Ransomware Spotlight: Akira





By Trend Micro Research

This report spotlights Akira, a novel ransomware family with highly experienced and skilled operators at its helm.


Akira is swiftly becoming one of the fastest-growing ransomware families thanks to its use of double extortion tactics, a ransomware-as-a-service (RaaS) distribution model, and unique payment options.

Based on a report that analyzed blockchain and source code data, the Akira ransomware group appears to be affiliated with the now-defunct Conti ransomware gang. Conti, one of the most notorious ransomware families in recent history, is believed to be the descendant of yet another prolific ransomware family, the highly targeted Ryuk ransomware.

As ransomware actors evolve their tactics, create more sophisticated ransomware families, and cause financial and reputational harm to businesses, organizations need to work on improving their cybersecurity posture to effectively thwart complex threats. This report spotlights Akira, a novel ransomware family with highly experienced and skilled operators at its helm.

What organizations need to know about Akira

Akira ransomware emerged in March 2023 and has been known to target companies based in the US and Canada.

Its Tor leak site has a unique retro look that, according to a report from Sophos, is reminiscent of “1980s green-screen consoles” that can be navigated by typing specific commands.

Based on its code, it is completely different from the Akira ransomware family that was active in 2017, even though both append the same .akira extension to encrypted files.

As previously mentioned, Akira operators are associated with Conti ransomware actors, which explains code similarities in both ransomware families. In July, the Arctic Wolf Labs Team reported that Akira shared code similarities with the Conti ransomware. However, they also noted that when Conti’s source code was leaked, different malicious actors used it to create or tweak their own ransomware code, which makes it even more challenging to trace back ransomware families to Conti operators.

Based on our own analysis, Akira appears to be based on the Conti ransomware: It shares similar routines with Conti, such as string obfuscation and file encryption, and avoids the same file extensions that Conti avoids. We believe that Akira operators’ main motivation for targeting organizations is financial in nature.

The Akira RaaS group performs double extortion tactics and steals victims’ critical data prior to encrypting devices and files. Interestingly, according to reports, Akira operators provide victims the option to pay for either file decryption or data deletion; they don’t force victims into paying for both. According to reports, ransom demands for Akira typically range from US$200,000 to over US$4 million.

On Sept. 12, 2023, the U.S. Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HC3) released a security bulletin alerting the healthcare industry of Akira attacks.

Recent activities

In June 2023, just three months after Akira was discovered, Akira expanded its list of targeted systems to include Linux machines. Malware analyst rivitna shared on X that Akira ransomware actors used a Linux encryptor and targeted VMware ESXi virtual machines.

Meanwhile, in August, incident responder Aura reported that Akira was targeting Cisco VPN accounts that didn’t have multifactor authentication (MFA).

Cisco released a security advisory on Sept. 6, 2023, stating that Akira ransomware operators exploited CVE-2023-20269, a zero-day vulnerability in the remote access VPN feature of two of its products: the Cisco Adaptive Security Appliance (ASA) software and Cisco Firepower Threat Defense (FTD) software.

Cisco reported that malicious actors who exploit CVE-2023-20269 can identify valid credentials that could be abused to establish unauthorized remote access VPN sessions, and for victims running Cisco ASA Software Release 9.16 or earlier, establish a clientless SSL VPN session.

Recently, SentinelOne released a video analyzing an Akira ransomware variant named Megazord that emerged in August 2023. This variant appears to be referencing a Power Rangers formation because it encrypts files with the “POWERRANGES” file extension. The ransom note, which is named “powerranges.txt,” instructs victims to contact the ransomware actor via TOX messenger.

Top affected industries and countries

Because Akira is new and highly targeted, the number of attacks is not as substantial as other more established and widely used ransomware families. Our Trend Micro™ Smart Protection Network™ telemetry points to France as having been most hit by Akira from May 1, 2023, to Aug. 31, 2023, with 53.1% of all detections. The United States and Turkey take the second and third spots, respectively, with 107 and 22 detections.

Figure 1. Countries with the highest number of attack attempts per machine for the Akira ransomware (May 1, 2023, to Aug. 31, 2023)
Source: Trend Micro Smart Protection Network infrastructure


Based on our data, most of Akira’s victims belong to unspecified industries. Based on reports, approximately 80% of Akira’s victims are small to medium-sized businesses (SMBs). The materials, manufacturing, and financial sectors made the top five list in the three-month span.

Figure 2. Industries with the highest number of attack attempts per machine for the Akira ransomware (May 1, 2023, to Aug. 31, 2023)
Source: Trend Micro Smart Protection Network infrastructure


Akira’s monthly detections showed a surge in June 2023 with 508 attack attempts, which is significantly higher than the other months in our analysis period. Our lowest detections were for May 2023, with only three attack attempts for the entire month.

Figure 3. Monthly breakdown of detections per machine for the Akira ransomware (May 1, 2023, to Aug. 31, 2023)
Source: Trend Micro Smart Protection Network infrastructure

Targeted regions and industries according to Akira's ransomware leak site

We now focus on Akira ransomware operators’ leak site data, which provides details on organizations that have been targeted by Akira actors.

This data, which is a consolidation of Trend Micro’s open-source intelligence (OSINT) research and investigation of the leak site, shows that Akira ransomware actors compromised 107 organizations between April 1 and August 31, 2023. Most of Akira’s victims, specifically 85.9% of them, were businesses based in North America.

Figure 4. The distribution by region of Akira ransomware’s victim organizations
Sources: Akira ransomware’s leak site and Trend Micro’s OSINT research (April 2023 – August 2023)

Figure 5. The 10 countries most targeted by the Akira ransomware group
Sources: Akira ransomware’s leak site and Trend Micro’s OSINT research (April 2023 – August 2023)


We’ve found that most of Akira’s victims were small-sized businesses, with 1 to 200 employees, at 59 victims. Meanwhile, midsized businesses and large enterprises took the second and third slots, respectively. Interestingly, based on leak site data, the most targeted sectors are the academe and professional services, followed closely by construction and materials.

Figure 6. The distribution by organization size of Akira ransomware’s victim organizations
Sources: Akira ransomware’s leak site and Trend Micro’s OSINT research (April 2023 – August 2023)

Figure 7. The 10 industries most targeted by Akira ransomware threat actors
Sources: Akira ransomware’s leak site and Trend Micro’s OSINT research (April 2023 – August 2023)

Infection chain and techniques

The Akira ransomware typically gains access to victim environments by using valid credentials that were possibly obtained from their affiliates or other attacks. It has been observed using third-party tools such as PCHunter, AdFind, PowerTool, Terminator, Advanced IP Scanner, Windows Remote Desktop Protocol (RDP), AnyDesk, Radmin, WinRAR, and Cloudflare’s tunneling tool. Figure 8 shows Akira’s infection chain.

Figure 8. The typical Akira ransomware infection chain

Figure 9. The Akira ransomware infection chain based on an infection case we’ve analyzed


Initial Access

Akira ransomware actors are known to use compromised VPN credentials to gain initial access. They’ve also been observed targeting vulnerable Cisco VPNs by exploiting CVE-2023-20269, a zero-day vulnerability that affects Cisco ASA and FTD.


Persistence

Akira operators have been observed creating a new domain account on the compromised system to establish persistence.


Defense evasion

For defense evasion, Akira ransomware actors have been observed using PowerTool or a KillAV tool that abuses the Zemana AntiMalware driver to terminate AV-related processes.


Discovery

The actors behind the Akira ransomware have been observed using the following to gain knowledge on the victim's system and its connected network:

  • PCHunter and SharpHound to gather system information
  • AdFind alongside the net Windows command and nltest to obtain domain information
  • Advanced IP Scanner and MASSCAN to discover other remote systems

Credential Access

Akira ransomware operators use Mimikatz, LaZagne, or a specific command line to gather credentials.


Lateral Movement

Akira actors use Windows RDP to move laterally within the victim's network.


Command and control

Akira ransomware operators may use any of the following tools to gain remote access on targeted systems:

  • AnyDesk
  • Radmin
  • Cloudflare Tunnel
  • MobaXterm
  • RustDesk
  • Ngrok

Exfiltration

Akira ransomware operators have been observed using the third-party tool and web service RClone to exfiltrate stolen information. Moreover, they have also been observed using either FileZilla or WinSCP to exfiltrate stolen information via File Transfer Protocol (FTP).


Impact

Akira ransomware encrypts targeted systems using a hybrid encryption algorithm that combines ChaCha20 and RSA. Additionally, the Akira ransomware binary, like most modern ransomware binaries, has a feature that allows it to inhibit system recovery by deleting shadow copies from the affected system.


Other technical details

  • It avoids encrypting the following directories:
    • winnt
    • tmp
    • temp
    • thumb
    • $Recycle.Bin
    • $RECYCLE.BIN
    • System Volume Information
    • Boot
    • Windows
    • Trend Micro
    • ProgramData
  • It avoids encrypting files with the following extensions:
    • .exe
    • .dll
    • .lnk
    • .sys
    • .msi
    • .akira
  • It encrypts the whole file, regardless of size, if the file extension is any of the following:
    • .4dd
    • .4dl
    • .accdb
    • .accdc
    • .accde
    • .accdr
    • .accdt
    • .accft
    • .adb
    • .ade
    • .adf
    • .adp
    • .arc
    • .ora
    • .alf
    • .ask
    • .btr
    • .bdf
    • .cat
    • .cdb
    • .ckp
    • .cma
    • .cpd
    • .dacpac
    • .dad
    • .dadiagrams
    • .daschema
    • .db
    • .db-shm
    • .db-wal
    • .db3
    • .dbc
    • .dbf
    • .dbs
    • .dbt
    • .dbv
    • .dbx
    • .dcb
    • .dct
    • .dcx
    • .ddl
    • .dlis
    • .dp1
    • .dqy
    • .dsk
    • .dsn
    • .dtsx
    • .dxl
    • .eco
    • .ecx
    • .edb
    • .epim
    • .exb
    • .fcd
    • .fdb
    • .fic
    • .fmp
    • .fmp12
    • .fmpsl
    • .fol
    • .fol
    • .fp4
    • .fp5
    • .fp7
    • .fpt
    • .frm
    • .gdb
    • .grdb
    • .gwi
    • .hdb
    • .his
    • .ib
    • .idb
    • .ihx
    • .itdb
    • .itw
    • .jet
    • .jtx
    • .kdb
    • .kexi
    • .kexic
    • .kexis
    • .lgc
    • .lwx
    • .maf
    • .maq
    • .mar
    • .mas
    • .mav
    • .mdb
    • .mdf
    • .mpd
    • .mrg
    • .mud
    • .mwb
    • .myd
    • .ndf
    • .nnt
    • .nrmlib
    • .ns2
    • .ns3
    • .ns4
    • .nsf
    • .nv
    • .nv2
    • .nwdb
    • .nyf
    • .odb
    • .oqy
    • .orx
    • .owc
    • .p96
    • .p97
    • .pan
    • .pdb
    • .pdm
    • .pnz
    • .qry
    • .qvd
    • .rbf
    • .rctd
    • .rod
    • .rodx
    • .rpd
    • .rsd
    • .sas7bdat
    • .sbf
    • .scx
    • .sdb
    • .sdc
    • .sdf
    • .sis
    • .spq
    • .sql
    • .sqlite
    • .sqlite3
    • .sqlitedb
    • .te
    • .temx
    • .tmd
    • .tps
    • .trc
    • .trm
    • .udb
    • .udl
    • .usr
    • .v12
    • .vis
    • .vpd
    • .vvv
    • .wdb
    • .wmdb
    • .wrk
    • .xdb
    • .xld
    • .xmlff
    • .abcddb
    • .abs
    • .abx
    • .accdw
    • .adn
    • .db2
    • .fm5
    • .hjt
    • .icg
    • .icr
    • .kdb
    • .lut
    • .maw
    • .mdn
    • .mdt
  • It avoids encrypting files with the following extensions:
    • .PLAY
    • .exe
    • .msi
    • .dll
    • .lnk
    • .sys
  • It drops a ransom note:

    akira_readme.txt

  • It encrypts files using ChaCha20 and encrypts the key using RSA encryption.
    • Key generation:
      • A ChaCha20 key and nonce are generated using CryptGenRandom
    • Key encryption:
      • It uses the embedded RSA public key to encrypt the generated ChaCha20 key
    • File encryption
      • Files are encrypted using ChaCha20 encryption.
      • The Akira ransomware supports three encryption modes depending on the file type and size:
        • Full encryption
        • Partial encryption
        • Spot encryption
  • It appends this extension to encrypted files:
    • .akira
  • Hacktools
    • PowerTool
    • ADFind

MITRE tactics and techniques

  • Initial Access
    • T1078 - Valid Accounts: Uses compromised VPN credentials
    • T1190 - Exploit Public-Facing Application: Targets vulnerable Cisco devices via CVE-2023-20269
  • Persistence
    • T1136.002 - Create Account: Domain Account: Once initial access is established, Akira operators will create a domain account on the compromised system
  • Execution
    • T1059 - Command and Scripting Interpreter: Accepts parameters for its routines such as “-n 10” (for encryption percent) or “-s {filename}” (for shared folder encryption)
  • Defense Evasion
    • T1562.001 - Impair Defenses: Disable or Modify Tools: It has been observed to use PowerTool or a KillAV tool that abuses Zemana AntiMalware driver to terminate AV-related processes
  • Credential Access
    • T1003.001 - OS Credential Dumping: LSASS Memory: Uses Mimikatz, LaZagne, or a command line to dump LSASS from memory
  • Discovery
    • T1082 - System Information Discovery: Uses PCHunter and SharpHound to gather system information
    • T1069.002 - Permission Groups Discovery: Domain Groups: Uses AdFind, net Windows command, and nltest to gather domain information
    • T1018 - Remote System Discovery: Uses Advanced IP Scanner and MASSCAN to discover remote systems
  • Command and Control
    • T1219 - Remote Access Software: May use either AnyDesk, Radmin, Cloudflare Tunnel, MobaXterm, RustDesk, or Ngrok to gain remote access on targeted systems
  • Lateral Movement
    • T1570 - Lateral Tool Transfer: Uses RDP to move laterally within the victim’s network
  • Exfiltration
    • T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage: Uses RClone to exfiltrate stolen information over web service
    • T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol: Uses FileZilla or WinSCP to exfiltrate stolen information via FTP
  • Impact
    • T1490 - Inhibit System Recovery: Deletes shadow copies to inhibit recovery
    • T1486 - Data Encrypted for Impact: Akira ransomware is used to encrypt files

Summary of malware, tools, and exploits used

  • Initial Access
    • VPN via compromised accounts
    • CVE-2023-20269
  • Defense Evasion
    • PowerTool
    • KillAV (Terminator from GitHub)
  • Discovery
    • AdFind
    • PCHunter
    • Advanced IP Scanner
    • SharpHound
    • MASSCAN
  • Credential Access
    • Mimikatz
    • LaZagne
    • LSASS dump
  • Command and Control
    • AnyDesk
    • Radmin
    • Cloudflare Tunnel
    • MobaXterm
    • RustDesk
    • ngrok
  • Lateral Movement
    • RDP
  • Exfiltration
    • WinSCP
    • Rclone
    • FileZilla
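
Most of the tools in this summary are dual-use, so a single hit (for example, a help desk running AnyDesk) is weak evidence, while hits from several tactics on one host are worth escalating. The following is an added example, not part of the original report, that matches process-creation events against the tool names listed above and ranks hosts by how many tactics are represented. The `cloudflared` binary name, the `min_tactics` threshold and the sample events are assumptions of this example, and name-based matching misses renamed binaries.

```python
"""Added example: flag hosts where report-listed tools from several tactics show up together."""
import re
from collections import defaultdict

# Tool names copied from the report's summary table, keyed by tactic.
# Assumption: "cloudflared" is added as the usual Cloudflare Tunnel client binary name.
TOOLS_BY_TACTIC = {
    "Defense Evasion": ["PowerTool", "Terminator"],
    "Discovery": ["AdFind", "PCHunter", "Advanced IP Scanner", "SharpHound", "MASSCAN"],
    "Credential Access": ["Mimikatz", "LaZagne"],
    "Command and Control": ["AnyDesk", "Radmin", "cloudflared", "MobaXterm", "RustDesk", "ngrok"],
    "Exfiltration": ["WinSCP", "Rclone", "FileZilla"],
}


def _norm(text):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


_INDEX = [(_norm(tool), tool, tactic)
          for tactic, tools in TOOLS_BY_TACTIC.items() for tool in tools]


def match_tool(image_path):
    """Return (tactic, tool) when the executable's base name contains a listed tool name."""
    base = re.split(r"[\\/]", image_path)[-1]
    stem = _norm(base.rsplit(".", 1)[0])
    for needle, tool, tactic in _INDEX:
        if needle in stem:
            return tactic, tool
    return None


def triage(events, min_tactics=2):
    """Return [(host, {tactic: [tools]})] for hosts with hits in >= min_tactics tactics."""
    seen = defaultdict(lambda: defaultdict(set))
    for event in events:
        hit = match_tool(event["image"])
        if hit:
            seen[event["host"]][hit[0]].add(hit[1])
    rows = [(host, {t: sorted(tools) for t, tools in tactics.items()})
            for host, tactics in seen.items() if len(tactics) >= min_tactics]
    # Hosts with the widest tactic coverage first, then by host name.
    return sorted(rows, key=lambda row: (-len(row[1]), row[0]))


# Constructed process-creation events (host and image path only); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-014", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"host": "FS-02", "image": r"C:\Users\Public\AdFind.exe"},
    {"host": "FS-02", "image": r"C:\PerfLogs\PCHunter64.exe"},
    {"host": "FS-02", "image": r"C:\Users\Public\rclone.exe"},
    {"host": "FS-02", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "DC-01", "image": r"C:\Temp\Advanced_IP_Scanner.exe"},
    {"host": "DC-01", "image": r"C:\Temp\laZagne.exe"},
    {"host": "DC-01", "image": r"C:\Temp\ngrok.exe"},
]

if __name__ == "__main__":
    for host, tactics in triage(SAMPLE_EVENTS):
        print(host, tactics)
```
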

Security recommendations

As experienced ransomware actors develop increasingly sophisticated ransomware families, organizations need to proactively protect themselves from evolving threats. As ransomware threats evolve and exploit vulnerabilities to target businesses around the world, organizations need to improve their security posture to avoid financial and reputational harm.

Here are some security best practices that can help organizations protect their mission-critical data from ransomware attacks:

Audit and inventory

  • Take an inventory of assets and data.
  • Identify authorized and unauthorized devices and software.
  • Make an audit of event and incident logs.

Configure and monitor

  • Manage hardware and software configurations.
  • Grant admin privileges and access only when necessary to an employee’s role.
  • Monitor network ports, protocols, and services.
  • Activate security configurations on network infrastructure devices such as firewalls and routers.
  • Establish a software allowlist that executes only legitimate applications.

Patch and update

  • Conduct regular vulnerability assessments.
  • Perform patching or virtual patching for operating systems and applications.
  • Update software and applications to their latest versions.

Protect and recover

  • Implement data protection, backup, and recovery measures.
  • Enable multifactor authentication (MFA).

Secure and defend

  • Employ sandbox analysis to block malicious emails.
  • Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network.
  • Detect early signs of an attack such as the presence of suspicious tools in the system.
  • Use advanced detection technologies such as those powered by artificial intelligence (AI) and machine learning.

Train and test

  • Regularly train and assess employees in security skills.
  • Conduct red-team exercises and penetration tests.

A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.

  • Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on before the ransomware can do irreversible damage to the system.
  • Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
  • Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
  • Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.

Indicators of compromise (IOCs)

The IOCs for this article can be found here. Actual indicators might vary per attack.

Trend Micro Vision One Hunting Query

Trend Vision One customers can use the following hunting query to check if their network/system is possibly affected by Akira ransomware:

    fullPath:(*.akira* OR *akira_readme.txt*)
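
For environments without Vision One, the same file-path check can be run offline over a list of paths or a mounted share. The following is an added example, not Trend Micro's code: it matches the final extension and ransom note names given in this report (including the Megazord variant's), which is stricter than the query's wildcard match, and groups hits by directory. The sample paths and the "confirmed"/"suspected" heuristic are assumptions of this example.

```python
"""Added example: triage file paths for the Akira artifacts named in this report."""
import os
from collections import defaultdict
from pathlib import PureWindowsPath

# Names from the report: .akira / akira_readme.txt, and the Megazord variant's
# POWERRANGES extension / powerranges.txt note. Compared case-insensitively.
ENCRYPTED_EXTENSIONS = {".akira", ".powerranges"}
RANSOM_NOTES = {"akira_readme.txt", "powerranges.txt"}


def classify(path):
    """Return 'note', 'encrypted' or None for one file path."""
    # PureWindowsPath splits on both backslash and '/', so ESXi/Linux paths work too.
    name = PureWindowsPath(path).name.lower()
    if name in RANSOM_NOTES:
        return "note"
    if PureWindowsPath(name).suffix in ENCRYPTED_EXTENSIONS:
        return "encrypted"
    return None


def summarize(paths):
    """Group hits by parent directory: encrypted-file count and ransom-note flag."""
    dirs = defaultdict(lambda: {"encrypted": 0, "note": False})
    for path in paths:
        kind = classify(path)
        if kind is None:
            continue
        entry = dirs[str(PureWindowsPath(path).parent)]
        if kind == "note":
            entry["note"] = True
        else:
            entry["encrypted"] += 1
    return dict(dirs)


def verdict(summary):
    """Heuristic (an assumption of this example): note plus encrypted files in one
    directory is 'confirmed'; any other hit is 'suspected'; no hits is 'clean'."""
    if any(d["note"] and d["encrypted"] for d in summary.values()):
        return "confirmed"
    return "suspected" if summary else "clean"


def walk(root):
    """Yield every file path under root, for scanning a mounted share or image."""
    for dirpath, _subdirs, files in os.walk(root):
        for filename in files:
            yield os.path.join(dirpath, filename)


# Constructed sample paths, e.g. exported from EDR file-creation telemetry.
SAMPLE_PATHS = [
    r"C:\Shares\Finance\q3-forecast.xlsx.akira",
    r"C:\Shares\Finance\ledger.mdf.AKIRA",
    r"C:\Shares\Finance\akira_readme.txt",
    r"C:\Users\kim\Documents\akira-threat-brief.pdf",
    r"D:\Backups\vm01.vhdx.powerranges",
    "/vmfs/volumes/ds1/vm1/vm1.vmdk.akira",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_PATHS)
    for directory, hit in sorted(result.items()):
        print(directory, hit)
    print("verdict:", verdict(result))
```

To scan a live tree instead of the sample list, pass `walk(root)` to `summarize`.
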