses a variety of tactics to gain access to their victims' systems, including phishing emails and exploiting unpatched vulnerabilities in software. They also have a history of using remote desktop protocol (RDP) brute force attacks to gain access to networks.
Researchers discovered the ransomware Trojan on August 28, 2017, and at that time, it appeared to be in its testing phase. The Trojan is currently being distributed by targeting unprotected websites, with a specific focus on WordPress sites. Once infected, Akira drops one or multiple payload files into the directories listed below:
After infection, a ransom note is left before the ransomware creates multiple registry values in Windows, such as the Run and RunOnce registries. The presence of .akira files means that your data has likely been encrypted by Akira ransomware, which also means that the ransomware has singled out files with extensions like:
Once encryption is complete, the ransomware creates the file types seen in image 2.
Image 2: File Types
Unlike most ransomware Trojans, the current version of Akira ransomware doesn't encrypt a wide range of file types. As observed above, the ransomware appears to target mostly video files in its attacks. According to the researchers at Enigma Software, this could mean that Akira is either targeting specific platforms that deal with video files or, more likely, the ransomware is still in development. During attacks, Akira uses a combination of AES and RSA encryption to render the victim's files inaccessible. In addition to encrypting victim's files, Akira will also remove the Shadow Volume copies of the files. This is done to prevent users from recovering their files using alternative methods.
Rapture ransomware was initially observed by Trend Micro in March and April 2023. Interestingly, the ransomware has a minimalistic way of targeting victims, using tools that leave a minimal footprint behind. This allows Rapture to carry out its ransomware attacks quickly.
Researchers observed that during the execution of Rapture, a memory dump shows a configuration file for an RSA key, similar to the one used by Paradise ransomware. To make analysis more challenging, the attackers used Themida, a commercial packer, to pack the ransomware. Rapture requires a minimum of .NET 4.0 framework to execute correctly, which suggests further similarities with Paradise, known to be compiled as a .NET executable. As a result, the ransomware was named Rapture, a closely related nomenclature to Paradise.
In April 2023, ransomware activity was found that seemed to be injected into legitimate processes. After the activities were traced back to the source process, it was found that the ransomware was actively loaded into memory from a Cobalt Strike beacon. The attackers sometimes dropped the ransomware as a *.log file in a folder or drive:
Rapture then drops its notes to every traversed directory, with the first six characters appearing to be random but are actually hard-coded string configurations:
After appending the same six characters to these encrypted files: *.7qzxid and *.qiSgqu, the ransomware requires specific command lines to execute properly. When the correct argument is provided to the malicious file, it initiates the ransomware process.
Image 3: Ransomware File Packed Using Themida
Also, the entire infection process lasts a maximum of three to five days, starting from the discovery of the reconnaissance commands. To ensure a more successful attack, Rapture's operators first inspect firewall policies, check the PowerShell version, and check for vulnerable Log4j applets.
The ransomware note dropped by Rapture, has some similarities to Zeppelin ransomware. However, researchers are highly confident that the Rapture is not a variant of Zeppelin. After examining the note, Trend Micro found that Rapture ransomware has been around for quite some time, but there were no samples available during its initial sighting in November 2022. Finally, the malware initiates a connection with the C2 and obtains commands and additional payloads from there.
Image 4: Ransomware Note Left by Rapture
Akira may be a new player in the field, but their tactics and ransom demands are similar to other ransomware groups. Despite the use of stealthy and difficult-to-analyze tactics such as memory-based payload attacks and small-size infection chains by Rapture ransomware, it is still important to adhere to best practices for dealing with both ransomware groups.
Organizations can implement a robust and multifaceted strategy to safeguard possible entry points into their systems, including endpoints, emails, websites, and networks. They can utilize security solutions capable of identifying malicious elements and suspicious activity to protect themselves from ransomware attacks. To increase cyber resilience in ransomware response, consider the following:
Rapture
Akira
At this time, there are no known IoCs associated with Akira ransomware. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
Akira
Rapture
Because the cyber landscape is always changing, it is imperative to be aware of new cyber attack strategies and techniques. Avertium is here to keep you informed and to keep your organization safe. We recommend the following services for the best protection against ransomware attacks:
Related Resource:
Ransomware gangs display ruthless extortion tactics in April | TechTarget
Paradise Ransomware’s Source Code Now Available on a Hacker Forum | Cyware Alerts - Hacker News
Rapture, a Ransomware Family With Similarities to Paradise (trendmicro.com)
Akira Virus Ransomware [.akira Files] Remove + Restore (sensorstechforum.com)
Akira Ransomware Lists Three Victims After Sprucing Up Site (thecyberexpress.com)
Akira Ransomware Removal Report (enigmasoftware.com)
New Rapture Ransomware Bears Notable Similarities with Paradise | Cyware Alerts - Hacker News
Ransomware review: April 2023 (malwarebytes.com)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.