Sedara Security Bulletin: Akira Ransomware
Summary
The Akira Ransomware Group is a new cybercriminal organization mainly targeting small and medium-sized organizations in the United States. Akira uses ransomware and data exfiltration to extort victims for money. This tactic, known as “double extortion”, mirrors that of other ransomware groups: victims are pressured to pay both to have their data decrypted and to keep their exfiltrated data from being posted publicly online. The Akira group’s first known attacks began in March 2023, and since then, over 63 organizations have been compromised. The group is believed to be made up of members of the now-defunct Conti ransomware group, which was believed to be based out of Russia.
Akira’s Tactics
Akira uses a variety of Tactics, Techniques, and Procedures (TTPs) to attack victims, and they’ve been known to target both Windows and Linux machines. Although each attack can vary, the following is a list of some of the TTPs that Akira has been observed using and in the general order they’ve been performed:
- Gain access to VPN connections that weren’t secured via MFA
- Enumerate networks with Netscan
- Steal credentials with Mimikatz, DonPAPI, and LSASS process dumps
- Move laterally with Remote Desktop
- Create new accounts in Active Directory
- Exfiltrate data with WinRAR and WinSCP
- Delete Windows Volume Shadow Copies from PowerShell
- Encrypt data with a malicious payload
Files encrypted by Akira are often appended with the .akira extension. Akira also leaves users with a typical ransom note, directing them to Akira’s site on the dark web to negotiate payments.
Behavior & Indicators of Compromise (IoCs)
- Akira often hides their malicious tools inside legitimate ones, such as Google Chrome portable executables, WinSCP, and Python
- The naming convention of the encryptor on the Windows system follows the pattern: win_locker_1234-ab-cdef-ghij.exe
- The encryption routine drops a ransom note file called akira_readme.txt in system directories
- Akira runs a PowerShell command to delete Windows Volume Shadow Copies on devices
- Akira changes filenames to a “.akira” extension, for example “1.jpg” to “1.jpg.akira”
- For more technical details about indicators and the behavior of Akira ransomware, review the readings at the bottom of this bulletin
Defenses
Most cyberattacks, such as ransomware, can be prevented with the same best practice cybersecurity controls. Given Akira’s TTPs, ensure you have at least the following:
- In addition to technical controls on email, train users not to open untrusted links or attachments in emails. Akira has spread via phishing campaigns.
- Maintain malware protection on all endpoints.
- Enable MFA on all accounts and services, especially privileged accounts and remote access solutions.
- Separate the use of domain admin accounts from workstation admin accounts to prevent fallout from credential dumping.
- Segment the use of RDP to ensure only authorized users have the privilege and that RDP operates through a centralized jump server.
- Log, monitor, and alert on network activity to detect malicious activity, such as the deletion of Windows Volume Shadow Copies or the creation of new user accounts.
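To illustrate the logging and alerting control above, the following is an added Python example (not code from the bulletin or from Sedara) that flags the behaviors this bulletin names when run over a few constructed, simplified key=value log lines: Volume Shadow Copy deletion (Sysmon Event ID 1, process creation), new account creation (Windows Security Event ID 4720), and Akira file artifacts such as akira_readme.txt or the .akira extension (Sysmon Event ID 11, file creation). The flat log format, field names and sample values are assumptions for the demo, not a real EVTX export.

```python
import re

# Constructed sample log lines (simplified key=value form, not real event exports).
SAMPLE_LOGS = [
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"',
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"',
    'EventID=4720 TargetUserName=svc_backup SubjectUserName=admin',
    'EventID=1 Image=C:\\Windows\\explorer.exe CommandLine="explorer.exe"',
    'EventID=11 TargetFilename=C:\\Users\\alice\\Documents\\akira_readme.txt',
    'EventID=11 TargetFilename=C:\\Users\\alice\\Pictures\\1.jpg.akira',
]

# Command lines that delete Volume Shadow Copies (vssadmin, WMI via PowerShell, wmic).
SHADOW_COPY_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|win32_shadowcopy.*delete\(\)|wmic\s+shadowcopy\s+delete",
    re.I,
)
# File artifacts named in the bulletin: the ransom note and the .akira extension.
AKIRA_FILE = re.compile(r"akira_readme\.txt$|\.akira$", re.I)


def parse_fields(line):
    """Split a key=value log line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def classify(line):
    """Return the alert tags raised by a single log line (empty list if benign)."""
    fields = parse_fields(line)
    event_id = fields.get("EventID")
    alerts = []
    if event_id == "1" and SHADOW_COPY_DELETE.search(fields.get("CommandLine", "")):
        alerts.append("shadow_copy_deletion")
    if event_id == "4720":  # a user account was created
        alerts.append("new_user_account:" + fields.get("TargetUserName", "?"))
    if event_id == "11" and AKIRA_FILE.search(fields.get("TargetFilename", "")):
        alerts.append("akira_file_artifact")
    return alerts


def scan(lines):
    """Return (line_index, alert_tag) pairs for every alert found in the log lines."""
    return [(i, tag) for i, line in enumerate(lines) for tag in classify(line)]


if __name__ == "__main__":
    for index, tag in scan(SAMPLE_LOGS):
        print(f"line {index}: {tag}")
```

In a real deployment the same rules would be expressed in the SIEM or EDR query language against Sysmon and Security channel events rather than a flat text file.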
Remediation
In July, threat research company Avast released a tool that may recover files encrypted by Akira. This tool can be found at Avast’s website (avast.io).
Active Sedara SOC Customers
The Sedara Security Operation Center has taken measures to protect our customers by
- Adding hashes listed in the IoCs
- Blacklisting hashes in endpoint protection
- Raising awareness
Conclusion
There are many more best practice cybersecurity controls, and Sedara’s vCISOs can help you identify them and implement them. Also, Sedara’s Security Operations Center can assist your organization in detecting and responding to threats through 24x7x365 monitoring.
More Reading on This Topic
- Blog about Akira from Recon Infosec – https://blog.reconinfosec.com/emergence-of-akira-ransomware-group
- Blog about Akira from Sophos – https://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/
- Stop ransomware guide from CISA – https://www.cisa.gov/stopransomware/ransomware-guide