Pierluigi Paganini
April 21, 2024
A joint advisory published by CISA, the FBI, Europol, and the Netherlands’ National Cyber Security Centre (NCSC-NL) revealed that since early 2023, Akira ransomware operators received $42 million in ransom payments from more than 250 victims worldwide.
The Akira ransomware has been active since March 2023, the threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers.
The Akira ransomware operators implement a double extortion model by exfiltrating victims’ data before encrypting it.
Earlier versions of the ransomware were written in C++ and the malware added the .akira extension to the encrypted files. However, from August 2023 onwards, certain Akira attacks began utilizing Megazord, which employs Rust-based code and encrypts files with a .powerranges extension. Akira threat actors have persisted in employing both Megazord and Akira, including Akira_v2, identified by independent investigations, interchangeably.
The cybersecurity researchers observed threat actors obtaining initial access to organizations through a virtual private network (VPN) service without multifactor authentication (MFA) configured. The attackers mostly used Cisco vulnerabilities CVE-2020-3259 and CVE-2023-20269.
Akira operators were also observed using external-facing services such as Remote Desktop Protocol (RDP), spear phishing, and the abuse of valid credentials.
Following initial access, threat actors were observed exploiting domain controller’ functions by generating new domain accounts to establish persistence. In some attacks, threat actors created an administrative account named itadm.
“According to FBI and open source reporting, Akira threat actors leverage post-exploitation attack techniques, such as Kerberoasting, to extract credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS). Akira threat actors also use credential scraping tools like Mimikatz and LaZagne to aid in privilege escalation.” reads the report. “Tools like SoftPerfect and Advanced IP Scanner are often used for network device discovery (reconnaissance) purposes and net Windows commands are used to identify domain controllers and gather information on domain trust relationships.“
Akira operators have been observed deploying two distinct ransomware variants against different system architectures within the same attack. It was this first time that the operators adopted this tactic.
The operators frequently disable security software to evade detection and for lateral movement. The government experts observed the use of PowerTool by Akira threat actors to exploit the Zemana AntiMalware driver and terminate antivirus-related processes.
Threat actors use FileZilla, WinRAR, WinSCP, and RClone for data exfiltration. The attackers use AnyDesk, Cloudflare Tunnel, RustDesk, Ngrok, and Cloudflare Tunnel to communicate with the command-and-control (C&C).
“Akira threat actors utilize a sophisticated hybrid encryption scheme to lock data. This involves combining a ChaCha20 stream cipher with an RSA public-key cryptosystem for speed and secure key exchange. This multilayered approach tailors encryption methods based on file type and size and is capable of full or partial encryption.” concludes the advisory that includes indicators of compromise (IoCs).”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Akira ransomware)
