- Ransomware Spotlight: Akira
Because Akira is new and highly targeted, the number of attacks is not as substantial as that of other, more established and widely used ransomware families. Our Trend Micro™ Smart Protection Network™ telemetry points to France as the country most hit by Akira from May 1, 2023, to Aug. 31, 2023, with 53.1% of all detections. The United States and Turkey take the second and third spots, with 107 and 22 detections respectively.
Most of Akira's victims in our data belong to unspecified industries; according to external reports, approximately 80% of Akira's victims are small to medium-sized businesses (SMBs). The materials, manufacturing, and financial sectors made the top five list in the three-month span.
Akira’s monthly detections showed a surge in June 2023 with 508 attack attempts, which is significantly higher than the other months in our analysis period. Our lowest detections were for May 2023, with only three attack attempts for the entire month.
We now focus on Akira ransomware operators’ leak site data, which provides details on organizations that have been targeted by Akira actors.
This data, a consolidation of Trend Micro's open-source intelligence (OSINT) research and investigation of the leak site, shows that Akira ransomware actors compromised 107 organizations between April 1 and August 31, 2023. Most of Akira's victims (85.9%) were businesses based in North America.
Figure 4. The distribution by region of Akira ransomware’s victim organizations
Sources: Akira ransomware’s leak site and Trend Micro’s OSINT research (April 2023 – August 2023)
We've found that most of Akira's leak-site victims were small businesses with 1 to 200 employees (59 victims); midsized businesses and large enterprises took the second and third slots, respectively. Interestingly, based on leak site data, the most targeted sectors are academia and professional services, followed closely by construction and materials.
Figure 6. The distribution by organization size of Akira ransomware’s victim organizations
Sources: Akira ransomware’s leak site and Trend Micro’s OSINT research (April 2023 – August 2023)
Akira operators typically gain access to victim environments with valid credentials, possibly obtained from affiliates or from earlier attacks. They have been observed using third-party tools such as PCHunter, AdFind, PowerTool, Terminator, Advanced IP Scanner, Windows Remote Desktop Protocol (RDP), AnyDesk, Radmin, WinRAR, and Cloudflare's tunneling tool. Figure 8 shows Akira's infection chain.
Figure 8. The typical Akira ransomware infection chain
Figure 9. The Akira ransomware infection chain based on an infection case we’ve analyzed
Akira ransomware actors are known to use compromised VPN credentials for initial access. They have also been observed targeting Cisco VPNs by exploiting CVE-2023-20269, a zero-day vulnerability in the remote access VPN feature of Cisco ASA and FTD software that lets an unauthenticated remote attacker brute-force username and password combinations; Cisco reported that the targeted appliances were not configured for multi-factor authentication. Either way, the foothold is a working VPN account, which is why MFA on remote access is the control that matters most here.
Akira operators have been observed creating a new domain account on the compromised system to establish persistence.
For defense evasion, Akira ransomware actors have been observed using PowerTool or a KillAV tool that abuses the Zemana AntiMalware driver to terminate AV-related processes. This is a bring-your-own-vulnerable-driver (BYOVD) technique: the legitimately signed driver loads cleanly and is then used to kill protected processes from kernel mode, so driver-load telemetry is the place to catch it.
The actors behind the Akira ransomware have been observed using the following to gain knowledge on the victim's system and its connected network:
Akira ransomware operators use Mimikatz, LaZagne, or a specific command line to gather credentials.
Akira actors use Windows RDP to move laterally within the victim's network.
Akira ransomware operators have been observed using the open-source sync tool RClone to exfiltrate stolen data to cloud storage services. They have also been observed using FileZilla or WinSCP to exfiltrate stolen data over File Transfer Protocol (FTP), which carries both credentials and file contents in the clear.
Akira ransomware encrypts targeted files with a hybrid scheme that combines ChaCha20 and RSA: in the usual hybrid pattern, file contents are encrypted with the fast symmetric ChaCha20 cipher, and the symmetric key is in turn protected with the operators' RSA public key, so the data cannot be recovered without the matching private key that only the operators hold. Like most modern ransomware binaries, the Akira binary also inhibits system recovery by deleting shadow copies from the affected system.
Akira drops its ransom note as akira_readme.txt.
MITRE ATT&CK tactics and techniques observed in Akira attacks:

Tactic | Techniques |
---|---|
Initial Access | T1078 - Valid Accounts; T1190 - Exploit Public-Facing Application |
Persistence | T1136.002 - Create Account: Domain Account |
Execution | T1059 - Command and Scripting Interpreter |
Defense Evasion | T1562.001 - Impair Defenses: Disable or Modify Tools |
Credential Access | T1003.001 - OS Credential Dumping: LSASS Memory |
Discovery | T1082 - System Information Discovery; T1069.002 - Permission Groups Discovery: Domain Groups; T1018 - Remote System Discovery |
Command and Control | T1219 - Remote Access Software |
Lateral Movement | T1570 - Lateral Tool Transfer |
Exfiltration | T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage; T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
Impact | T1490 - Inhibit System Recovery; T1486 - Data Encrypted for Impact |
As experienced ransomware actors develop increasingly sophisticated ransomware families and exploit new vulnerabilities to target businesses around the world, organizations need to improve their security posture proactively to avoid financial and reputational harm.
Here are some security best practices that can help organizations protect their mission-critical data from ransomware attacks:
A multilayered approach can help organizations guard possible entry points into the system (endpoint, email, web, and network). Security solutions that can detect malicious components and suspicious behavior can also help protect enterprises.
The IOCs for this article can be found here. Actual indicators might vary per attack.
Trend Vision One customers can use the following hunting query to check if their network/system is possibly affected by Akira ransomware:
fullPath:(*.akira* OR *akira_readme.txt*)