Dark Web Profile: Akira Ransomware

[Update] October 1, 2024: “What Are the Latest Akira News?”

Since its discovery in early 2023, Akira ransomware has evolved from a seemingly ordinary addition to the ransomware landscape to a significant threat affecting a wide range of businesses and critical infrastructure entities. This evolution, coupled with its unique aesthetic on its leak site and communications, has drawn attention to its operations.

As recently published CISA advisory claims, with over 250 organizations impacted and approximately $42 million (USD) in ransomware proceeds claimed as of January 1, 2024.

Who is Akira Ransomware

The ransom group employs a double extortion strategy, first exfiltrating data and then encrypting devices within the targeted network. Payment is then demanded not only for decrypting files but also for preventing the exposure of leaked data.

The ransomware’s name is believed to have its roots in a 1988 anime movie with a cyberpunk theme. In this film, Akira’s destruction of Neo-Tokyo is portrayed as a preventive measure against a malevolent force taking hold within the city.

This narrative parallels a common argument among ransomware operators who “claim” to perceive the world’s economic system as the source of evil. They often view themselves as modern-day Robin Hoods or Akiras, fighting against what they see as systemic injustices.

As suggested by CISA, Akira ransomware has impacted numerous businesses and critical infrastructure entities across North America, Europe, and Australia since March 2023. Initially focusing on Windows systems, the threat expanded in April 2023 to target VMware ESXi virtual machines with a Linux variant. As of January 1, 2024, the group has affected over 250 organizations and amassed approximately $42 million (USD) in ransomware proceeds.

Early versions of Akira ransomware, coded in C++, used a .akira extension for encrypted files. Starting in August 2023, some Akira attacks introduced Megazord, a Rust-based encryption tool using a .powerranges extension. The threat actors behind Akira have alternated between Megazord and Akira_v2 (identified by independent investigations) in their attacks.

Victimology

The Akira ransomware group frequently demands hefty ransoms, primarily targeting large enterprises across North America, Europe, and Australia. Typically, the malware spreads through targeted threat campaigns using phishing emails or exploiting software vulnerabilities, focusing on industries such as education, finance, manufacturing, and healthcare.

 The significant number of victims in the United States dominates the chart, extremely overshadowing other countries.

This targeted country list shows that the countries closely aligned with the United States, such as the European countries, account for most victims outside the US.

In order to display the victims on the ransomware group’s homepage, which resembles a command line interface, guests must input the “-leaks” command. This command lists the victims in chronological order, starting from the first victim to the most recent.

The victims’ details are accompanied by a torrent magnet link to access the alleged files, along with information regarding the victim, the amount of leaked data, and the portion of data that has been made public.

Again, the contact part is done from this interface. When the -contacts command is entered on the command line, the name and then the message are asked.

Modus Operandi

As specified in the CISA’s advisory:

Initial Access:

Akira threat actors primarily gain initial access to organizations through a Virtual Private Network (VPN) service lacking Multi-Factor Authentication (MFA), often exploiting known vulnerabilities in Cisco systems such as CVE-2020-3259 and CVE-2023-20269. Additional methods include Remote Desktop Protocol (RDP), spear phishing, and credential abuse.

Persistence and Discovery:

After gaining initial access, Akira actors establish persistence by creating new domain accounts and utilizing domain controllers. They leverage post-exploitation techniques like Kerberoasting to extract credentials and use credential scraping tools for privilege escalation. Network scanning tools aid in reconnaissance and identifying domain controllers.

Defense Evasion:

Akira actors may deploy multiple ransomware variants within the same attack, disable security software, and terminate antivirus-related processes to avoid detection.

Exfiltration and Impact:

Tools like FileZilla and WinSCP are used for data exfiltration, while AnyDesk and Ngrok establish command and control channels. Akira utilizes a double-extortion model, encrypts systems, and demands payment in Bitcoin. They threaten to publish data on the Tor network to pressure victims.

Encryption:

Akira employs a hybrid encryption scheme combining ChaCha20 and RSA algorithms, targeting specific file types and sizes. They delete volume shadow copies (VSS) and leave ransom notes to communicate with victims.

Leveraged Tools:

Akira actors use various tools such as AdFind, Advanced IP Scanner, AnyDesk, Mimikatz, RClone, WinRAR, WinSCP, and PowerShell for reconnaissance, remote access, credential theft, exfiltration, and system manipulation.

This Modus Operandi highlights Akira’s sophisticated techniques from initial access to impact, showcasing their evasion tactics, encryption methods, and utilization of diverse tools for malicious activities. For the full details please visit CISA.

MITRE ATT&CK TTP Table

For the existing IoCs you may also visit SOCRadar Platform.

How Can SOCRadar Help?

SOCRadar’s robust defense strategy is specifically designed to combat the ransomware threat. Our proactive approach to threat monitoring and intelligence solutions is customized to bolster your organization’s security posture effectively. Through our platform, you can actively monitor and analyze threat actors like Akira, gaining in-depth insights into their strategies, targeted vulnerabilities, associations, and signs of compromise. This proactive methodology empowers you to anticipate and mitigate potential threats efficiently, protecting your critical assets.

In addition, our Attack Surface Management module, featuring the Ransomware Check function, provides continuous monitoring of all potential attack pathways. This ensures that you receive real-time notifications about any suspicious activities linked to ransomware. By staying ahead of these threats, you can promptly respond and strengthen your cybersecurity defenses, reducing the risk posed by Akira ransomware and other emerging threats.

What Are the Latest Akira News?

Akira ransomware has returned to encrypting victims’ files after a phase of focusing solely on extortion without encryption. Cisco Talos researchers, James Nutland and Michael Szeliga, observed this strategic shift, drawing comparisons to the methods used by Karakurt and Cl0p. This move aims to enhance operational efficiency within Akira’s ransomware-as-a-service (RaaS) model.

The group has also resumed using its C++ encryptor for Windows systems, abandoning its brief experimentation with Rust-based encryptors for Linux. Researchers identified the new C++ variant as similar to Akira’s original payload from late 2023, signaling a refinement of its tools rather than a full overhaul.

Akira affiliates have been exploiting vulnerabilities like CVE-2024-40766 to target both Windows and Linux systems. Their ability to adapt, testing different programming frameworks, and targeting high-impact vulnerabilities has secured Akira’s position as a leading ransomware group, especially following law enforcement actions against competitors like LockBit and ALPHV. Microsoft reported that Akira accounted for 17% of ransomware attacks in the past year, reflecting its significant role in the ransomware landscape.

For further information about this latest research refer to Talos’ report.