On April 18, 2024, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Akira ransomware [1]. Akira ransomware is a relatively new ransomware group and yet they have several variants that are capable of encrypting Windows, Linux and VMware ESXi virtual machines. Akira also operates as a Ransomware-as-a-Service group and has impacted hundreds of organizations collecting over 42 million USD in ransom payments within a single year.
In this blog post, we explain the Tactics, Techniques, and Procedures (TTPs) used by Akira ransomware and how organizations can defend themselves against Akira ransomware attacks.
Akira Ransomware
Akira ransomware started its operations in March 2023 and has been actively targeting various businesses and critical infrastructure organizations in the United States, Canada, Australia, France, Germany, Italy, Spain, and other European countries. So far, they have compromised more than 250 organizations and continue to threaten many others with their Ransomware-as-a-Service operations. Akira has different ransomware variants named Akira, Megazord, and Akira_v2, and these variants are capable of encrypting Windows, Linux, and VMware ESXi systems.
Akira threat actors exploit known Cisco vulnerabilities like CVE-2020-3259 and CVE-2023-20269 to gain initial access to target networks. They also use phishing campaigns and compromised credentials against external-facing services such as Remote Desktop Protocol (RDP) for initial access. After establishing an initial foothold, adversaries create administrative accounts for persistent access and leverage credential dumping tools and techniques for privilege escalation and lateral movement. As a final impact, Akira threat actors exfiltrate sensitive data, delete volume shadow copies, and encrypt the files and directories in the infected systems.
In this blog, we explain the TTPs used by the Akira ransomware group. If you are interested in how Akira ransomware exploits the Cisco ASA zero-day vulnerability, please visit our previous blog post on "CVE-2023-20269: Akira Ransomware Exploits Cisco ASA Vulnerability".
Akira Ransomware Analysis and MITRE ATT&CK TTPs
Initial Access
T1078 Valid Accounts & T1133 External Remote Services
Akira threat actors obtain credentials for valid accounts through brute force attacks or from Initial Access Brokers (IABs). After acquiring these credentials, adversaries use Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services to gain initial and persistent access to the target network.
T1190 Exploit Public Facing Applications
Adversaries exploit known Cisco vulnerabilities to gain access to target organizations. Although CVE-2023-20269 (CVSS Score: 9.1 Critical) and CVE-2020-3259 (CVSS Score: 7.5 High) are known vulnerabilities, Akira threat actors were able to gain initial access through unpatched Cisco ASA appliances.
T1566 Phishing
Akira operators use phishing emails with malicious links and attachments to gain initial access to target systems. Adversaries craft benign-looking emails to trick unsuspecting users into infecting their systems.
Execution
T1047 Windows Management Instrumentation
Akira ransomware deletes volume shadow copies via Windows Management Instrumentation (WMI). This malicious action prevents victims from recovering their encrypted files using shadow copies.
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
T1059.001 Command and Scripting Interpreter: PowerShell
Adversaries use the open-source Veeam-Get-Creds PowerShell script to obtain and decrypt accounts stored on Veeam servers. Akira operators also use the Kerberos TicketDumper PowerShell script to dump Kerberos tickets from the LSA cache.
T1059.003 Command and Scripting Interpreter: Windows Command Shell
Akira threat actors use the following shell commands for discovery after initial access.
// T1018 Remote System Discovery
nltest /dclist:<domain_name>

// T1057 Process Discovery
tasklist

// T1069 Permission Groups Discovery
net group "Domain admins" /domain
net localgroup "Administrators" /domain

// T1482 Domain Trust Discovery
nltest /domain_trusts
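Taken one at a time, most of the commands above are routine administration; the detection signal is several distinct discovery techniques run by one account on one host within a few minutes. The following Python detector is an added example (not code from the Picus post or the CISA advisory) that correlates process-creation events this way. The event format, the five-minute window and the threshold of three distinct techniques are assumptions, and the log lines are constructed.

```python
"""Correlate Active Directory discovery commands per host and user.

Added example, not part of the original post. Event format
'timestamp|host|user|command_line', the correlation window and the alert
threshold are assumptions; SAMPLE_EVENTS is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands listed in the post, mapped to their ATT&CK technique IDs.
DISCOVERY_PATTERNS = [
    ("T1018", re.compile(r"nltest(\.exe)?\s+/dclist", re.I)),
    ("T1057", re.compile(r"^tasklist(\.exe)?\b", re.I)),
    ("T1069", re.compile(r"net(\.exe)?\s+(group|localgroup)\s+", re.I)),
    ("T1482", re.compile(r"nltest(\.exe)?\s+/domain_trusts", re.I)),
]

WINDOW = timedelta(minutes=5)  # assumed correlation window
MIN_DISTINCT = 3               # assumed: alert on 3+ distinct techniques


def parse_event(line):
    """Parse one 'timestamp|host|user|command_line' record into a dict."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "cmd": cmd.strip()}


def classify(cmd):
    """Return the ATT&CK technique ID a command line maps to, or None."""
    for technique, pattern in DISCOVERY_PATTERNS:
        if pattern.search(cmd):
            return technique
    return None


def find_discovery_bursts(lines, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return one alert per (host, user) whose discovery commands cover at
    least min_distinct techniques inside a sliding time window."""
    per_actor = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        technique = classify(ev["cmd"])
        if technique:
            per_actor[(ev["host"], ev["user"])].append((ev["ts"], technique, ev["cmd"]))

    alerts = []
    for (host, user), events in per_actor.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            techniques = sorted({e[1] for e in in_window})
            if len(techniques) >= min_distinct:
                alerts.append({"host": host, "user": user,
                               "first_seen": start.isoformat(),
                               "techniques": techniques,
                               "commands": [e[2] for e in in_window]})
                break  # one alert per actor is enough for triage
    return alerts


# Constructed sample: a burst on WS-042 plus isolated, benign-looking commands.
SAMPLE_EVENTS = [
    "2024-04-18T10:00:05|WS-042|corp\\jdoe|nltest /dclist:corp.local",
    "2024-04-18T10:00:41|WS-042|corp\\jdoe|tasklist",
    "2024-04-18T10:01:12|WS-042|corp\\jdoe|net group \"Domain admins\" /domain",
    "2024-04-18T10:01:30|WS-042|corp\\jdoe|net localgroup \"Administrators\" /domain",
    "2024-04-18T10:02:03|WS-042|corp\\jdoe|nltest /domain_trusts",
    "2024-04-18T09:15:00|SRV-DC1|corp\\svc_monitor|tasklist",
    "2024-04-18T11:40:00|WS-017|corp\\asmith|net localgroup \"Administrators\" /domain",
    "2024-04-18T15:10:00|WS-017|corp\\asmith|tasklist",
]

if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_EVENTS):
        print(f"{alert['host']} {alert['user']} at {alert['first_seen']}: "
              f"{', '.join(alert['techniques'])}")
```

On the sample data only WS-042 fires (four techniques in under two minutes); the lone tasklist on the domain controller and the two commands hours apart on WS-017 stay below the threshold. Tune the window and threshold to your own baseline of administrative activity before deploying.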
Persistence
T1136.002 Create Account: Domain Account
Adversaries create new domain accounts to establish persistent access to compromised systems. In some cases, Akira operators were observed creating an administrative account named itadm.
Defense Evasion
T1562.001 Impair Defenses: Disable or Modify Tools
Akira threat actors abuse the Zemana AntiMalware driver via PowerTool to disable antivirus software. This technique is also called Bring Your Own Vulnerable Driver (BYOVD).
Credential Access
T1003 OS Credential Dumping
Akira operators use popular credential dumping tools like Mimikatz and LaZagne to extract credentials stored in the LSASS memory. Adversaries use the following command to dump LSASS memory.
rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump ((Get-Process lsass).Id) C:\Windows\temp\lsass.dmp full
T1555.003 Credentials from Password Stores: Credentials from Web Browsers
Adversaries use the following commands to dump credentials stored in browsers on the compromised systems. This is a Living-off-the-Land technique: the built-in "esentutl.exe" utility is abused to copy locked files such as credential stores.

// Dumping credentials from Google Chrome
esentutl.exe /y "[Path_to_Chrome_Cred_Stores]\Login Data" /d "[Path_to_Chrome_Cred_Stores]\Login Data.tmp"

// Dumping credentials from Mozilla Firefox
esentutl.exe /y "[Path_to_Firefox_Cred_Stores]\key4.db" /d "[Path_to_Firefox_Cred_Stores]\key4.db.tmp"
Collection
T1560 Archive Collected Data
Prior to exfiltration for double extortion, Akira threat actors split the victims' sensitive data into segments and compress them using WinRAR.
Command and Control (C2)
T1090 Proxy
Adversaries use ngrok to create a secure tunnel to servers used for data exfiltration.
T1219 Remote Access Software
Akira operators use remote access software and tunneling tools such as AnyDesk, Cloudflare Tunnel, MobaXterm, Ngrok, and RustDesk to access compromised systems remotely.
Exfiltration
T1048 Exfiltration Over Alternative Protocol & T1537 Transfer Data to Cloud Account
Akira threat actors use legitimate tools like FileZilla, WinSCP, and rclone to exfiltrate data through various protocols such as FTP, SFTP, and cloud services.
Impact
T1486 Data Encrypted for Impact
Akira operators use various ransomware payloads to encrypt files on the compromised system. These payloads use hybrid encryption that combines the ChaCha20 stream cipher with the RSA public-key cryptosystem. Depending on the encryptor, the .akira, .powerranges, or .akiranew extension is appended to encrypted files.
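Because the appended extension is the cheapest indicator of which files an encryptor reached, a scoping pass over a mounted disk image or restored share is usually the first step of triage. The following Python helper is an added example (not code from the Picus post or the CISA advisory) that walks a directory tree, counts files per Akira extension and per directory, and reports the earliest and latest modification times among the hits as a rough encryption timeline. The sample tree it builds in a temporary directory is constructed for illustration.

```python
"""Scope an Akira encryption event by file extension.

Added example, not part of the original post. The extension set comes from
the post; the sample directory layout is constructed.
"""
import os
import tempfile
from collections import Counter, defaultdict

# Extensions the post attributes to the Akira, Megazord and Akira_v2 encryptors.
AKIRA_EXTENSIONS = {".akira", ".powerranges", ".akiranew"}


def scan_tree(root, extensions=AKIRA_EXTENSIONS):
    """Walk root and summarise files whose last extension is in `extensions`.

    Returns counts per extension and per directory (relative to root), the
    earliest and latest mtime among the hits, and the total hit count. Run it
    against a mounted image or an offline copy, not a live infected host.
    """
    per_ext = Counter()
    per_dir = defaultdict(int)
    first = last = None
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext not in extensions:
                continue
            per_ext[ext] += 1
            per_dir[os.path.relpath(dirpath, root)] += 1
            mtime = os.path.getmtime(os.path.join(dirpath, name))
            first = mtime if first is None else min(first, mtime)
            last = mtime if last is None else max(last, mtime)
    return {
        "per_extension": dict(per_ext),
        "per_directory": dict(per_dir),
        "first_mtime": first,
        "last_mtime": last,
        "total": sum(per_ext.values()),
    }


def build_sample_tree():
    """Constructed sample: a temp dir mixing renamed 'encrypted' files with
    untouched ones, so scan_tree can be exercised offline."""
    root = tempfile.mkdtemp(prefix="akira_triage_")
    layout = {
        "finance/q1.xlsx.akira": b"\x00" * 16,
        "finance/q2.xlsx.akira": b"\x00" * 16,
        "hr/contracts.docx.powerranges": b"\x00" * 16,
        "hr/readme.txt": b"not encrypted",
        "it/backup.vmdk.akiranew": b"\x00" * 16,
        "it/notes.md": b"not encrypted",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print(f"{report['total']} encrypted files")
    for directory, count in sorted(report["per_directory"].items()):
        print(f"  {directory}: {count}")
```

The per-directory counts tell you which shares or VM datastores to prioritise for restoration, and the mtime span gives a bound on when the encryptor ran, which can then be cross-checked against the shadow-copy deletion and credential-dumping events described elsewhere in this post.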
T1490 Inhibit System Recovery
Adversaries use the following commands to delete volume shadow copies and prevent their victims from recovering their encrypted files.
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
How Does Picus Help Simulate Akira Ransomware Attacks?
We strongly suggest simulating Akira ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as Phobos, ALPHV, and Play, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Akira ransomware:
| Threat ID | Threat Name | Attack Module |
| --- | --- | --- |
| 84668 | Akira Ransomware Download Threat | Network Infiltration |
| 55812 | Akira Ransomware Email Threat | Email Infiltration (Phishing) |
| 37780 | Megazord Ransomware Download Threat | Network Infiltration |
| 92400 | Megazord Ransomware Email Threat | Email Infiltration (Phishing) |
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures to address Akira ransomware and other ransomware attacks in preventive security controls. Picus Labs has currently validated the following signatures for Akira ransomware:

| Security Control | Signature ID | Signature Name |
| --- | --- | --- |
| Check Point NGFW | 0D0FC5542 | Ransomware.Win32.Akira.TC.a77avEjG |
| Check Point NGFW | 0CEDE557A | Ransomware.Win32.Akira.TC.eec5NsKn |
| Check Point NGFW | 0CFD4BD86 | Ransomware.Win32.Akira.TC.a5f8yZDg |
| Check Point NGFW | 0E0BEF9A4 | Ransomware.Win32.Akira.TC.0e05wZMS |
| Check Point NGFW | 0A2E01186 | Ransomware.Win32.Akira.TC.ea38rili |
| Check Point NGFW | 0C5DE6DD1 | Ransomware.Win32.Akira.TC.4b33iwYh |
| Cisco FirePower | | W32.Auto:3c92bf.in03.Talos |
| Cisco FirePower | | W32.Auto:7b295a.in03.Talos |
| Cisco FirePower | | W32.Auto:1b6af2.in03.Talos |
| Cisco FirePower | | W32.Auto:678ec8.in03.Talos |
| Forcepoint NGFW | | File_Malware-Blocked |
| Fortigate AV | 10143171 | Linux/Filecoder_Akira.A!tr |
| Fortigate AV | 10133803 | W64/Generik.NFLQ!tr.ransom |
| Trellix | 0x4840c900 | MALWARE: Malicious File Detected by GTI |
| Palo Alto | 588177441 | Ransom/Win32.akira.b |
| Palo Alto | 595008162 | ransomware/Linux.akira.d |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.
References
[1] “#StopRansomware: Akira Ransomware,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a. [Accessed: Apr. 20, 2024]