Qualys Inc.

10/02/2024 | News release | Distributed by Public on 10/02/2024 11:51

Threat Brief: Understanding Akira Ransomware

Overview

Akira is a prolific ransomware operation that has been active since March 2023 and has targeted multiple industries, primarily in North America, the UK, and Australia. It runs as Ransomware as a Service (RaaS) and exfiltrates data before encrypting it, enabling double extortion. According to the group's leak site, it has compromised over 196 organizations.

Akira's history traces back to the Conti group. Conti suffered a massive leak in March 2022 that exposed its source code, chat logs, playbooks, and storage servers, and the group ceased operations in May 2022. Many of its members and affiliates later resurfaced under distinct brands such as Black Basta, BlackByte, and Karakurt. Akira is another such offshoot: not only does its code overlap with Conti's, but its operators have commingled funds with Conti-affiliated wallet addresses. Together these point to a clear link between Conti and Akira.

Tactics, Techniques & Procedures

The TTPs used by RaaS affiliates tend to be similar across groups, and Akira is no different.

A typical campaign starts when Akira affiliates use compromised credentials or vulnerabilities to gain initial access to a victim's environment.

They then generally perform reconnaissance, gathering details from Active Directory and scanning the network to identify machines for lateral movement.

The actors have also been observed using several different tools and persistence techniques to expand and maintain their access.

Credentials are dumped via the following tools and methods.

Lateral movement is achieved over RDP using valid accounts, or through remote shares.

Akira affiliates have used several interesting methods to bypass defenses.

They then collect files, archive them, and exfiltrate them. The stolen data is published on Akira's Tor leak site if the victim does not pay.

System backups are also destroyed prior to data encryption.

Sample Analysis

MD5: e57340a208ac9d95a1f015a5d6d98b94

Qualys's Threat Research Unit (TRU) recently acquired a new Akira sample that has been active in the wild. The following highlights some notable aspects of this sample.

The ransomware writes a log of its execution to a file named in the format Log-date-month-year-hour-minute-second.txt, an artifact worth searching for during incident response.

Akira takes several command line arguments that define its behavior.

Akira deletes Volume Shadow Copies, the snapshots Windows uses for point-in-time recovery, with the following PowerShell command:

powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
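The shadow-copy deletion above is one of the most reliable behavioral signals in a ransomware intrusion, since almost every family runs some variant of it just before encryption (the "backups destroyed prior to encryption" step in the TTP section). The following Python is an added example for this brief, not Qualys code and not a Qualys QQL. It runs the sample's exact command through a small hunting routine over constructed process-creation events and generalizes to the vssadmin, wmic and CIM forms of the same action, as well as to the -EncodedCommand wrapper that hides the string from naive matching. The field names (Host, Image, CommandLine) are assumptions modeled on Sysmon Event ID 1 and Security event 4688; adapt them to your telemetry.

```python
"""Hunt process-creation telemetry for Volume Shadow Copy deletion (ATT&CK T1490).

Added example for this brief; not Qualys code and not a QQL.  The events below
are constructed to resemble Sysmon Event ID 1 / Security 4688 fields
(Host, Image, CommandLine); the field names are an assumption.
"""
import base64
import re

# One regex per destructive idiom.  Case-insensitive and whitespace-tolerant,
# because operators vary both.  The first entry is the exact command the Akira
# sample runs; the others generalise to other common shadow-copy deletions.
SHADOW_COPY_DELETION_PATTERNS = {
    "powershell_wmi_remove": re.compile(
        r"Get-WmiObject\s+Win32_Shadowcopy\s*\|\s*Remove-WmiObject", re.I),
    "powershell_cim_remove": re.compile(
        r"Get-CimInstance\s+Win32_ShadowCopy\s*\|\s*Remove-CimInstance", re.I),
    "vssadmin_delete": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_delete": re.compile(
        r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
}

# powershell -EncodedCommand (and its abbreviations) carries the real script as
# base64 of UTF-16LE, so matching only the raw command line would miss it.
ENCODED_ARG = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def expand_encoded_powershell(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload, if any, to the command line."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not a well-formed payload; keep the original text
    return f"{cmdline} {decoded}"


def classify_command_line(cmdline: str) -> list[str]:
    """Return the names of every deletion pattern matching the command line."""
    text = expand_encoded_powershell(cmdline)
    return [name for name, rx in SHADOW_COPY_DELETION_PATTERNS.items()
            if rx.search(text)]


def hunt(events: list[dict]) -> list[dict]:
    """Return one hit per event whose CommandLine deletes shadow copies."""
    hits = []
    for ev in events:
        matched = classify_command_line(ev.get("CommandLine", ""))
        if matched:
            hits.append({"host": ev["Host"], "image": ev["Image"], "matched": matched})
    return hits


# Constructed sample telemetry (not real victim data).
_ENCODED = base64.b64encode(
    "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject".encode("utf-16-le")).decode()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    # The literal command from the analysed sample.
    {"Host": "ws01", "Image": _PS,
     "CommandLine": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    # Same action hidden behind -enc.
    {"Host": "ws02", "Image": _PS,
     "CommandLine": f"powershell.exe -NoProfile -enc {_ENCODED}"},
    # Benign administration: enumerating, not deleting, shadow copies.
    {"Host": "ws03", "Image": _PS,
     "CommandLine": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Select-Object ID,InstallDate"'},
    {"Host": "srv01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Host": "srv02", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic.exe shadowcopy delete"},
    {"Host": "srv03", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['image']} -> {', '.join(hit['matched'])}")
```

Enumerating shadow copies (Get-WmiObject Win32_Shadowcopy on its own, vssadmin list shadows) is legitimate administration and is deliberately not flagged. In production, carry the parent process and user into each hit so an analyst can separate backup-software maintenance from an attacker's interactive session.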

Akira uses the Windows Restart Manager APIs (exposed by rstrtmgr.dll, typically the RmStartSession, RmRegisterResources, RmGetList and RmShutdown sequence) to discover and terminate the processes holding a targeted file open, so the file can be encrypted without the encryptor having to enumerate processes itself.

Like Conti, Akira uses the ChaCha algorithm to encrypt file contents. Another notable detail is that the ransom notes contain a unique code that the victim uses to log in to Akira's negotiation chat.

Detections & Threat Hunting

Qualys's EDR & EPP offering provides comprehensive coverage against advanced threats. Akira is detected and quarantined as soon as it is downloaded to the victim's machine.

Qualys also provides advanced ransomware protection that prevents encryption of personal or sensitive files by automatically creating backup files that are restored after the malware is blocked.

Qualys's EDR also has several behavioral detections to identify such threats. Existing customers can use the following Threat Hunting QQLs to search their environment for Akira TTPs.

Conclusion

RaaS has become a significant threat because it lets even low-skilled actors deploy highly sophisticated ransomware attacks, and Akira's victim count continues to grow steadily. Organizations should harden their perimeter, in particular by enforcing multi-factor authentication (MFA) to blunt the compromised-credential initial access described above, and rely on an EDR product to protect endpoints against such threats.

MITRE ATT&CK Techniques

Indicators of Compromise
