Ransomware remains one of the most damaging threats to businesses and critical infrastructure worldwide. Among the newer operations, Akira ransomware has gained notoriety quickly: since its first appearance in March 2023 it had impacted over 250 organizations and collected approximately $42 million in ransom proceeds by January 1, 2024. The group targets a wide range of sectors across North America, Europe, and Australia. It initially focused on Windows systems and later added a Linux variant that targets VMware ESXi hosts and the virtual machines running on them. Understanding Akira's tactics, techniques, and procedures (TTPs) is the first step toward defending against it. This guide draws on the joint advisory from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL), and summarizes the observed TTPs, tooling, indicators of compromise, and mitigations. Network defenders should treat this as a proactive checklist: scanning for known indicators (for example with a Cryptolocker scan tool) and implementing the security measures outlined in the advisory are both necessary; neither alone is sufficient.
Technical Deep Dive into Akira Ransomware
Akira ransomware was initially written in C++ and appends the .akira extension to encrypted files. In August 2023 the actors introduced Megazord, a Rust-based encryptor that appends the .powerranges extension. Akira threat actors deploy Megazord and Akira interchangeably, including a variant known as Akira_v2, which illustrates how actively the tooling is maintained.
Initial Access Vectors
Akira threat actors primarily gain initial access through virtual private network (VPN) services that lack multifactor authentication (MFA), mostly on Cisco appliances. Two known Cisco ASA/FTD vulnerabilities are favored: CVE-2020-3259 (an information disclosure flaw in the web services interface that can expose memory contents, including session data) and CVE-2023-20269 (unauthorized remote-access VPN access via brute-force attempts against accounts without MFA). Both have patches available; the common factor in successful intrusions is an unpatched appliance whose VPN accepts passwords alone.
Beyond VPN vulnerabilities, other initial access methods employed by Akira threat actors include:
- External-facing services: Remote Desktop Protocol (RDP) is frequently targeted when it is exposed directly to the internet.
- Spear phishing: malicious emails carrying attachments or links are used to trick users into running the first-stage payload.
- Abuse of valid credentials: compromised or stolen credentials give the actors a direct, low-noise entry point into the network.
Persistence and Discovery within the Network
Once inside a network, Akira threat actors focus on establishing persistence and gathering critical information. Key activities include:
- Domain account creation: new domain accounts, often with administrative privileges (e.g., itadm), are created on domain controllers to ensure continued access if the original foothold is lost.
- Credential extraction: Kerberoasting is used to obtain crackable service-account credentials (service tickets for accounts with SPNs, requested with weak RC4 encryption and cracked offline), and credential-dumping tools such as Mimikatz and LaZagne are used to harvest secrets from Local Security Authority Subsystem Service (LSASS) memory and local password stores for privilege escalation.
- Network reconnaissance: SoftPerfect Network Scanner and Advanced IP Scanner are used for host and service discovery, while built-in net commands (for example net group and net user with the /domain switch) identify domain controllers and map domain trust relationships.
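The two persistence and credential-access behaviours above leave distinct traces in the Windows Security log: account creation (Event ID 4720) followed by addition to a privileged group (4728, 4732 or 4756), and Kerberoasting, which shows up as one account requesting many RC4-encrypted service tickets (Event ID 4769, ticket encryption type 0x17 or 0x18) in a short window. The following Python is an added example written for this guide, not code from the advisory or from any tool it names. It runs over constructed event records whose fields are simplified from the real events (real 4728 events carry the member as a SID or distinguished name, and the thresholds and privileged-group list are assumptions to tune for your domain).

```python
"""Flag Akira-style persistence and Kerberoasting from Windows Security events.

Input records are simplified, constructed imitations of Event IDs 4720 (user
account created), 4728/4732/4756 (member added to a privileged group) and
4769 (Kerberos service ticket requested). They are not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed list of groups worth alerting on; extend for your environment.
PRIV_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
GROUP_ADD_IDS = {4728, 4732, 4756}          # global, local, universal group adds
RC4_ETYPES = {"0x17", "0x18"}               # RC4-HMAC / RC4-HMAC-EXP: Kerberoast-friendly

SAMPLE_EVENTS = [  # constructed sample data
    {"ts": "2024-03-01T02:10:00", "id": 4720, "subject": "CORP\\svc_backup", "target": "itadm"},
    {"ts": "2024-03-01T02:11:30", "id": 4728, "subject": "CORP\\svc_backup",
     "member": "itadm", "group": "Domain Admins"},
    {"ts": "2024-03-01T02:20:00", "id": 4720, "subject": "CORP\\hr_admin", "target": "jsmith"},
    # six RC4 service-ticket requests for six different SPNs from one account in 50 s
    *[{"ts": f"2024-03-01T03:00:{i * 10:02d}", "id": 4769, "account": "CORP\\svc_backup",
       "service": f"svc{i}", "etype": "0x17"} for i in range(6)],
    # a normal AES256 service-ticket request, should not be flagged
    {"ts": "2024-03-01T03:05:00", "id": 4769, "account": "CORP\\jsmith",
     "service": "cifs/fs01", "etype": "0x12"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def new_admin_accounts(events, window=timedelta(hours=1)):
    """Accounts created (4720) and added to a privileged group within `window`.

    Returns (member, group, actor) tuples so the analyst sees who did it.
    """
    created = {e["target"]: parse_ts(e["ts"]) for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] in GROUP_ADD_IDS and e["group"] in PRIV_GROUPS and e["member"] in created:
            delta = parse_ts(e["ts"]) - created[e["member"]]
            if timedelta(0) <= delta <= window:
                hits.append((e["member"], e["group"], e["subject"]))
    return hits


def kerberoast_suspects(events, min_services=5, window=timedelta(minutes=10)):
    """Accounts requesting RC4 tickets for >= min_services distinct SPNs within `window`.

    Returns {account: distinct_service_count}. Thresholds are assumptions; a
    monitoring or backup account may legitimately touch many SPNs, so tune them.
    """
    by_account = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["etype"] in RC4_ETYPES:
            by_account[e["account"]].append((parse_ts(e["ts"]), e["service"]))
    suspects = {}
    for account, requests in by_account.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):      # sliding window from each request
            services = {svc for ts, svc in requests[i:] if ts - start <= window}
            if len(services) >= min_services:
                suspects[account] = len(services)
                break
    return suspects


if __name__ == "__main__":
    print("new privileged accounts:", new_admin_accounts(SAMPLE_EVENTS))
    print("kerberoasting suspects:", kerberoast_suspects(SAMPLE_EVENTS))
```

On a real estate the same logic is fed from a SIEM query or from Get-WinEvent output rather than a Python list; the point is the correlation, not the parsing. A single RC4 ticket request is noise on any domain that still has legacy services, which is why the rule counts distinct SPNs per account over a window rather than alerting on encryption type alone.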
Defense Evasion Tactics
Akira threat actors are adept at evading detection and security measures. A significant tactic involves deploying different ransomware variants tailored to specific system architectures within the same attack. For instance, the simultaneous deployment of Windows-specific “Megazord” and the Linux-based “Akira_v2” encryptor has been observed.
Disabling security software is also common. The actors use PowerTool to load and abuse the Zemana AntiMalware driver, a bring-your-own-vulnerable-driver technique that gives them kernel-level access to terminate antivirus and EDR processes before the encryptor is run.
Data Exfiltration and Impact – The Double Extortion Model
Akira ransomware employs a double-extortion model. Before encryption, sensitive data is exfiltrated using tools like FileZilla, WinRAR, WinSCP, and RClone. Command and control channels are established through legitimate tools such as AnyDesk, MobaXterm, RustDesk, Ngrok, and Cloudflare Tunnel, facilitating data transfer via FTP, SFTP, and cloud storage services like Mega.
The impact of Akira ransomware is severe, culminating in system encryption and data theft. After exfiltration, systems are encrypted and a ransom note (fn.txt) containing a unique code and a .onion URL for communication is left for each victim. Notably, the ransom demand and payment instructions are only revealed after the victim initiates contact. Ransom payments are demanded in Bitcoin. To amplify pressure, the threat actors threaten to publish stolen data on the Tor network and, in some cases, contact victim companies directly.
Encryption Mechanisms
Akira ransomware uses a hybrid encryption scheme that combines the ChaCha20 stream cipher with RSA public-key cryptography: file contents are encrypted with a fast symmetric ChaCha20 key, and that key is protected with the attackers' RSA public key so that only the holder of the matching private key can recover it. Encryption is tailored by file type and size, with large files encrypted only partially to speed up the run while still rendering them unusable. Encrypted files are marked with either a .akira or .powerranges extension.

To hinder recovery, the Akira encryptor (w.exe) uses PowerShell commands to delete volume shadow copies (VSS) on Windows systems, so restoring from shadow copies is not an option once the encryptor has run. The enhanced Akira_v2 encryptor, written in Rust, offers finer control over the encryption process, including the ability to target virtual machines specifically and to stop running VMs before encrypting their disk files.
Tools Leveraged by Akira Ransomware Actors
Akira threat actors utilize a range of publicly available tools, often legitimate software repurposed for malicious activities.
Table 1: Tools Leveraged by Akira Ransomware Actors
Name | Description |
---|---|
AdFind | Used to query and retrieve information from Active Directory. |
Advanced IP Scanner | Network scanner to locate computers and scan ports, access shared folders, and provide remote control via RDP and Radmin. |
AnyDesk | Remote access software used for remote access and persistence, also supports file transfer. |
LaZagne | Password recovery tool for Windows, Linux, and OSX systems. |
PCHunter64 | Tool for acquiring detailed process and system information. |
PowerShell | Task automation solution used for various malicious activities. |
Mimikatz | Tool to view and save authentication credentials like Kerberos tickets. |
Ngrok | Reverse proxy tool to create secure tunnels to servers behind firewalls. |
RClone | Command-line program to sync files with cloud storage services for exfiltration. |
SoftPerfect | Network scanner to ping computers, scan ports, discover shared folders, and retrieve network device information. |
WinRAR | File archiver used to compress and split data for exfiltration. |
WinSCP | SSH File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client used for data transfer. |
Indicators of Compromise (IOCs)
Identifying Indicators of Compromise (IOCs) is crucial for detecting and responding to Akira ransomware infections. The tables below list malicious files, commands, and ransomware samples associated with Akira. Note that several entries (AnyDesk, WinSCP, Rclone, WinRAR) are legitimate, widely used programs; the hashes identify the specific builds the actors dropped, and a name match alone is not evidence of compromise. Conversely, a file named Sysmon.exe or sshd.exe that matches the hashes here is not the tool its name suggests.
Table 2a: Malicious Files Affiliated with Akira Ransomware
File Name | Hash (SHA-256) | Description |
---|---|---|
w.exe | d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca | Akira ransomware |
Win.exe | dcfa2800754e5722acf94987bb03e814edcb9acebda37df6da1987bf48e5b05e | Akira ransomware encryptor |
AnyDesk.exe | bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138 | Remote desktop application |
Gcapi.dll | 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf | DLL for AnyDesk execution |
Sysmon.exe | 1b60097bf1ccb15a952e5bcc3522cf5c162da68c381a76abc2d5985659e4d386 | Ngrok tool for persistence |
Config.yml | Varies by use | Ngrok configuration file |
Rclone.exe | aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9 | Exfiltration tool |
Winscp.rnd | 7d6959bb7a9482e1caa83b16ee01103d982d47c70c72fdd03708e2b7f4c552c4 | Network file transfer program |
WinSCP-6.1.2-Setup.exe | 36cc31f0ab65b745f25c7e785df9e72d1c8919d35a1d7bd4ce8050c8c068b13c | Network file transfer program |
Akira_v2 | 3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75 0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c | Akira_v2 ransomware |
Megazord | ffd9f58e5fe8502249c67cad0123ceeeaa6e9f69b4ec9f9e21511809849eb8fc dfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198 131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07 9f393516edf6b8e011df6ee991758480c5b99a0efbfd68347786061f0e04426c 9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065 2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83 7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be 95477703e789e6182096a09bc98853e0a70b680a4f19fa2bf86cbb9280e8ec5a 0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d c9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0 | Akira “Megazord” ransomware |
VeeamHax.exe | aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d | Plaintext credential leaking tool |
Veeam-Get-Creds.ps1 | 18051333e658c4816ff3576a2e9d97fe2a1196ac0ea5ed9ba386c46defafdb88 | PowerShell for Veeam credentials |
PowershellKerberos TicketDumper | 5e1e3bf6999126ae4aa52146280fdb913912632e8bac4f54e98c58821a307d32 | Kerberos ticket dumping tool |
sshd.exe | 8317ff6416af8ab6eb35df3529689671a700fdb61a5e6436f4d6ea8ee002d694 | OpenSSH Backdoor |
ipscan-3.9.1-setup.exe | 892405573aa34dfc49b37e4c35b655543e88ec1c5e8ffb27ab8d1bbf90fc6ae0 | Network scanner |
Table 2b: Malicious Files Affiliated with Akira Ransomware
File Name | Hash (MD5) | Description |
---|---|---|
winrar-x64-623.exe | 7a647af3c112ad805296a22b2a276e7c | Network file transfer program |
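Hash IOCs are only useful if they are actually swept across hosts, and the sweep must compute both digests because Table 2a is keyed by SHA-256 while Table 2b is keyed by MD5. The following Python is an added example for this guide, not a tool from the advisory. It carries a subset of the hashes quoted from the tables above and walks a directory tree looking for matches; the demo function proves the logic on a constructed file whose own hash is registered as a pretend IOC, since no real sample is (or should be) present on a reader's machine.

```python
"""Sweep a directory tree for files whose SHA-256 or MD5 matches Akira IOCs."""
import hashlib
import os
import tempfile

# Subset of the SHA-256 values quoted from Table 2a above.
SHA256_IOCS = {
    "d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca": "w.exe (Akira ransomware)",
    "dcfa2800754e5722acf94987bb03e814edcb9acebda37df6da1987bf48e5b05e": "Win.exe (Akira encryptor)",
    "1b60097bf1ccb15a952e5bcc3522cf5c162da68c381a76abc2d5985659e4d386": "Sysmon.exe (renamed Ngrok)",
    "8317ff6416af8ab6eb35df3529689671a700fdb61a5e6436f4d6ea8ee002d694": "sshd.exe (OpenSSH backdoor)",
    "aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9": "Rclone.exe (exfiltration)",
}
# MD5 value quoted from Table 2b above.
MD5_IOCS = {
    "7a647af3c112ad805296a22b2a276e7c": "winrar-x64-623.exe (archiver used for exfiltration)",
}


def hash_file(path, chunk_size=1 << 20):
    """Return (sha256_hex, md5_hex) for a file, reading it once in chunks."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha.update(chunk)
            md5.update(chunk)
    return sha.hexdigest(), md5.hexdigest()


def sweep(root, sha256_iocs=SHA256_IOCS, md5_iocs=MD5_IOCS):
    """Walk `root` and return (path, algorithm, label) for every IOC match.

    Unreadable files (locked, permission denied) are skipped rather than
    aborting the sweep, because a live ransomware host has plenty of them.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha, md5 = hash_file(path)
            except OSError:
                continue
            if sha in sha256_iocs:
                hits.append((path, "sha256", sha256_iocs[sha]))
            elif md5 in md5_iocs:
                hits.append((path, "md5", md5_iocs[md5]))
    return hits


def demo():
    """Self-check on constructed files. Returns (baseline_hits, hits_with_test_ioc)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "Sysmon.exe")   # name mimics the renamed-Ngrok IOC only
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample file, not malware\n")
        with open(os.path.join(tmp, "readme.txt"), "w") as fh:
            fh.write("benign neighbour\n")
        baseline = sweep(tmp)                       # real IOCs: nothing here should match
        sha, _ = hash_file(sample)
        test_iocs = dict(SHA256_IOCS, **{sha: "constructed test sample"})
        return baseline, sweep(tmp, sha256_iocs=test_iocs)


if __name__ == "__main__":
    baseline, hits = demo()
    print("baseline:", baseline)
    print("with test IOC:", hits)
```

Run sweep() against user-writable locations first (C:\Users\Public, %TEMP%, ProgramData), which is where the dropped binaries in Table 2a typically land, before spending the I/O on a full disk walk. A hash sweep catches only the exact builds listed; the actors can recompile or repack, so pair it with the behavioural detections and with signer checks on anything named like a system component.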
Table 3: Windows Akira Ransomware Samples
| Hash (SHA-256)