Malware Type: Ransomware
Small and medium-sized businesses worldwide are currently under active targeting by the newly discovered Akira ransomware.
The primary focus of these attacks reportedly lies on the United States and Canada. Since its discovery in March 2023, Akira has already compromised at least 63 victims. Interestingly, Akira is offered as a ransomware-as-a-service.
Preliminary research suggests a connection between the Akira group and threat actors associated with the notorious ransomware operation Conti.
Modus Operandi:
The group gains access to victim environments through VPN services, particularly targeting users who have not enabled multi-factor authentication.
The group follows a consistent pattern: they first steal information from victims, then encrypt the data on the victims' systems and employ a double-extortion tactic to compel payment of the ransom.
If the victim refuses to pay, the group releases the victim's data on their dark web blog.
They have also been observed using tools like AnyDesk, WinRAR, and PCHunter during their intrusions. These tools are often present in the victim's environment, and their misuse generally goes undetected.
Akira ransomware targets both Windows and Linux-based systems.
Infection Mechanism
The attack process begins when a sample of the Akira ransomware is executed. Upon execution, Akira deletes the Windows Shadow Volume Copies on the targeted device.
The ransomware then encrypts files with a predefined set of extensions. A '.akira' extension is appended to each encrypted file's name during this encryption process.
In the encryption phase, the ransomware terminates active Windows services using the Windows Restart Manager API.
This step prevents any interference with the encryption process. It encrypts files found in various hard drive folders, excluding the ProgramData, Recycle Bin, Boot, System Volume Information, and Windows folders. To maintain system stability, it refrains from modifying Windows system files, which include files with extensions like .sys, .msi, .dll, .lnk, and .exe.
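For scoping an incident after the behaviour described above, here is an added Python triage script (not part of this advisory, and not Akira's or any vendor's code). It walks a directory tree, counts files carrying the '.akira' extension per top-level folder, records the original extensions that were encrypted, and flags hits in the folders or file types the advisory says Akira skips, since those would point to a variant or a different tool. The sample tree is constructed inline so the script runs offline.

```python
"""Post-incident triage: scope files carrying the '.akira' extension."""
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".akira"
# Folders the advisory reports Akira leaves untouched (compared case-insensitively;
# '$recycle.bin' is the on-disk name of the Recycle Bin folder).
SKIPPED_DIRS = {"programdata", "recycle bin", "$recycle.bin", "boot",
                "system volume information", "windows"}
# Extensions the advisory reports Akira does not encrypt.
SKIPPED_EXTS = {".sys", ".msi", ".dll", ".lnk", ".exe"}


def triage(root: str) -> dict:
    """Summarise '.akira' files under root: totals, per-folder counts, original
    extensions, and hits that contradict the advisory's described behaviour."""
    root_path = Path(root)
    per_dir, orig_exts, anomalies = Counter(), Counter(), []
    for path in root_path.rglob("*" + ENCRYPTED_EXT):
        if not path.is_file():
            continue
        rel = path.relative_to(root_path)
        top = rel.parts[0].lower() if len(rel.parts) > 1 else "<root>"
        per_dir[top] += 1
        orig = Path(path.stem).suffix.lower()  # 'report.docx.akira' -> '.docx'
        orig_exts[orig or "<none>"] += 1
        if top in SKIPPED_DIRS or orig in SKIPPED_EXTS:
            anomalies.append(rel.as_posix())
    return {"total": sum(per_dir.values()), "per_dir": dict(per_dir),
            "orig_exts": dict(orig_exts), "anomalies": sorted(anomalies)}


def build_sample_tree() -> str:
    """Constructed sample tree mimicking a hit file share (not real victim data)."""
    root = tempfile.mkdtemp(prefix="akira_triage_")
    files = ["Users/alice/report.docx.akira", "Users/alice/budget.xlsx.akira",
             "Shares/finance/q1.pdf.akira", "Shares/finance/notes.txt",
             # Unexpected per the advisory: a .sys file under Windows was encrypted.
             "Windows/System32/drivers/foo.sys.akira"]
    for name in files:
        target = Path(root, name)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```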
Attack Mapping: [MITRE ATT&CK Techniques]
- T1078 - Valid Accounts
- T1133 - External Remote Services
- T1059.001 - PowerShell
- T1003.001 - OS Credential Dumping: LSASS Memory
- T1112 - Modify Registry
- T1083 - File and Directory Discovery
- T1486 - Data Encrypted for Impact
- T1490 - Inhibit System Recovery
Data Leak site on Dark Web:
https[://]akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad[.]onion
Indicators of Compromise:
HASHES
Recommendations:
- Take periodic backups and run restoration tests to verify that backups can be restored intact.
- Establish Domain-based Message Authentication, Reporting, and Conformance (DMARC), DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) for your domain. These email validation mechanisms detect email spoofing, which is how most ransomware samples reach corporate mailboxes.
- Enforce strong password policies and multi-factor authentication (MFA).
- Avoid applying updates/patches obtained from any unofficial channel.
- Implement a strict External Device (USB drive) usage policy.
- Employ data-at-rest and data-in-transit encryption.
- Consider installing the Enhanced Mitigation Experience Toolkit or similar host-level anti-exploitation tools.
- Block email attachments of the following file types: exe, pif, tmp, url, vb, vbe, scr, reg, cer, pst, cmd, com, bat, dll, dat, hlp, hta, js, wsf.
- Conduct Vulnerability Assessment and Penetration Testing (VAPT) and information security audits of critical networks/systems, especially database servers, using CERT-In empanelled auditors. Repeat audits at regular intervals.