Akira

The Akira ransomware group is known for the "retro aesthetic" of its leak site and for gaining initial access primarily through VPN services, in particular Cisco VPN appliances that lack multi-factor authentication, and through known Cisco vulnerabilities.

Is Your Organization Safe from Akira Ransomware Attacks?

The origin of Akira ransomware

The Akira ransomware group was first observed in March 2023 and has carried out ransomware attacks against organizations across many industries worldwide. Its ties to the former CONTI operation are speculative but plausible: after CONTI ceased operations, several of its affiliates moved to independent campaigns such as Royal and BlackBasta, and possibly Akira. Akira operates under a Ransomware-as-a-Service (RaaS) model, in which affiliates run intrusions with the group's ransomware in exchange for a share of the ransom payments.

Reports suggest that Akira affiliates also work with other ransomware operations such as Snatch and BlackByte; one piece of evidence was an open directory of tooling used by an Akira operator that had connections to the Snatch ransomware. The first version of the Akira ransomware was written in C++ and was partially based on the Conti V2 source code; it appended the '.akira' extension to encrypted files and dropped a ransom note named 'akira_readme.txt'. On June 29, 2023, Avast reportedly released a decryptor for this version, made possible by a flaw in its encryption mechanism.

Subsequently, on July 2, 2023, a new version appeared that fixed the flaw the decryptor relied on. This version is reported to be written in Rust, to be named 'megazord.exe', and to change the extension of encrypted files to '.powerranges'. Most of Akira's initial access comes from brute-force attempts against Cisco VPN devices that use only single-factor authentication, so a guessed or reused password is enough to get in. The group has also been observed exploiting known vulnerabilities, specifically CVE-2019-6693 and CVE-2022-40684 (both FortiOS flaws, the first a hard-coded cryptographic key and the second an authentication bypass), to gain initial access to target systems.

Akira's origin remains unclear, but its activities suggest a high level of technical expertise and organization.

Cartography: OCD

Targets

Akira ransomware's targets

Countries targeted by Akira

Akira has shown global reach, with confirmed attacks in North America, Europe, and Asia. The targeting pattern is opportunistic: the group goes after exposed and vulnerable systems regardless of geographic location.

Image source: Ransomware.live

Industries targeted by Akira

Akira ransomware has targeted a wide range of industries, including healthcare, financial services, education, and manufacturing. Their attacks have disrupted critical services and operations, causing significant financial and reputational damage to the affected organizations.

Screenshot source: Cyble

Akira's victims

At least 341 victims have been listed by Akira (ransomware.live count at the time of writing). Notable victims include major healthcare institutions, leading universities, and prominent financial firms. The attacks typically involve exfiltration of sensitive data, which is then used as additional leverage to pressure victims into paying the ransom.

Source: ransomware.live

Attack Method

Akira's Attack Method

Initial Access

Akira most often gains initial access through VPN appliances, typically Cisco VPN services protected only by single-factor authentication, using brute-forced or previously compromised credentials. It also exploits known vulnerabilities in public-facing applications and uses phishing, including spear-phishing aimed at specific individuals within the organization.
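The brute-force pattern described above leaves a clear trail in VPN appliance logs: a burst of authentication rejections for one user from one source, followed by a success. The following is an added example written for this page, not code from the page or from Vectra AI, that runs that check over constructed log lines modelled on Cisco ASA AAA syslog messages (113005 for a rejection, 113004 for a success). The hostname, addresses, user names, thresholds and the exact line layout in LINE_RE are assumptions; production exports differ by ASA version and AAA backend, so the regex is the part to adapt.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on Cisco ASA AAA syslog messages: 113005 is an
# authentication rejection (it carries the client's "user IP"), 113004 a success
# (it does not, so successes are correlated by user name). Hostname, addresses and
# user names are invented; the real field layout varies by ASA version and AAA
# backend, so LINE_RE is an assumption to adapt to your own exports.
SAMPLE_LOGS = """\
Mar 14 2024 02:10:01 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.7
Mar 14 2024 02:10:03 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.7
Mar 14 2024 02:10:05 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.7
Mar 14 2024 02:10:08 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.7
Mar 14 2024 02:10:11 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.7
Mar 14 2024 02:10:14 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 203.0.113.7
Mar 14 2024 02:10:20 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = mjones : user IP = 198.51.100.22
Mar 14 2024 02:10:25 fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = mjones
Mar 14 2024 02:10:40 fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = jsmith
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-11300[45]: "
    r"AAA user authentication (?P<outcome>Rejected|Successful) : (?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for an AAA authentication message, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for part in m.group("rest").split(" : "):      # "key = value" segments
        if " = " in part:
            key, value = part.split(" = ", 1)
            fields[key.strip()] = value.strip()
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "outcome": m.group("outcome"),
        "user": fields.get("user"),
        "src": fields.get("user IP"),
        "reason": fields.get("reason"),
    }


def detect_vpn_bruteforce(lines, window=timedelta(minutes=5), threshold=5):
    """Two alert types over a sliding time window:
    - brute_force: `threshold` or more rejections for one user from one source IP
    - success_after_failures: a successful login by a user with `threshold` or more
      recent rejections, i.e. the moment a guessed single-factor password pays off
    """
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    by_src_user = defaultdict(list)   # (src, user) -> rejection timestamps
    by_user = defaultdict(list)       # user -> rejection timestamps from any source
    alerted = set()
    alerts = []
    for e in events:
        if e["outcome"] == "Rejected":
            key = (e["src"], e["user"])
            for bucket in (by_src_user[key], by_user[e["user"]]):
                bucket.append(e["ts"])
                bucket[:] = [t for t in bucket if e["ts"] - t <= window]  # prune old
            if len(by_src_user[key]) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"type": "brute_force", "ts": e["ts"], "src": e["src"],
                               "user": e["user"], "count": len(by_src_user[key])})
        else:
            recent = [t for t in by_user[e["user"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"type": "success_after_failures", "ts": e["ts"],
                               "user": e["user"], "failures": len(recent)})
    return alerts


if __name__ == "__main__":
    for alert in detect_vpn_bruteforce(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the sample the first alert fires at the fifth rejection for jsmith from 203.0.113.7, and the second when jsmith then logs in successfully; mjones, with a single typo followed by a success, produces nothing. The success correlation is keyed on user rather than source on purpose, so a password spray spread over many source addresses still trips the second rule.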

Privilege Escalation

Once inside the network, Akira escalates privileges by exploiting known vulnerabilities and by abusing valid accounts and legitimate administrative tools rather than custom malware, which also lets its activity blend in with routine administration.

Defense Evasion

To avoid detection, Akira disables or tampers with security software, obfuscates its tooling and commands, and clears logs to cover its tracks.

Credential Access

Akira harvests credentials by dumping them from memory and the operating system with tools such as Mimikatz, and through keylogging, so that stolen passwords can be reused for lateral movement.

Discovery

The group maps the network to identify critical assets, domain trusts, privileged groups and the organization's structure, using PowerShell and custom scripts for this reconnaissance.

Lateral Movement

Akira moves laterally with the credentials it has harvested, abusing trust relationships and remote services such as RDP and SMB to reach additional systems.

Collection

Akira gathers sensitive information, intellectual property, and personal data, typically archiving it before exfiltration, so that it can be used for extortion.

Execution

The ransomware payload is then executed and encrypts files on the victim's systems. Akira uses a hybrid scheme, encrypting file contents with the ChaCha20 stream cipher and protecting the symmetric keys with RSA public-key encryption, so files cannot be recovered without the attackers' private key.

Exfiltration

Before encryption, Akira exfiltrates the collected data to external servers under its control over encrypted channels to avoid detection, which is what makes the attack a double extortion.

Impact

In the impact phase encryption completes and the ransom note is delivered, demanding payment in exchange for the decryption key and a promise to delete the exfiltrated data. Akira also inhibits system recovery (for example, by removing volume shadow copies) so that restoring from local backups is not an option.
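The Defense Evasion and Impact phases above both leave host-level evidence: commands that stop security tooling or clear logs, commands that destroy shadow copies, and the "log cleared" events Windows raises itself. The following is an added example written for this page, not code from the page or from Vectra AI, that applies rules for those behaviours to constructed process-creation and audit events. The event field names (modelled on Sysmon Event ID 1 and Security Event ID 1102), the regex patterns, host, user and command lines are all assumptions; the one edge case it handles is obfuscation via powershell -EncodedCommand, which it decodes before matching.

```python
import base64
import re

# Command-line patterns per ATT&CK technique. Both the patterns and the event shape
# below are this example's own choices, modelled on Sysmon Event ID 1 (process
# creation) and Security Event ID 1102 (audit log cleared) fields.
COMMANDLINE_RULES = [
    ("T1490", "Inhibit System Recovery", re.compile(
        r"vssadmin(?:\.exe)?\s+(?:delete\s+shadows|resize\s+shadowstorage)"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*remove-wmiobject"
        r"|bcdedit(?:\.exe)?.*recoveryenabled\s+no"
        r"|wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    ("T1562.001", "Disable or Modify Tools", re.compile(
        r"set-mppreference\s+-disablerealtimemonitoring\s+\$?true"
        r"|(?:sc(?:\.exe)?\s+(?:stop|config)|net(?:\.exe)?\s+stop)\s+(?:windefend|sense)\b"
        r"|netsh(?:\.exe)?\s+advfirewall\s+set\s+allprofiles\s+state\s+off", re.I)),
    ("T1070.001", "Clear Windows Event Logs", re.compile(
        r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+|clear-eventlog\s+", re.I)),
]
# Log-cleared events raised by Windows itself, whatever tool did the clearing.
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}
# powershell -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENC_RE = re.compile(r"[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_ps(script):
    """Encode a script the way powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Return findings for events matching a rule; encoded PowerShell is decoded first."""
    findings = []
    for ev in events:
        channel, event_id = ev.get("Channel", ""), ev.get("EventID")
        base = {"computer": ev.get("Computer"), "user": ev.get("User")}
        if (channel, event_id) in LOG_CLEARED_EVENTS:
            findings.append({**base, "technique": "T1070.001", "decoded": False,
                             "evidence": f"{channel} event {event_id}: log cleared"})
            continue
        cmdline = " ".join(ev.get("CommandLine", "").split())   # normalise whitespace
        decoded = decode_encoded_command(cmdline) if cmdline else None
        for tech_id, _name, pattern in COMMANDLINE_RULES:
            if pattern.search(cmdline):
                findings.append({**base, "technique": tech_id, "decoded": False, "evidence": cmdline})
            elif decoded and pattern.search(decoded):
                findings.append({**base, "technique": tech_id, "decoded": True, "evidence": decoded})
    return findings


# Constructed events: four malicious (one base64-encoded to mimic obfuscation), two benign.
_host = {"Computer": "WS-042", "User": "CORP\\jsmith",
         "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1}
SAMPLE_EVENTS = [
    {**_host, "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {**_host, "CommandLine": "powershell.exe -nop -w hidden -enc "
                             + encode_ps("Get-WmiObject Win32_Shadowcopy | Remove-WmiObject")},
    {**_host, "CommandLine": 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"Computer": "WS-042", "User": "CORP\\jsmith", "Channel": "Security", "EventID": 1102},
    {**_host, "CommandLine": "wevtutil.exe cl Security"},
    {**_host, "CommandLine": "svchost.exe -k netsvcs -p"},     # benign
    {**_host, "CommandLine": "vssadmin.exe list shadows"},     # benign: listing, not deleting
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["technique"], f["computer"], f["user"], "(decoded)" if f["decoded"] else "", f["evidence"][:70])
```

The second sample event is the interesting one: the raw command line contains nothing a string match would catch, and only the decoded UTF-16LE payload reveals the shadow-copy deletion. Pairing the command-line rules with the 1102/104 events matters because an attacker who clears logs with an API call rather than wevtutil leaves only the latter.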

MITRE ATT&CK Mapping

TTPs used by Akira

TA0001: Initial Access
    T1566 Phishing
    T1190 Exploit Public-Facing Application
    T1133 External Remote Services
    T1078 Valid Accounts
TA0002: Execution
    T1059 Command and Scripting Interpreter (PowerShell)
TA0003: Persistence
    T1136 Create Account
    T1078 Valid Accounts
TA0004: Privilege Escalation
    T1078 Valid Accounts
TA0005: Defense Evasion
    T1562 Impair Defenses
    T1078 Valid Accounts
TA0006: Credential Access
    T1003 OS Credential Dumping
TA0007: Discovery
    T1482 Domain Trust Discovery
    T1082 System Information Discovery
    T1069 Permission Groups Discovery
    T1057 Process Discovery
    T1016 System Network Configuration Discovery
    T1018 Remote System Discovery
TA0008: Lateral Movement
    T1021 Remote Services (RDP, SMB)
TA0009: Collection
    T1560 Archive Collected Data
TA0011: Command and Control
    T1219 Remote Access Software
    T1090 Proxy
TA0010: Exfiltration
    T1567 Exfiltration Over Web Service
    T1537 Transfer Data to Cloud Account
    T1048 Exfiltration Over Alternative Protocol
TA0040: Impact
    T1490 Inhibit System Recovery
    T1657 Financial Theft
    T1486 Data Encrypted for Impact
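A mapping like the one above is most useful when it can be loaded into ATT&CK Navigator and compared against your own detection coverage. The following is an added example written for this page, not code from the page or from Vectra AI, that takes the mapping as this page lists it (with the Execution and Lateral Movement tactics filled from the techniques the Attack Method section names: PowerShell, RDP and SMB), validates the IDs, reports which techniques recur across tactics, and emits a Navigator layer. The layer version numbers and the colour are assumptions to adjust for your Navigator instance.

```python
import json
import re
from collections import Counter

# The page's mapping: one "TAxxxx Name" key per tactic with "Txxxx Name" entries.
# Execution and Lateral Movement are filled from the techniques the Attack Method
# section names (PowerShell; RDP and SMB); those two entries are this example's addition.
PAGE_MAPPING = {
    "TA0001 Initial Access": ["T1566 Phishing", "T1190 Exploit Public-Facing Application",
                              "T1133 External Remote Services", "T1078 Valid Accounts"],
    "TA0002 Execution": ["T1059 Command and Scripting Interpreter"],
    "TA0003 Persistence": ["T1136 Create Account", "T1078 Valid Accounts"],
    "TA0004 Privilege Escalation": ["T1078 Valid Accounts"],
    "TA0005 Defense Evasion": ["T1562 Impair Defenses", "T1078 Valid Accounts"],
    "TA0006 Credential Access": ["T1003 OS Credential Dumping"],
    "TA0007 Discovery": ["T1482 Domain Trust Discovery", "T1082 System Information Discovery",
                         "T1069 Permission Groups Discovery", "T1057 Process Discovery",
                         "T1016 System Network Configuration Discovery", "T1018 Remote System Discovery"],
    "TA0008 Lateral Movement": ["T1021 Remote Services"],
    "TA0009 Collection": ["T1560 Archive Collected Data"],
    "TA0011 Command and Control": ["T1219 Remote Access Software", "T1090 Proxy"],
    "TA0010 Exfiltration": ["T1567 Exfiltration Over Web Service", "T1537 Transfer Data to Cloud Account",
                            "T1048 Exfiltration Over Alternative Protocol"],
    "TA0040 Impact": ["T1490 Inhibit System Recovery", "T1657 Financial Theft", "T1486 Data Encrypted for Impact"],
}

TACTIC_RE = re.compile(r"^(TA\d{4})\s+(.+)$")
TECH_RE = re.compile(r"^(T\d{4}(?:\.\d{3})?)\s+(.+)$")


def build_index(page_mapping):
    """Validate IDs and return {tactic_id: {"name", "slug", "techniques": [(id, name)]}}.
    The slug is the Navigator tactic key: lower-case with spaces turned into hyphens."""
    index = {}
    for tactic_line, techniques in page_mapping.items():
        t = TACTIC_RE.match(tactic_line)
        if not t:
            raise ValueError(f"bad tactic line: {tactic_line!r}")
        parsed = []
        for entry in techniques:
            m = TECH_RE.match(entry)
            if not m:
                raise ValueError(f"bad technique entry: {entry!r}")
            parsed.append((m.group(1), m.group(2)))
        index[t.group(1)] = {"name": t.group(2),
                             "slug": t.group(2).lower().replace(" ", "-"),
                             "techniques": parsed}
    return index


def technique_reuse(index):
    """Counter of how many tactics each technique ID is listed under."""
    return Counter(tid for info in index.values() for tid, _ in info["techniques"])


def tactics_for(index, technique_id):
    """Tactic names under which a technique appears, in matrix order."""
    return [info["name"] for info in index.values()
            if any(tid == technique_id for tid, _ in info["techniques"])]


def to_navigator_layer(index, name="Akira (page mapping)"):
    """ATT&CK Navigator layer dict (layer format 4.5 assumed; adjust 'versions' as needed)."""
    techniques = [
        {"techniqueID": tid, "tactic": info["slug"], "score": 1, "color": "#fd8d3c",
         "comment": f"{tname} ({tactic_id})", "enabled": True}
        for tactic_id, info in index.items() for tid, tname in info["techniques"]
    ]
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
            "description": "Techniques attributed to Akira on this page; score 1 = listed.",
            "techniques": techniques}


if __name__ == "__main__":
    idx = build_index(PAGE_MAPPING)
    for tid, n in technique_reuse(idx).most_common(3):
        print(tid, "listed under", n, "tactics:", ", ".join(tactics_for(idx, tid)))
    print(json.dumps(to_navigator_layer(idx), indent=2))
```

Redirect the JSON to a file and open it with Navigator's "Open Existing Layer". The reuse count is the practical takeaway: T1078 Valid Accounts appears under four tactics, which is the single strongest argument for multi-factor authentication on every remote entry point, since one credential control covers a quarter of the listed tactic rows.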
Platform Detections

How to Detect Akira with Vectra AI

List of the Detections available in the Vectra AI Platform that would indicate a ransomware attack.

FAQs

What is Akira ransomware?

Akira is a ransomware family, first seen in March 2023 and operated as a Ransomware-as-a-Service, that encrypts victims' files and steals their data in order to extort ransom payments.

How does Akira gain access to networks?

Akira gains initial access mainly through VPN appliances that lack multi-factor authentication, using brute-forced or compromised credentials, as well as by exploiting known vulnerabilities in public-facing systems and through phishing.

What industries does Akira target?

Akira targets a wide range of industries, including healthcare, financial services, education, and manufacturing.

What techniques does Akira use to evade detection?

Akira uses techniques such as disabling security software, obfuscation, and log deletion to evade detection.

How does Akira escalate privileges within a network?

Akira exploits known vulnerabilities and uses legitimate administrative tools to gain higher-level access.

What kind of data does Akira exfiltrate?

Akira exfiltrates sensitive information, intellectual property, and personal data before encrypting files.

How does Akira encrypt files?

Akira uses a hybrid scheme: file contents are encrypted with the ChaCha20 stream cipher and the symmetric keys are protected with RSA public-key encryption, so files cannot be recovered without the attackers' private key. The first (C++) variant contained an encryption flaw that made a public decryptor possible; the later Rust variant fixed it.

What is the impact of an Akira ransomware attack?

The impact includes data encryption, service disruption, and financial loss due to ransom payments and recovery efforts.

Can Akira ransomware be detected and stopped?

Detection and prevention require robust security measures, including extended detection and response (XDR) solutions, regular software updates, and employee training.

What should organizations do if they are infected by Akira ransomware?

Organizations should disconnect affected systems, report the incident to authorities, and seek professional cybersecurity assistance to mitigate the damage and recover data.