Understanding Akira: A Persistent Ransomware Threat

In the ever-evolving landscape of cybersecurity, staying informed about emerging threats is crucial for organizations to protect their digital assets. One such threat that has garnered attention is the ransomware group known as Akira, named after its inaugural ransomware strain unleashed in March 2023. Believed to have originated as a splinter cell from the Conti group, Akira has since established itself as a formidable adversary, employing sophisticated tactics to infiltrate and extort organizations worldwide.

Evolution of Tactics

Akira’s first encryptor was written in C++. In August 2023 the group added a Rust-based variant, Megazord, and has since deployed both interchangeably rather than replacing one with the other. What truly sets Akira apart, however, is its double extortion scheme: sensitive data is exfiltrated before devices on the target network are encrypted, so even a victim that can restore from backups is still pressured by the threat of publication.

Observed MITRE ATT&CK techniques:

Technique ID    Technique name
T1595           Active Scanning
T1589           Gather Victim Identity Information
T1590           Gather Victim Network Information
T1591.004       Gather Victim Org Information: Identify Roles
T1003.001       OS Credential Dumping: LSASS Memory
T1048           Exfiltration Over Alternative Protocol
T1021.001       Remote Services: Remote Desktop Protocol
T1059.001       Command and Scripting Interpreter: PowerShell
T1106           Native API
T1190           Exploit Public-Facing Application
T1486           Data Encrypted for Impact
T1490           Inhibit System Recovery
T1566           Phishing
T1584           Compromise Infrastructure

Target Preferences and Tactics

Akira shows a clear preference for victims in the United States and US-aligned countries such as the UK, Australia, and Canada. Services & Goods, Manufacturing, Education, and Construction are among its most frequently hit sectors. For initial access the group relies on brute-force and dictionary attacks against Internet-exposed remote-access services, chiefly VPN appliances without multi-factor authentication, and on known vulnerabilities such as CVE-2023-20269 in the remote access VPN feature of Cisco ASA and FTD, where improper separation of Authentication, Authorization, and Accounting (AAA) between the VPN and other features let an unauthenticated attacker brute-force valid credentials.
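The dictionary attacks described above leave a trail of AAA rejections on the VPN concentrator. The following Python is an added example, not code from the original post or from any Akira-related report: it parses constructed syslog lines modelled on Cisco ASA message 113005 ("AAA user authentication Rejected"; the host name, server address, users and IPs are invented) and flags any source address that accumulates ten or more rejections inside a five-minute window, reporting how many distinct accounts it tried so a single-account dictionary attack can be told apart from a password spray.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical sample data modelled on Cisco ASA syslog message 113005
# ("AAA user authentication Rejected"). Host, server, users and IPs are made up.
def asa_rejection_line(ts, user, src, reason="Invalid password"):
    return (f"{ts:%b %d %Y %H:%M:%S} asa01 %ASA-6-113005: AAA user authentication Rejected"
            f" : reason = {reason} : server = 10.0.0.5 : user = {user} : user IP = {src}")

BASE = datetime(2023, 3, 12, 10, 0, 0)
ATTACKER = "203.0.113.7"
SAMPLE_LINES = [
    # twelve rejections in under three minutes, cycling through six accounts
    asa_rejection_line(BASE + timedelta(seconds=15 * i), f"user{i % 6}", ATTACKER)
    for i in range(12)
] + [
    # one legitimate user mistyping a password twice, then succeeding
    asa_rejection_line(BASE + timedelta(minutes=1), "jdoe", "198.51.100.20"),
    asa_rejection_line(BASE + timedelta(minutes=2), "jdoe", "198.51.100.20"),
    "Mar 12 2023 10:03:00 asa01 %ASA-6-113004: AAA user authentication Successful "
    ": server = 10.0.0.5 : User = jdoe",
]
SAMPLE_TEXT = "\n".join(SAMPLE_LINES)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: "
    r"AAA user authentication Rejected : reason = (?P<reason>[^:]+) : server = \S+ "
    r": user = (?P<user>\S+) : user IP = (?P<src>\S+)$"
)

def parse_rejections(text):
    """Return (timestamp, source_ip, user) for every 113005 line; other messages are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            events.append((ts, m["src"], m["user"]))
    return events

def detect_dictionary_attacks(events, window=timedelta(minutes=5), threshold=10):
    """Sliding-window count of rejections per source IP.

    A source that accumulates `threshold` or more rejections inside `window`
    is reported together with the number of distinct accounts it tried, which
    separates a dictionary attack on one account from a password spray.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, src, user in sorted(events):
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:      # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[src] = {
                "attempts": len(q),
                "distinct_users": len({u for _, u in q}),
                "first": q[0][0],
                "last": ts,
            }
    return alerts

if __name__ == "__main__":
    for src, info in detect_dictionary_attacks(parse_rejections(SAMPLE_TEXT)).items():
        print(f"{src}: {info['attempts']} rejections against {info['distinct_users']} accounts, "
              f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}")
```

On the constructed data only 203.0.113.7 is reported (12 rejections, 6 accounts); the legitimate user’s two failures stay under the threshold. The threshold and window are tuning knobs, not fixed indicators; the point is that these rejections are already logged by the appliance and need only be counted.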


Execution and Encryption

Once inside a network, Akira moves laterally over RDP and SMB and harvests credentials by dumping LSASS memory and running tools such as Mimikatz and LaZagne, with PCHunter64 used for low-level system and process inspection. The group has also exploited known vulnerabilities in Veeam backup servers to recover stored credentials, including domain administrator accounts. For exfiltration, Akira prefers RClone, WinSCP, and FileZilla. Once the data is out, the Akira or Megazord encryptor encrypts files selectively and deletes volume shadow copies through PowerShell WMI calls to hinder recovery.


Facing the Threat

Akira’s impact on organizations is substantial, with an average of 18.5 successful attacks per month and ransom demands that typically run from hundreds of thousands to several million dollars. To reduce the risk posed by Akira and similar groups, organizations should enforce multi-factor authentication on every Internet-facing remote-access service, patch known exploited vulnerabilities promptly (VPN appliances and backup servers first), keep offline and regularly tested backups so that shadow copy deletion does not decide the outcome, rehearse incident response procedures, and train employees in basic security hygiene.


In conclusion, while the threat posed by Akira is significant, proactive measures can help organizations bolster their defenses and minimize the risk of falling victim to ransomware attacks. By remaining vigilant and adopting a multi-layered approach to cybersecurity, organizations can mitigate the impact of ransomware threats and safeguard their valuable data and assets.
