Akira ransomware is a cyber threat that has gained notoriety for its sophisticated tactics and unique operational approach, which uses advanced techniques for persistence and lateral movement within networks. The group also employs sophisticated defense evasion methods, including using legitimate software tools to avoid detection by security measures. Monitoring and understanding its tactics are crucial for cybersecurity efforts as it continues to evolve into one of the major threats to data security.
Proven Data’s team has been at the forefront of combating this evolving threat, providing critical insights and guidelines to help organizations safeguard their data.
In this comprehensive article, we will explore the Akira ransomware group techniques, including how the attack happens and what to do if Akira compromises your systems or machines.
Akira ransomware overview
Akira’s effectiveness stems from several key characteristics that make it particularly challenging to combat. It operates on a Ransomware-as-a-Service (RaaS) model, allowing various affiliates to deploy the ransomware without extensive technical knowledge. This model expands its reach and enables the group to maintain a steady income stream through diverse ransom demands, ranging from $200,000 to over $4 million.
Additionally, Akira employs double-extortion tactics, where attackers exfiltrate sensitive data before encryption. This strategy increases pressure on victims to pay quickly, as they risk public exposure of their stolen information if they refuse.
The aesthetic of its data leak site—designed with a retro 1980s theme—adds a psychological element to its operations, creating a stark contrast with the high-stakes nature of its activities and making it memorable in the crowded ransomware landscape.
These factors collectively contribute to Akira’s reputation as a highly sophisticated and formidable threat in cybercrime.
Even though it shares the same name as an older ransomware strain from 2017, Akira is a completely new cyber threat gang with its own style. The people behind Akira, allegedly connected to the Conti gang, give victims a choice—either pay to unlock files or pay to delete their stolen data.
Akira ransomware variants
Since its emergence in March 2023, Akira ransomware has demonstrated a rapid evolutionary trajectory, introducing sophisticated variants that pose escalating threats to organizations worldwide. Two notable variants have emerged: Megazord and Akira_v2.
Timeline of Akira's evolution
By January 2024, merely ten months after its initial appearance, Akira had already impacted over 250 organizations globally, amassing approximately $42 million in ransom payments. This rapid growth and financial success have likely fueled the continued development of new variants.
- March 2023: Original Akira ransomware emerges, written in C++ and targeting Windows systems.
- April 2023: Akira expands to target Linux systems, specifically VMware ESXi virtual machines.
- August 2023: The Megazord variant is first observed, marking a significant shift in Akira’s development.
- Late 2023: Akira_v2 is identified, showcasing advanced features and capabilities.
- July 2024: The Akira ransomware significantly increases in activity, particularly affecting industries such as construction, manufacturing, and healthcare. This ransomware variant, recognized for its double extortion tactics, poses significant risks to organizations handling sensitive information, as highlighted by Chris Morrissey from Proven Data, who noted the uptick in incidents.
Megazord variant
First observed in August 2023, the Megazord variant represents a significant evolution in Akira’s arsenal:
- Language: Written in Rust, a departure from earlier C++ versions.
- File Extension: Encrypts files with a .powerranges extension, differing from the traditional .akira extension.
- Functionality: Demonstrates enhanced capabilities, leveraging Rust’s performance and security features.
Akira_v2 Variant
The Akira_v2 variant, identified through recent investigations, showcases further advancements:
- Dual Deployment: Akira threat actors have been observed deploying both Megazord and Akira_v2 in the same attack, targeting different system architectures.
- ESXi Focus: Akira_v2 is specifically designed to target VMware ESXi virtual machines, expanding the ransomware’s reach to critical infrastructure.
- Build ID Requirement: Adds a layer of protection, hindering dynamic analysis.
- VM-specific Options: Includes “vmonly” for targeting only virtual machines and “stopvm” for halting running VMs.
- Improved Encryption: Offers more granular control over CPU core usage, increasing encryption speed and efficiency.
- Ransom Note: Encrypted directories may contain files with the extension “akiranew” or a ransom note named “akiranew.txt.”
How to identify Akira ransomware: Main IOCs
Indicators of compromise (IOCs) are pieces of forensic data that can help identify malicious activity or malware associated with a cyber attack. They include the encryption extension, file hashes, and IP addresses, among other details cyber criminals leave behind as they infect a machine or system.
If you can’t identify the ransomware strain through its IOCs, you can use Proven Data’s free ransomware ID tool to check whether Akira is the ransomware that encrypted your files.
Important: Some of these indicators require technical knowledge of the infected system, so you may need to contact your IT team or a digital forensics service provider.
Akira ransomware IOCs include:
File Extensions
- .akira
- .powerranges
- .akiranew
File hashes
SHA-256, Secure Hash Algorithm 256-bit, is a cryptographic hash function that belongs to the SHA-2 family of hash functions. It’s designed to take an input message and produce a fixed-size output hash value of 256 bits (or 64 hexadecimal characters).
A hash function takes an input (or “message”) and produces a fixed-size string of characters, typically written as a hexadecimal number. The output, known as the hash value or hash code, is effectively unique to the input data, which is why a hash can be used to identify a specific malware sample.
SHA-256 is widely used in various security applications and protocols, including digital signatures, certificate generation, and integrity verification.
Windows versions of SHA-256 hash files
Linux versions of SHA-256 hash files
Akira_v2 Ransomware
- 3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75
- 0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c
Megazord Ransomware
Persistence and discovery
- nltest /dclist:
- nltest /DOMAIN_TRUSTS
- net group "Domain admins" /dom
- net localgroup "Administrators" /dom
- tasklist
- rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump ((Get-Process lsass).Id) C:\windows\temp\lsass.dmp full
Credential access
- cmd.exe /Q /c esentutl.exe /y "C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<firefox_profile_id>.default-release\key4.db" /d "C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<firefox_profile_id>.default-release\key4.db.tmp"
- cmd.exe /Q /c esentutl.exe /y "C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d "C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp"
Impact
- powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
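As an added example (not Proven Data’s tooling or the ransomware’s own code), the following Python rules match the command-line indicators listed above against constructed sample process-creation events. In production the events would come from Sysmon event 1 or Windows security event 4688; the user name jdoe in the sample is invented.

```python
import re

# Constructed sample process-creation command lines: the Akira discovery,
# credential-access and impact commands listed above, mixed with benign activity.
SAMPLE_EVENTS = [
    "nltest /dclist:",
    "nltest /DOMAIN_TRUSTS",
    'net group "Domain admins" /dom',
    "tasklist",
    r"rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump ((Get-Process lsass).Id) C:\windows\temp\lsass.dmp full",
    r'cmd.exe /Q /c esentutl.exe /y "C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d "C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp"',
    'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"',
    r"notepad.exe C:\Users\jdoe\notes.txt",
]

# Detection rules: (name, tactic as labelled on this page, regex). A bare
# 'tasklist' is far too common to alert on, so it is deliberately not a rule.
RULES = [
    ("nltest domain/trust enumeration", "Discovery",
     re.compile(r"\bnltest\b.*(/dclist|/domain_trusts)", re.I)),
    ("privileged group enumeration", "Discovery",
     re.compile(r"\bnet\s+(local)?group\b.*(domain admins|administrators)", re.I)),
    ("comsvcs MiniDump of LSASS", "Credential Access",
     re.compile(r"comsvcs\.dll.*minidump.*lsass", re.I)),
    ("esentutl copy of browser credential store", "Credential Access",
     re.compile(r"\besentutl\b.*(key4\.db|login data)", re.I)),
    ("shadow copy deletion via WMI", "Impact",
     re.compile(r"win32_shadowcopy.*remove-wmiobject", re.I)),
]

def match_event(cmdline):
    """Return [(rule name, tactic)] for every rule that fires on one command line."""
    return [(name, tactic) for name, tactic, rx in RULES if rx.search(cmdline)]

def scan(events):
    """Run all rules over the events; returns {tactic: [(rule name, command line)]}."""
    hits = {}
    for cmd in events:
        for name, tactic in match_event(cmd):
            hits.setdefault(tactic, []).append((name, cmd))
    return hits

def severity(hits):
    """Escalate along the chain the page describes: discovery, then credential
    theft, then shadow-copy deletion immediately before encryption."""
    for tactic, level in (("Impact", "critical"), ("Credential Access", "high"), ("Discovery", "medium")):
        if tactic in hits:
            return level
    return "low"
```

Shadow-copy deletion alone should page the on-call responder, since on this page it is the last step before encryption.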
How Akira ransomware works - Tactics, Techniques, and Procedures (TTPs)
Akira ransomware, a formidable digital adversary, orchestrates a multifaceted intrusion marked by sophisticated tactics and strategic exploitation. This overview delves into the Tactics, Techniques, and Procedures (TTPs) of Akira ransomware, unraveling its modus operandi from initial access to the impactful encryption of targeted systems.
Initial Access
Akira ransomware initiates its intrusion through diverse methods, frequently exploiting compromised Virtual Private Network (VPN) credentials. Notably, it specifically targets vulnerable systems, with a keen focus on Cisco VPNs. Exploiting distinct vulnerabilities, such as the zero-day CVE-2023-20269 in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, the ransomware gains an initial foothold in the victim’s environment.
Additionally, it can leverage valid accounts to gain access to the network, significantly broadening its entry points. By exploiting these legitimate credentials, Akira can bypass traditional security measures, making it easier to infiltrate targeted systems. This tactic enhances its initial access and allows for deeper penetration within the network, facilitating further malicious activities such as lateral movement and data exfiltration.
Persistence
Upon infiltrating a system, Akira ensures its continued presence and control by establishing persistence. This involves the creation of a new domain account within the compromised system. By doing so, the ransomware guarantees ongoing access, allowing it to operate stealthily and execute its malicious activities without detection.
It may also create local accounts to reinforce control and ensure ongoing access. This tactic involves establishing new user accounts on the compromised machine that are not tied to any existing legitimate users. By doing so, the ransomware operators can maintain a foothold in the environment even if the original access point is discovered and closed.
These newly created accounts can be configured with administrative privileges, enabling the ransomware to execute commands and deploy additional malicious tools without raising alarms. This persistence strategy is crucial for the attackers, as it ensures they can return to the system at any time, facilitating further exploitation and data exfiltration.
Moreover, by having multiple local accounts, Akira can obfuscate its activities and make it more challenging for cybersecurity teams to trace its movements within the network. This method of account creation significantly enhances the ransomware’s ability to operate undetected and prolongs its presence in the compromised environment, ultimately increasing the potential damage it can inflict.
Defense Evasion
Akira employs advanced tools like PowerTool or a KillAV tool to thwart detection and impede security measures. It modifies system registries and utilizes legitimate software to avoid raising alarms. Leveraging the Zemana AntiMalware driver, it terminates processes related to antivirus software. This evasion tactic is crucial for the ransomware to operate undetected and maximize the impact of its malicious activities.
Discovery
Akira’s operators engage in thorough reconnaissance using a suite of tools. PCHunter and SharpHound are utilized to gather detailed system information. Additionally, AdFind, along with the Windows net commands, extracts valuable domain information. Advanced IP Scanner and MASSCAN are key in identifying other remote systems connected to the victim’s network.
Lateral Movement
To enhance its lateral movement within the victim’s network, Akira ransomware employs tools like Mimikatz, LaZagne, or specific command lines.
These tools are instrumental in extracting credentials and providing the ransomware with the necessary access to move laterally and escalate its impact within the compromised environment.
This strategic approach allows Akira to spread seamlessly within the victim’s infrastructure, broadening its reach and intensifying the scope of its ransomware activities.
Command and Control
Akira ensures control and facilitates the exfiltration of stolen information through the utilization of third-party tools and web services. Tools like RClone, AnyDesk, Radmin, Cloudflare Tunnel, MobaXterm, RustDesk, and Ngrok are employed to establish command and control, enabling the ransomware to operate effectively and exfiltrate sensitive data.
Exfiltration
The exfiltration of stolen information is orchestrated using RClone, a third-party tool and web service. Additionally, Akira may leverage FileZilla or WinSCP to transfer data via File Transfer Protocol (FTP). This systematic approach allows the ransomware to discreetly remove sensitive information from the compromised environment.
Encryption
Akira employs a sophisticated hybrid encryption algorithm, combining ChaCha20 and RSA, to encrypt targeted systems effectively. It adapts its encryption methods based on the file type and size, supporting full, partial, and spot encryption modes.
Impact
Upon successful encryption, Akira appends the “.akira” extension to encrypted files, impeding system recovery by deleting shadow copies. It strategically targets specific directories while avoiding the encryption of predefined file types and extensions.
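To scope an incident, a responder’s first question is which variant hit which shares. The added Python example below (not Proven Data’s tooling) walks a tree for the three encrypted-file extensions and the akiranew.txt ransom note named on this page, and infers the variant from the extension mapping the page gives; the directory layout is constructed for the demo.

```python
import os
import tempfile

# Encrypted-file extensions from this page and the variant each is associated with
# (.akira: original Akira, .powerranges: Megazord, .akiranew: Akira_v2).
EXTENSION_VARIANT = {".akira": "Akira", ".powerranges": "Megazord", ".akiranew": "Akira_v2"}
RANSOM_NOTE_NAMES = {"akiranew.txt"}  # the note file name given on this page

def triage(root):
    """Walk a tree; count encrypted files per extension, collect ransom-note paths,
    and infer which variants were deployed from the extensions seen."""
    counts = {ext: 0 for ext in EXTENSION_VARIANT}
    notes = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            lower = fn.lower()
            if lower in RANSOM_NOTE_NAMES:
                notes.append(os.path.join(dirpath, fn))
            ext = os.path.splitext(lower)[1]
            if ext in counts:
                counts[ext] += 1
    variants = sorted({EXTENSION_VARIANT[e] for e, n in counts.items() if n})
    return {"counts": counts, "notes": notes, "variants": variants}

def build_sample_tree(root):
    """Constructed sample: a Windows share hit by Megazord and an ESXi datastore hit
    by Akira_v2, mirroring the dual deployment described on this page."""
    layout = {
        "finance/q1.xlsx.powerranges": b"", "finance/q2.xlsx.powerranges": b"",
        "esxi/vm01.vmdk.akiranew": b"", "esxi/akiranew.txt": b"ransom note",
        "docs/readme.md": b"untouched",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    """Build the sample tree in a temporary directory and return the triage summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)
```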
Important: Do not pay the ransom. Paying the ransom does not guarantee that you will get your data back, and it may encourage the attackers to continue their criminal activities. Check our in-depth article on what happens if you pay the ransom.
How to handle an Akira ransomware attack
It is important to note that handling a ransomware attack can be complex and requires expertise. Therefore, it is recommended to seek professional help from a reputable data recovery service, such as Proven Data, to help you recover your data and remove the ransomware from your system.
You can also report the attack to law enforcement agencies, such as the FBI and cybersecurity organizations, to help prevent future attacks and catch the perpetrators.
We strongly recommend contacting cybersecurity services to handle ransomware attacks. Proven Data technicians not only retrieve ransomware-encrypted data but also create forensic reports and streamline incident response, minimizing your business downtime and financial loss.