SUMMARY
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The United States’ Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) are releasing this joint CSA to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations and trusted third party reporting as recently as February 2024.
Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines. As of January 1, 2024, the ransomware group has impacted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds.
Early versions of the Akira ransomware variant were written in C++ and encrypted files with a .akira extension; however, beginning in August 2023, some Akira attacks began deploying Megazord, using Rust-based code which encrypts files with a .powerranges extension. Akira threat actors have continued to use both Megazord and Akira, including Akira_v2 (identified by trusted third party investigations) interchangeably.
The FBI, CISA, EC3, and NCSC-NL encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.
Download the PDF version of this report:
#StopRansomware: Akira Ransomware
(PDF, 586.86 KB
)
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.
Initial Access
The FBI and cybersecurity researchers have observed Akira threat actors obtaining initial access to organizations through a virtual private network (VPN) service without multifactor authentication (MFA) configured[1 ], mostly using known Cisco vulnerabilities [T1190 ] CVE-2020-3259 and CVE-2023-20269 .[2 ],[3 ],[4 ] Additional methods of initial access include the use of external-facing services such as Remote Desktop Protocol (RDP) [T1133 ], spear phishing [T1566.001 ][T1566.002 ], and the abuse of valid credentials[T1078 ].[4 ]
Persistence and Discovery
Once initial access is obtained, Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts [T1136.002 ] to establish persistence. In some instances, the FBI identified Akira threat actors creating an administrative account named itadm .
According to FBI and open source reporting, Akira threat actors leverage post-exploitation attack techniques, such as Kerberoasting[5 ], to extract credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS) [T1003.001 ]. [6 ] Akira threat actors also use credential scraping tools [T1003 ] like Mimikatz and LaZagne to aid in privilege escalation. Tools like SoftPerfect and Advanced IP Scanner are often used for network device discovery (reconnaissance) purposes [T1016 ] and net Windows commands are used to identify domain controllers [T1018 ] and gather information on domain trust relationships [T1482 ].
See Table 1 for a descriptive listing of these tools.
Defense Evasion
Based on trusted third party investigations, Akira threat actors have been observed deploying two distinct ransomware variants against different system architectures within the same compromise event. This marks a shift from recently reported Akira ransomware activity. Akira threat actors were first observed deploying the Windows-specific “Megazord” ransomware, with further analysis revealing that a second payload was concurrently deployed in this attack (which was later identified as a novel variant of the Akira ESXi encryptor, “Akira_v2”).
As Akira threat actors prepare for lateral movement, they commonly disable security software to avoid detection. Cybersecurity researchers have observed Akira threat actors using PowerTool to exploit the Zemana AntiMalware driver[4 ] and terminate antivirus-related processes [T1562.001 ].
Exfiltration and Impact
Akira threat actors leverage tools such as FileZilla, WinRAR [T1560.001 ], WinSCP, and RClone to exfiltrate data [T1048 ]. To establish command and control channels, threat actors leverage readily available tools like AnyDesk, MobaXterm, RustDesk, Ngrok, and Cloudflare Tunnel, enabling exfiltration through various protocols such as File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), and cloud storage services like Mega [T1537 ] to connect to exfiltration servers.
Akira threat actors use a double-extortion model [T1657 ] and encrypt systems [T1486 ] after exfiltrating data. The Akira ransom note provides each company with a unique code and instructions to contact the threat actors via a .onion URL. Akira threat actors do not leave an initial ransom demand or payment instructions on compromised networks, and do not relay this information until contacted by the victim. Ransom payments are paid in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. To further apply pressure, Akira threat actors threaten to publish exfiltrated data on the Tor network, and in some instances have called victimized companies, according to FBI reporting.
Encryption
Akira threat actors utilize a sophisticated hybrid encryption scheme to lock data. This involves combining a ChaCha20 stream cipher with an RSA public-key cryptosystem for speed and secure key exchange [T1486 ]. This multilayered approach tailors encryption methods based on file type and size and is capable of full or partial encryption. Encrypted files are appended with either a .akira or .powerranges extension. To further inhibit system recovery, Akira’s encryptor (w.exe ) utilizes PowerShell commands to delete volume shadow copies (VSS) on Windows systems [T1490 ]. Additionally, a ransom note named fn.txt appears in both the root directory (C: ) and each users’ home directory (C:Users ).
Trusted third party analysis identified that the Akira_v2 encryptor is an upgrade from its previous version, which includes additional functionalities due to the language it’s written in (Rust). Previous versions of the encryptor provided options to insert arguments at runtime, including:
-p –encryption_path (targeted file/folder paths)
-s –share_file (targeted network drive path)
-n –encryption_percent (percentage of encryption)
–fork (create a child process for encryption
The ability to insert additional threads allows Akira threat actors to have more granular control over the number of CPU cores in use, increasing the speed and efficiency of the encryption process. The new version also adds a layer of protection, utilizing the Build ID as a run condition to hinder dynamic analysis. The encryptor is unable to execute successfully without the unique Build ID. The ability to deploy against only virtual machines using “vmonly ” and the ability to stop running virtual machines with “stopvm ” functionalities have also been observed implemented for Akira_v2. After encryption, the Linux ESXi variant may include the file extension “akiranew ” or add a ransom note named “akiranew.txt ” in directories where files were encrypted with the new nomenclature.
Leveraged Tools
Table 1 lists publicly available tools and applications Akira threat actors have used, including legitimate tools repurposed for their operations. Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.
Table 1: Tools Leveraged by Akira Ransomware Actors
Name
Description
AdFind
AdFind.exe is used to query and retrieve information from Active Directory.
Advanced IP Scanner
A network scanner is used to locate all the computers on a network and conduct a scan of their ports. The program shows all network devices, gives access to shared folders, and provides remote control of computers (via RDP and Radmin).
AnyDesk
A common software that can be maliciously used by threat actors to obtain remote access and main