Category: Malware Intelligence
Region: World Wide
CloudSEK's Threat Research team investigated Akira Ransomware; the quick highlights are as follows:
- First infection reported in 2017 by Karsten Hahn on Twitter.
- Targets both Windows-based and Linux-based systems.
- Utilizes Symmetric Encryption with CryptGenRandom() and Chacha 2008 for file encryption.
- Shares similarities with leaked Conti v2 ransomware according to Avast's research.
- Avast released a decryptor for Akira Ransomware targeting 64-bit and 32-bit Windows-based systems.
- Leaked data offered via Torrents and Direct download links on the same Tor-based website.
Victims Listed on the Leak Website
- Hospitality Staffing Solutions - United States
- The City of Nassau Bay - Bahamas
- Computer Information Concepts Inc - United States
- Fersten Worldwide - Canada
- Malt Products - United States
- Schottenstein Property Group - United States
- Gregory Poole - United States
- Family Day Care Services - Australia
- Columbia Distributing - United States
- Ipleiria Student Branch - Portugal
- New World Travel, Inc - United States
- The Mitchell Partnership - Canada
- Mercer University - United States
- 4LEAF, Inc. - United States
- The McGregor - United States
- BridgeValley Community & Technical College - United States
- Thompson Builders - United States
- Alliance Sports Group - United States
- Pak-Rite, Ltd - United States
Analysis and Attribution
- Akira is a malicious ransomware strain designed to encrypt data on infected systems, appending the ".akira" extension to affected file names and presenting victims with a ransom note named "akira_readme.txt". The ransomware also deletes Windows Shadow Volume Copies, making data recovery more challenging.
Propagation, Exploitation and Delivery:
- Akira is commonly distributed through various means, including infected email attachments containing macros, malicious ads, torrent websites, and pirated software.
- Additionally, affiliates have been observed exploiting commonly unpatched vulnerabilities on VPN endpoints to gain initial access and then move laterally; this includes active exploitation of a VMware ESXi remote code execution vulnerability.
Ransom Note Overview:
- Upon infection, Akira presents a ransom note to the victim, claiming that the company's internal infrastructure is either partially or completely non-functional, with all backups removed. It also states that the attackers have accessed a significant amount of corporate data before encryption. The note includes reasonable ransom demands and offers a negotiation process to prevent severe financial consequences for the targeted organization.
Instructions for Negotiation:
- The ransom note provides guidance on contacting the cybercriminals via the Tor browser to access their chat room. A unique code is given for logging in, and the attackers emphasize that a swift response from the victim will minimize the potential damage. Payments are usually accepted in cryptocurrency.
- Like other ransomware variants, Akira can spread within a corporate network once it gains entry. It targets multiple devices and encrypts files to extract ransom payments. However, before initiating encryption, Akira deliberately avoids specific folders such as Recycle Bin, System Volume Information, Boot, ProgramData, and Windows, along with Windows system files bearing .exe, .lnk, .dll, .msi, and .sys extensions.
- A significant characteristic of Akira ransomware is the pre-encryption theft of sensitive corporate data. The attackers leverage this stolen information to extort victims, threatening to expose it publicly if the ransom is not paid promptly.
Recommendations
- Actively patch popular, publicly disclosed vulnerabilities, as ransomware affiliates tend to mass-exploit them for convenience and easy exploitation to gain an initial foothold inside the network.
- Block file extensions commonly used for delivering malware, such as exe, pif, tmp, url, vb, vbe, scr, reg, cer, pst, cmd, com, bat, dll, dat, hlp, hta, js, wsf.
- Update the SIEM and SOAR with the threat hunting rule for Akira Ransomware shared below.
- Actively triage alerts for the presence and usage of tools such as AnyDesk, WinRAR, and PCHunter, which are commonly used for archiving data prior to exfiltration and for maintaining remote backdoor connections.
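As an added example that is not part of the CloudSEK report, the following Python script turns the behaviours described above (creation of akira_readme.txt, the ".akira" rename, shadow copy deletion, and use of AnyDesk/WinRAR/PCHunter) into hunting rules run over constructed sample endpoint telemetry. The pipe-delimited log format, host names, and the vssadmin/wmic command lines are assumptions made for the example.

```python
import re

# Constructed sample telemetry (process creation and file events), not real
# incident data. Format: "<event_type>|<host>|<detail>".
SAMPLE_LOG = """\
process|ws01|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
file|ws01|C:\\Users\\alice\\Documents\\report.docx -> C:\\Users\\alice\\Documents\\report.docx.akira
file|ws01|created C:\\Users\\alice\\Documents\\akira_readme.txt
process|ws02|C:\\Program Files\\AnyDesk\\AnyDesk.exe --service
process|ws02|C:\\Program Files\\WinRAR\\WinRAR.exe a -r staging.rar D:\\share
process|ws03|C:\\Windows\\System32\\notepad.exe
"""

# (rule name, event type, pattern over the detail field). The ransom-note name,
# ".akira" extension and tool names come from the report; the vssadmin/wmic
# command lines are an assumption about how shadow copies are usually deleted.
RULES = [
    ("akira_ransom_note", "file", re.compile(r"akira_readme\.txt$", re.I)),
    ("akira_extension_rename", "file", re.compile(r"->\s.*\.akira$", re.I)),
    ("shadow_copy_deletion", "process",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("exfil_or_remote_tooling", "process",
     re.compile(r"\\(AnyDesk|WinRAR|PCHunter\w*)\.exe", re.I)),
]

# Rules that indicate the encryption stage itself; tooling alone is weaker evidence.
HIGH_CONFIDENCE = {"akira_ransom_note", "akira_extension_rename", "shadow_copy_deletion"}

def parse_line(line):
    """Split one telemetry line into its fields; return None on malformed input."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    return {"type": parts[0], "host": parts[1], "detail": parts[2]}

def hunt(log_text):
    """Return a list of (host, rule_name, detail) for every rule match in the log."""
    hits = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        for name, event_type, pattern in RULES:
            if event["type"] == event_type and pattern.search(event["detail"]):
                hits.append((event["host"], name, event["detail"]))
    return hits

def triage(hits):
    """Map each host to 'high' if an encryption-stage rule fired, else 'medium'."""
    rules_per_host = {}
    for host, name, _ in hits:
        rules_per_host.setdefault(host, set()).add(name)
    return {h: ("high" if r & HIGH_CONFIDENCE else "medium") for h, r in rules_per_host.items()}
```

Hosts rated "medium" still warrant the alert triage the report recommends, since archiving and remote-access tooling precedes the encryption stage.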
Indicators of Compromise (IoCs)