Cybersecurity Snapshots - Akira Ransomware
By aekwall
Akira ransomware first emerged in March 2023 and has been known to target companies based in the US, Canada, and Europe. According to CISA, the FBI, Europol, and the Netherlands' National Cyber Security Centre (NCSC-NL), since early 2023 Akira ransomware has claimed over 250 victims worldwide and received over $42 million in ransom payments. Security researchers at Trend Micro noted that most of Akira's victims were small businesses with 1 to 200 employees. Based on leak site data, Trend Micro said that the most targeted sectors are academia and professional services, followed closely by construction and materials.
Trend Micro says that Akira ransomware typically gains access to victim environments by using valid credentials, possibly obtained from its affiliates or from other attacks. It has been observed using third-party tools such as PCHunter, AdFind, PowerTool, Terminator, Advanced IP Scanner, Windows Remote Desktop Protocol (RDP), AnyDesk, Radmin, WinRAR, and Cloudflare's tunneling tool. Akira mostly targets Windows systems, and the most common way it gains initial access is through VPN credentials. Its operators have also been observed targeting vulnerable Cisco VPNs by exploiting CVE-2023-20269, a zero-day vulnerability affecting Cisco ASA and FTD. Akira has also been seen infecting VMware ESXi virtual machines.
To establish persistence, Akira operators have been observed creating a new domain account on the compromised system. For defense evasion, the threat actors have been observed using PowerTool or a KillAV tool that abuses the Zemana AntiMalware driver to terminate AV-related processes. Trend Micro noted that to gain knowledge of the victim's system and its connected network, Akira uses PCHunter and SharpHound to gather system information, AdFind alongside the Windows net command and nltest to obtain domain information, and Advanced IP Scanner and MASSCAN to discover other remote systems. Trend Micro notes that Akira ransomware encrypts targeted systems using a hybrid encryption scheme that combines ChaCha20 and RSA. Additionally, the Akira ransomware binary, like most modern ransomware binaries, inhibits system recovery by deleting shadow copies from the affected system.
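The persistence, discovery and recovery-inhibition behaviours described above all leave process-creation traces that a defender can hunt for. The following is an added detection example, not code from the article or from Trend Micro or CISA; the log format, the regex rules, and the sample log lines are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Rules keyed to the Akira behaviours the article describes (new domain
# account, nltest/AdFind/SharpHound discovery, network scanning, shadow copy
# deletion). The patterns themselves are assumptions, not vendor signatures.
RULES = {
    "inhibit_recovery_shadow_copy_delete": re.compile(
        r"\b(vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)", re.I),
    "persistence_new_domain_account": re.compile(
        r"\bnet(?:1)?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b.*\s/domain\b", re.I),
    "discovery_domain_enum": re.compile(
        r"\b(nltest(?:\.exe)?\s+/(dclist|domain_trusts)|adfind(?:\.exe)?\b|sharphound(?:\.exe)?\b)", re.I),
    "discovery_network_scan": re.compile(r"\b(masscan|advanced_ip_scanner)(?:\.exe)?\b", re.I),
}

# Constructed, simplified process-creation log format (assumption):
# "<timestamp> host=<hostname> user=<domain\user> cmd=<full command line>"
LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

SAMPLE_LOGS = [  # constructed sample data
    "2024-04-01T02:05:40Z host=FS01 user=CORP\\jdoe cmd=net user itadmin2 Placeh0lder /add /domain",
    "2024-04-01T02:07:12Z host=WS17 user=CORP\\jdoe cmd=nltest /dclist:corp.local",
    "2024-04-01T02:11:05Z host=FS01 user=CORP\\svc_backup cmd=vssadmin.exe delete shadows /all /quiet",
    "2024-04-01T09:00:00Z host=WS22 user=CORP\\asmith cmd=net user /domain",  # benign lookup, no /add
    "2024-04-01T09:30:00Z host=WS22 user=CORP\\asmith cmd=notepad.exe C:\\notes.txt",
]

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def detect(lines):
    """Return (host, rule_name, command_line) for every line that matches a rule."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for name, rx in RULES.items():
            if rx.search(ev["cmd"]):
                hits.append((ev["host"], name, ev["cmd"]))
    return hits

def hosts_with_multiple_stages(hits, min_stages=2):
    """Hosts where at least min_stages distinct rules fired; these deserve triage first."""
    stages = defaultdict(set)
    for host, name, _ in hits:
        stages[host].add(name)
    return {host for host, names in stages.items() if len(names) >= min_stages}
```

Running `detect(SAMPLE_LOGS)` flags three events and `hosts_with_multiple_stages` singles out FS01, where both account creation and shadow copy deletion were seen; the benign `net user /domain` lookup is not flagged.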
Security researchers expect the Akira ransomware gang's list of victims to continue to increase in 2024. So, organizations should be on the lookout for Indicators of Compromise (IOCs). Trend Micro noted that as ransomware threats evolve and exploit vulnerabilities to target businesses around the world, organizations need to improve their security posture to avoid financial and reputational harm.