Akira is a ransomware strain operated under a Ransomware-as-a-Service (RaaS) model, which has let a range of affiliates deploy it since it first appeared in March 2023. It shares a name with a 2017 ransomware family but is unrelated to it. Akira shows code similarities to Conti ransomware, and its operators run a Tor-based Dedicated Leak Site to negotiate with victims, with reported ransom demands ranging from 0,000 to over million. AttackIQ has published an emulation of the strain's observed behaviors so organizations can test their security controls against them. Affected: Ransomware, Cybersecurity, Organizations
Key points:
- Akira ransomware operates under a Ransomware-as-a-Service model.
- It emerged in March 2023 and is unrelated to the earlier ransomware of the same name from 2017.
- Akira has links to Conti ransomware based on code similarities.
- Operators use a Tor-based Dedicated Leak Site for victim negotiations.
- Ransom demands range from 0,000 to over million.
- AttackIQ has developed an emulation to help organizations evaluate their security controls.
- Continuous validation of security against Akira ransomware’s behaviors is essential for reducing risk.
MITRE Techniques:
- Ingress Tool Transfer (T1105): The emulation downloads the Akira sample to the endpoint, exercising network and endpoint controls against the transfer.
- System Information Discovery (T1082): Calls GetSystemInfo and related Windows API functions to profile the host.
- Query Registry (T1012): Reads the MachineGuid value under HKLM\SOFTWARE\Microsoft\Cryptography, a per-installation identifier, from the registry.
- Inhibit System Recovery (T1490): Deletes Volume Shadow Copies so encrypted files cannot be restored from local snapshots.
- Data Encrypted for Impact (T1486): Runs the encryption routine over the targeted files.
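Two of the behaviors above, shadow-copy deletion (T1490) and the MachineGuid registry lookup (T1012), leave clear process-creation telemetry. The following detection logic is an added example written for this page, not code from AttackIQ or from the Akira sample. It runs a small rule set over constructed Sysmon-style process-creation events and generalizes T1490 coverage beyond a single command: vssadmin, wmic and the PowerShell WMI/CIM route are all matched. The event field names and sample command lines are assumptions for illustration.

```python
"""Flag Akira-style T1490 (shadow-copy deletion) and T1012 (MachineGuid lookup)
in process-creation events. Sample events below are constructed, not real telemetry."""
import re

# Each rule: (ATT&CK technique, reason shown to the analyst, regex over the
# normalized command line). Normalization lower-cases and strips quotes, so
# patterns are written in lower case without quoting.
RULES = [
    ("T1490", "vssadmin shadow copy deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("T1490", "vssadmin shadow storage resize (evicts existing copies)",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("T1490", "wmic shadow copy deletion",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("T1490", "PowerShell Win32_ShadowCopy removal",
     re.compile(r"win32_shadowcopy.*\b(?:remove-wmiobject|remove-ciminstance)\b")),
    # MachineGuid lives at HKLM\SOFTWARE\Microsoft\Cryptography. Legitimate
    # software also reads it, so treat this as context for a T1490 hit on the
    # same host rather than as a stand-alone alert.
    ("T1012", "reg.exe query of MachineGuid",
     re.compile(r"\breg(?:\.exe)?\s+query\b.*\\cryptography\b.*\bmachineguid\b")),
]


def normalize(cmdline):
    """Drop quotes, collapse whitespace and lower-case so trivial variations
    ("Delete Shadows" vs. "delete shadows", quoted exe paths) still match."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


def match_event(event):
    """Return [(technique, reason), ...] for a single process-creation event."""
    cmd = normalize(event.get("CommandLine", ""))
    return [(tid, reason) for tid, reason, rx in RULES if rx.search(cmd)]


def scan(events):
    """Run every rule over every event; return one hit dict per (event, rule)."""
    hits = []
    for ev in events:
        for tid, reason in match_event(ev):
            hits.append({"record": ev["RecordId"], "technique": tid, "reason": reason})
    return hits


# Constructed sample events (hypothetical field names modeled on Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "vssadmin.exe Delete Shadows /All /Quiet"'},
    {"RecordId": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"RecordId": 3, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid'},
    # Benign: listing shadows is routine administration and must not fire.
    {"RecordId": 4, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"RecordId": 5, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"record {hit['record']}: {hit['technique']} - {hit['reason']}")
```

Records 1 to 3 fire (two T1490 hits and one T1012 hit); records 4 and 5 do not. In a real pipeline the same rules would be applied to Sysmon Event ID 1 or Windows Security 4688 command lines, and a T1490 hit should be treated as a high-severity signal on its own, since legitimate tooling rarely deletes all shadow copies quietly.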
Indicators of Compromise:
- [Domain] .onion (Tor-based site for victim negotiations)
- [Malware Emulation] Akira Ransomware – 2024-12
Full Story: https://www.attackiq.com/2025/02/26/emulating-akira-ransomware/