CyberCX DFIR describes Akira ransomware creating new, unmonitored virtual machines on Windows Hyper-V and running the encryptor from inside them, bypassing EDR on the host and causing widespread damage to the attached VMs. The piece also covers attacker methods from initial access to post-exploitation, defense evasion with BYOVD tools such as Terminator, hypervisor-focused logging artifacts, encryption mechanics and decryptor developments, and recovery considerations. #AkiraRansomware #Terminator #Spyboy #Zemana #HyperV #ESXi #vSphere #ChaCha20 #Avast #Megazord
Key points
- Akira ransomware uses a novel hypervisor-level approach by creating unmonitored VMs on Windows Hyper-V to run the ransomware, evading on-host EDR.
- Initial access has historically involved VPN access with MFA at the initial access point, together with credential theft via info stealers and credential marketplaces.
- Post-intrusion activity includes network scanning with netscan.exe, AD data enumeration with AdFind.exe, data exfiltration via FileZilla over SFTP, and persistence through SystemBC with a scheduled task.
- Threat actors attempt to disable EDR using a signed kernel driver (BYOVD) and tools like Terminator to evade detection.
- The write-up covers hypervisor-layer logging on both Hyper-V and VMware ESXi, highlighting the specific event logs and files that record attacker VM operations for forensic analysis.
MITRE Techniques
- [T1133] External Remote Services – Brief description: Akira leveraged VPN access with MFA on the initial access point. Quote: ‘leveraged VPN access multi-factor authentication (MFA) applied on the initial access point.’
- [T1218] Signed Binary Proxy Execution – Brief description: Privileged operations performed via a signed kernel driver sourced from Zemana Anti-Malware. Quote: ‘a signed kernel driver file taken from the Zemana Anti-Malware program to perform privileged operations.’
- [T1562.001] Impair Defenses – Brief description: BYOVD and tools like Terminator used to disable or evade EDR. No direct quote; the source refers to BYOVD and attempts to disable EDR.
- [T1033] Account Discovery – Brief description: Enumeration of data in Active Directory via AdFind.exe. Quote: ‘Enumeration of data available in the Active Directory through AdFind (AdFind.exe)’.
- [T1046] Network Service Discovery – Brief description: Scanning the network with SoftPerfect Network Scanner (netscan.exe). Quote: ‘Scanning the network using SoftPerfect Network Scanner (netscan.exe)’.
- [T1041] Exfiltration Over SSH – Brief description: Data exfiltration via SFTP using FileZilla. Quote: ‘uploading it over SFTP using FileZilla’.
- [T1486] Data Encrypted for Impact – Brief description: Ransomware encryption with partial encryption techniques and discussion of decryptor possibilities; quote: ‘partial encryption… decrypt data under certain circumstances’.
Indicators of Compromise
- [File] Discovery and persistence tools – netscan.exe, AdFind.exe, SystemBC, FileZilla, Terminator (BYOVD).
- [Hash] Akira Megazord variant – c9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0 (VirusTotal; the blog notes that newer samples no longer contain the weakness). Two further hashes may be listed in the source.
- [VM] MySecretVM.vmx – example VM configuration file created in an ESXi environment.
- [Log/Event] Hyper-V VM creation events – Example: VM creation and state transitions (e.g., event IDs 18304 and 13002) from the Hyper-V logs.
- [User] EvilUser – sample value of the user field in a VM creation log line.
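As an added illustration of the hypervisor-level logging point above (example code, not from the CyberCX write-up), a small triage routine over constructed Hyper-V VMMS event records that flags VM creation and state-transition events (IDs 13002 and 18304, as cited above) raised on a host that is not in the hypervisor inventory or by an account not expected to manage VMs. The provider name, message format, hostnames and account names are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Event IDs the blog highlights for VM creation and state transitions.
VM_EVENT_IDS = {13002, 18304}
PROVIDER = "Microsoft-Windows-Hyper-V-VMMS"   # assumed provider name
VM_NAME_RE = re.compile(r"'([^']+)'")          # assumed message format: 'VMName' ...

@dataclass
class Event:
    time: datetime
    host: str
    provider: str
    event_id: int
    user: str
    message: str

def triage_hyperv_events(events, allowed_hosts, allowed_users):
    """Return (time, host, user, event_id, vm_name, reasons) for VM events that
    come from a host not inventoried as a hypervisor or from an unexpected user.
    A VM appearing on a file server, or created by an ordinary account, is the
    kind of 'unmonitored VM' the blog describes."""
    findings = []
    for ev in events:
        if ev.provider != PROVIDER or ev.event_id not in VM_EVENT_IDS:
            continue
        m = VM_NAME_RE.search(ev.message)
        vm = m.group(1) if m else "<unknown>"
        reasons = []
        if ev.host not in allowed_hosts:
            reasons.append("unexpected hypervisor host")
        if ev.user not in allowed_users:
            reasons.append("unexpected user")
        if reasons:
            findings.append((ev.time.isoformat(), ev.host, ev.user,
                             ev.event_id, vm, ", ".join(reasons)))
    return findings

# Constructed sample telemetry for this example; not taken from the incident.
SAMPLE_EVENTS = [
    Event(datetime(2024, 1, 1, 2, 10), "HV-PROD-01", PROVIDER, 13002, "CORP\\hv-admin", "'Web01' was created."),
    Event(datetime(2024, 1, 1, 2, 12), "HV-PROD-01", PROVIDER, 18304, "CORP\\hv-admin", "'Web01' changed state."),
    Event(datetime(2024, 1, 1, 3, 41), "FILESRV-02", PROVIDER, 13002, "CORP\\EvilUser", "'MySecretVM' was created."),
    Event(datetime(2024, 1, 1, 3, 42), "FILESRV-02", PROVIDER, 18304, "CORP\\EvilUser", "'MySecretVM' changed state."),
    Event(datetime(2024, 1, 1, 3, 43), "FILESRV-02", "Microsoft-Windows-Security-Auditing", 4624, "CORP\\EvilUser", "logon"),
]

if __name__ == "__main__":
    for finding in triage_hyperv_events(SAMPLE_EVENTS, {"HV-PROD-01"}, {"CORP\\hv-admin"}):
        print(finding)
```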
Read more: https://cybercx.co.nz/blog/akira-ransomware/