Dark Web Profile: Akira Ransomware – SOCRadar® Cyber Intelligence Inc.

MITRE Techniques

• [T1078] Valid Accounts – Akira threat actors obtain and abuse credentials of existing accounts as a means of gaining initial access. “Akira threat actors obtain and abuse credentials of existing accounts as a means of gaining initial access.”
• [T1190] Exploit Public Facing Application – Akira threat actors exploit vulnerabilities in internet-facing systems to gain access to systems. “Akira threat actors exploit vulnerabilities in internet-facing systems to gain access to systems.”
• [T1133] External Remote Services – Akira threat actors have used remote access services, such as RDP/VPN connection to gain initial access. “Akira threat actors have used remote access services, such as RDP/VPN connection to gain initial access.”
• [T1566.001] Phishing: Spearphishing Attachment – Akira threat actors use phishing emails with malicious attachments to gain access to networks. “Akira threat actors use phishing emails with malicious attachments to gain access to networks.”
• [T1566.002] Phishing: Spearphishing Link – Akira threat actors use phishing emails with malicious links to gain access to networks. “Akira threat actors use phishing emails with malicious links to gain access to networks.”
• [T1003] OS Credential Dumping – Akira threat actors use tools like Mimikatz and LaZagne to dump credentials. “Akira threat actors use tools like Mimikatz and LaZagne to dump credentials.”
• [T1003.001] LSASS Memory – Akira threat actors attempt to access credential material stored in the process memory of the LSASS. “Akira threat actors attempt to access credential material stored in the process memory of the LSASS.”
• [T1016] System Network Configuration Discovery – Akira threat actors use tools to scan systems and identify services running on remote hosts and local network infrastructure. “Akira threat actors use tools to scan systems and identify services running on remote hosts and local network infrastructure.”
• [T1082] System Information Discovery – Akira threat actors use tools like PCHunter64 to acquire detailed process and system information. “Akira threat actors use tools like PCHunter64 to acquire detailed process and system information.”
• [T1482] Domain Trust Discovery – Akira threat actors use the net Windows command to enumerate domain information. “Akira threat actors use the net Windows command to enumerate domain information.”
• [T1057] Process Discovery – Akira threat actors use the Tasklist utility to obtain details on running processes via PowerShell. “Akira threat actors use the Tasklist utility to obtain details on running processes via PowerShell.”
• [T1069.001] Local Groups – Akira threat actors use the net localgroup /dom to find local system groups and permission settings. “Akira threat actors use the net localgroup /dom to find local system groups and permission settings.”
• [T1069.002] Domain Groups – Akira threat actors use the net group /domain command to attempt to find domain level groups and permission settings. “Akira threat actors use the net group /domain command to attempt to find domain level groups and permission settings.”
• [T1018] Remote System Discovery – Akira threat actors use nltest / dclist to amass a listing of other systems by IP address, hostname, or other logical identifiers on a network. “Akira threat actors use nltest / dclist to amass a listing of other systems by IP address, hostname, or other logical identifiers on a network.”
• [T1136.002] Create Account: Domain Account – Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts to establish persistence. “Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts to establish persistence.”
• [T1562.001] Impair Defenses: Disable or Modify Tools – Akira threat actors use BYOVD attacks to disable antivirus software. “BYOVD attacks to disable antivirus software.”
• [T1219] Remote Access Software – Akira threat actors use legitimate desktop support software like AnyDesk to obtain remote access to victim systems. “Akira threat actors use legitimate desktop support software like AnyDesk to obtain remote access to victim systems.”
• [T1090] Proxy – Akira threat actors utilized Ngrok to create a secure tunnel to servers that aided in exfiltration of data. “Akira threat actors utilized Ngrok to create a secure tunnel to servers that aided in exfiltration of data.”
• [T1560.001] Archive Collected Data: Archive via Utility – Akira threat actors use tools like WinRAR to compress files. “Akira threat actors use tools like WinRAR to compress files.”
• [T1048] Exfiltration Over Alternative Protocol – Akira threat actors use file transfer tools like WinSCP to transfer data. “Akira threat actors use file transfer tools like WinSCP to transfer data.”
• [T1537] Transfer Data to Cloud Account – Akira threat actors use tools like CloudZilla to exfiltrate data to a cloud account and connect to exfil servers they control. “Akira threat actors use tools like CloudZilla to exfiltrate data to a cloud account and connect to exfil servers they control.”
• [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Akira threat actors leveraged RClone to sync files with cloud storage services to exfiltrate data. “Akira threat actors leveraged RClone to sync files with cloud storage services to exfiltrate data.”
• [T1486] Data Encrypted for Impact – Akira threat actors encrypt data on target systems to interrupt availability to system and network resources. “Akira threat actors encrypt data on target systems to interrupt availability to system and network resources.”
• [T1490] Inhibit System Recovery – Akira threat actors delete volume shadow copies on Windows systems. “Akira threat actors delete volume shadow copies on Windows systems.”
• [T1657] Financial Theft – Akira threat actors use a double-extortion model for financial gain. “Akira threat actors use a double-extortion model for financial gain.”