February 24, 2025

Akira Ransomware



Akira ransomware, a relatively new but highly impactful player in the cybercrime landscape, has quickly risen to prominence since its emergence in March 2023. Operating under the Ransomware-as-a-Service (RaaS) model, Akira employs a double-extortion strategy, exfiltrating sensitive data before encrypting systems, significantly increasing the pressure on victims to pay ransoms. This article provides a deep dive into Akira's origins, evolution, tactics, techniques, and procedures (TTPs), target profile, attack campaigns, and, most importantly, effective defense strategies. The information presented here is based on collaborative reports from cybersecurity agencies, including the FBI, CISA, Europol's EC3, and the Netherlands' NCSC-NL, as well as research from various cybersecurity firms.

Origins & Evolution

Akira ransomware was first observed in March 2023. While initially targeting Windows systems with a C++ based payload that appended the .akira extension to encrypted files, the group quickly evolved. By mid-2023, they expanded their operations to include a Linux variant specifically designed to target VMware ESXi virtual machines, a common practice among ransomware groups seeking to maximize impact on enterprise environments.

A significant development occurred around August 2023 with the introduction of Megazord, a Rust-based variant that encrypted files with the .powerranges extension. Furthermore, a novel variant called Akira_v2, also Rust-based, was discovered, featuring more tailored encryption capabilities and the .akiranew extension. Akira_v2 is designed to insert additional threads to allow more granular control over CPU cores, increasing the speed and efficiency of the encryption process. Akira_v2 also has the ability to only deploy against virtual machines with a command-line option "vmonly" and stop any running virtual machines with "stopvm". These different variants demonstrate Akira's continuous development and adaptation to evade detection and maximize its impact.

There is strong evidence suggesting a connection between Akira and the dismantled Conti ransomware group. Code similarities have been observed, and some individuals associated with Akira have been linked to cryptocurrency wallets previously used by Conti affiliates. This suggests that Akira may be one of several ransomware groups that emerged following Conti's shutdown, effectively filling a void in the cybercrime ecosystem. This lineage is crucial for understanding Akira's capabilities and potential future trajectory.

Tactics & Techniques

Akira ransomware employs a range of tactics and techniques throughout the attack lifecycle, from initial access to impact. Understanding these TTPs is critical for effective defense.

  • Initial Access: Akira's primary initial access vector is compromised VPN credentials, particularly on VPN services that lack multi-factor authentication (MFA); brute-forcing such services is one way the group obtains those credentials. The group is known to exploit vulnerabilities in Cisco products (CVE-2020-3259, CVE-2023-20269). Other methods include spear phishing (with malicious attachments or links), abuse of Remote Desktop Protocol (RDP), and the use of stolen, valid credentials. Other vulnerabilities noted include CVE-2021-21972 (VMware vCenter Server), CVE-2019-6693 (Draytek Vigor), CVE-2022-40684 (Fortinet), CVE-2023-20269 (Citrix Bleed), CVE-2024-37085, CVE-2024-40711, and CVE-2024-40766.

  • Persistence: After gaining access, Akira establishes persistence by creating new domain accounts (e.g., "itadm") on domain controllers. They may also use scheduled tasks and compromise valid accounts.

  • Discovery/Reconnaissance: Akira performs extensive reconnaissance within the compromised network. This includes:

* Active Directory Enumeration: Using tools like Get-ADUser, Get-ADComputer, AdFind, and SharpHound to gather information about users, systems, and organizational structure.

* Network Scanning: Employing tools like SoftPerfect Network Scanner (netscan.exe), Advanced IP Scanner, PCHunter, MASScan, and reconftw to identify potential targets and map the network.

* Using net commands to identify domain controllers and domain trust relationships.

  • Credential Access: Akira actively seeks to obtain credentials through various methods:

* Credential Scraping: Using tools like Mimikatz and LaZagne to extract credentials from LSASS memory.

* NTDS Dumping: Extracting the NTDS.dit file, which contains Active Directory user password hashes.

* Comsvcs.dll: Abusing the built-in Windows comsvcs.dll library to dump LSASS memory, which avoids dropping a separate credential-dumping tool on the host.

  • Lateral Movement: Once inside the network, Akira moves laterally to access high-value targets:

* Remote Desktop Protocol (RDP): Using valid accounts to access other systems via RDP.

* Network Shares: Accessing shared drives and resources.

* PsExec: Using the PsExec utility to execute commands on remote systems.

  • Defense Evasion: Akira employs several techniques to evade detection and security controls:

* Disabling Security Software: Using tools like PowerTool to exploit the Zemana AntiMalware driver and disable security products.

* Disabling Windows Defender: Adding exclusions to Windows Defender to prevent detection.

* Terminator: BYOVD (Bring Your Own Vulnerable Driver) attacks to disable security products.

* Virtual Machines: Creating new virtual machines to hide adversary behavior.

* Modifying the Registry: Modifying the UserList registry key to hide accounts on the login screen, and modifying the DisableRestrictedAdmin registry key.

  • Exfiltration: A critical component of Akira's double-extortion strategy is data exfiltration before encryption. They use various tools for this purpose:

* FileZilla, WinSCP, RClone: These tools are used to transfer stolen data to attacker-controlled servers.

* Command and Control: Utilizing legitimate remote access and tunneling tools like RSAT-AD, SystemBC, NetCat, AnyDesk, Radmin, Cloudflare Tunnel, MobaXterm, Ngrok, RustDesk, and SSH.

* Exfiltration Paths: FTP, SFTP, and cloud storage services (e.g., Mega).

  • Impact/Encryption: The final stage involves encrypting files and demanding a ransom. Key characteristics include:

* Double Extortion: Data is exfiltrated before encryption, increasing the pressure on victims.

* Ransom Notes: Notes contain unique codes and .onion URLs for contacting the attackers. No initial ransom demand is typically made, and payments are requested in Bitcoin.

* Threat of Publication: Stolen data is threatened to be published on the Tor network if the ransom is not paid. In some cases, the attackers also make phone calls to the victims.

* Encryption Scheme: A hybrid approach using the ChaCha20 stream cipher with RSA. The encryption is tailored based on file type and size (full or partial encryption). This is similar to the Conti ransomware encryption scheme.

* Deletion of Volume Shadow Copies: PowerShell commands are used to delete Volume Shadow Copies (VSS), hindering data recovery efforts.

Targets or Victimology

Akira ransomware has impacted a wide range of businesses and critical infrastructure entities across North America, Europe, and Australia. Their targeting appears to be opportunistic rather than strictly focused on specific sectors. However, certain industries have been disproportionately affected, including:

  • Manufacturing

  • Engineering

  • Agriculture

  • Business Sector

  • Financial Services

  • Higher Education

  • Technology

  • Critical Infrastructure

  • Legal

  • Healthcare

  • Construction

  • Real Estate

Geographically, while Akira operates globally, a significant number of victims have been located in Western countries, particularly the United States, Canada, the United Kingdom, France, and Germany. Some reports suggest that the malware is designed to avoid execution on systems with Russian language keyboards, which could indicate a potential association with Russia-based actors, although this is not definitive proof of origin.

The impact of Akira attacks extends beyond financial losses. Data breaches, operational disruptions, and reputational damage are significant consequences. The targeting of critical infrastructure highlights the potential for widespread societal impact. The healthcare sector has seen a surge in breaches.

Attack Campaigns

Akira ransomware has been associated with numerous high-profile attacks since its emergence. Some notable campaigns or incidents include:

  • Stanford University: 430 GB of data allegedly stolen.

  • Mass Victim Leak (November 2024): The group has added over 100 victims to their data leak site with 35+ victims' details published on the leak site in a single day, demonstrating a rapid and aggressive expansion.

  • Tietoevry (Cloud Provider): An attack in January 2024 affected numerous major Swedish providers, showcasing Akira's ability to disrupt large-scale operations.

  • Nissan Australia: Attack in January 2023, data stolen.

  • Blue Yonder: A major supply chain vendor attack that caused operational disruptions for prominent companies.

  • Numerous Small and Medium-Sized Businesses: While large-scale attacks gain more attention, Akira also targets smaller organizations, highlighting the pervasive nature of the threat. A recent ransomware attack impacted IT services.

Defenses

Defending against Akira ransomware requires a multi-layered approach incorporating proactive security measures, robust detection capabilities, and a well-defined incident response plan. Here are some key defense strategies:

  • Implement and Maintain a Robust Recovery Plan: This is the most critical defense. Maintain offline, segmented, and secure backups. Regularly test the recovery process to ensure its effectiveness. The 3-2-1 rule (3 copies of data, 2 different media, 1 offsite) is highly recommended.

  • Enforce Strong Password Policies: Implement strong, unique passwords for all accounts, particularly those with privileged access. Comply with NIST standards, and consider not requiring recurring password changes if passwords meet sufficient complexity requirements.

  • Mandate Multi-Factor Authentication (MFA): This is essential, especially for all remote access services, including VPNs, webmail, and access to critical systems. Akira's primary initial access vector exploits VPNs without MFA.

  • Keep Systems Patched and Updated: Prioritize patching known exploited vulnerabilities, especially in internet-facing systems. Regularly update operating systems, applications, and firmware.

  • Network Segmentation: Implement network segmentation to limit the lateral movement of ransomware within the network. This can contain an outbreak and reduce its impact.

  • Implement Network Monitoring Tools: Deploy network monitoring tools, including Endpoint Detection and Response (EDR) solutions, to detect abnormal activity, lateral movement, and data exfiltration attempts.

  • Filter Network Traffic: Block untrusted origins from accessing internal remote services. Implement strong firewall rules.

  • Install and Update Antivirus Software: Use reputable antivirus software with real-time detection capabilities. Ensure signatures are regularly updated.

  • Audit Accounts and Enforce Least Privilege: Regularly audit user accounts, especially privileged accounts. Enforce the principle of least privilege, granting users only the access they need to perform their job duties.

  • Disable Unused Ports and Protocols: Disable any unnecessary ports and protocols to reduce the attack surface.

  • Implement Email Security Measures: Use email security solutions to filter spam, scan attachments, and block malicious links. Implement email banners for external emails and disable hyperlinks.

  • Implement Time-Based Access for Accounts: Implement time-based access for accounts, especially privileged accounts. Consider Just-in-Time (JIT) access and a Zero Trust model.

  • Restrict Command-Line and Scripting Activities and Permissions: Where possible, restrict command-line and scripting capabilities to the users and systems that need them, limiting an attacker's ability to execute malicious code.

  • User Awareness Training: Regularly train employees on cybersecurity best practices, including how to recognize and avoid phishing emails, suspicious attachments, and social engineering attempts. Phishing simulation is very important.

  • Incident Response Plan: Have a tested and well-defined procedure to respond to cybersecurity attacks.

  • External Attack Surface Management (EASM): Use an EASM tool to continuously discover internet-exposed assets and identify and fix their vulnerabilities.

  • Operational Threat Intelligence: Leverage tools that provide insight on threat actors and their methods.

  • Validate Security Controls: Regularly test security controls against the MITRE ATT&CK techniques used by Akira (and other ransomware groups).
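Two of the defenses above, mandating MFA on remote access and monitoring for abnormal activity, can be checked directly against VPN authentication logs: Akira's primary initial access path is password-only VPN access, sometimes obtained by brute force. The following is an added example written for this article (not code from the original page or from any VPN vendor) that audits a log for password-guessing bursts and for successful logons that completed without a second factor. The one-line `key=value` log format and the sample lines are constructed assumptions; adapt `parse_line()` to your gateway's real format.

```python
"""Audit of VPN authentication logs for password-guessing bursts and for
successful logons recorded without MFA. Example code added for this article,
not from the original page or any VPN vendor. The log format and the sample
lines below are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Assumed gateway format: "<ISO timestamp> <host> auth user=<u> src=<ip> result=OK|FAIL mfa=<method|none>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>OK|FAIL) mfa=(?P<mfa>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict; returns None for lines that are not auth records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def brute_force_sources(events, threshold: int = 5, window=timedelta(minutes=5)) -> set:
    """Source addresses with at least `threshold` failed logons inside any sliding `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["src"]].append(e["ts"])
    flagged = set()
    for src, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.add(src)
                break
    return flagged


def logons_without_mfa(events) -> list:
    """Successful logons where the gateway recorded no second factor."""
    return [e for e in events if e["result"] == "OK" and e["mfa"] == "none"]


def audit(lines, threshold: int = 5, window=timedelta(minutes=5)) -> dict:
    """Combine both checks; a password-only success from a guessing source is the top-priority case."""
    events = [e for e in map(parse_line, lines) if e]
    guessing = brute_force_sources(events, threshold, window)
    no_mfa = logons_without_mfa(events)
    return {
        "brute_force_sources": sorted(guessing),
        "no_mfa_users": sorted({e["user"] for e in no_mfa}),
        "likely_compromised": sorted({e["user"] for e in no_mfa if e["src"] in guessing}),
    }


# Constructed sample log: a guessing burst against jdoe that succeeds without MFA,
# one ordinary mistyped password by asmith, a healthy push-MFA logon, and a stray line.
SAMPLE_LOG = """\
2025-02-20T08:01:02Z vpn-gw auth user=jdoe src=203.0.113.5 result=FAIL mfa=none
2025-02-20T08:01:09Z vpn-gw auth user=jdoe src=203.0.113.5 result=FAIL mfa=none
2025-02-20T08:01:15Z vpn-gw auth user=jdoe src=203.0.113.5 result=FAIL mfa=none
2025-02-20T08:01:22Z vpn-gw auth user=jdoe src=203.0.113.5 result=FAIL mfa=none
2025-02-20T08:01:30Z vpn-gw auth user=jdoe src=203.0.113.5 result=FAIL mfa=none
2025-02-20T08:01:41Z vpn-gw auth user=jdoe src=203.0.113.5 result=OK mfa=none
2025-02-20T08:05:10Z vpn-gw auth user=asmith src=198.51.100.7 result=FAIL mfa=none
2025-02-20T08:05:40Z vpn-gw auth user=asmith src=198.51.100.7 result=OK mfa=totp
2025-02-20T09:12:00Z vpn-gw auth user=bchen src=192.0.2.44 result=OK mfa=push
this line is not an auth record and is skipped
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The `no_mfa_users` list is useful on its own even when no guessing is seen: every name on it is an account for which the MFA mandate above is not actually enforced, and the gateway policy, not just the user, should be corrected.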

Conclusion

Akira ransomware represents a significant and evolving threat to organizations of all sizes and across various industries. Its RaaS model, double-extortion tactics, continuous development of new variants, and exploitation of known vulnerabilities make it a formidable adversary. The group's rapid expansion and aggressive operations, as evidenced by recent mass victim postings, underscore the urgency for organizations to strengthen their defenses. By understanding Akira's TTPs, implementing robust security measures, and maintaining a proactive security posture, organizations can significantly reduce their risk of falling victim to this dangerous ransomware. Staying informed about the latest developments and threat intelligence related to Akira is crucial for maintaining effective defenses in the ever-changing cyber threat landscape.


Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
