CISA, FBI, and international partners updated a joint advisory documenting Akira ransomware TTPs and IOCs based on investigations through November 2025, noting its RaaS model, data exfiltration, TOR-based leak site, and ransom demands reaching several million dollars. The advisory and the related AttackIQ attack graph detail post-compromise behaviors including credential dumping, lateral movement, file exfiltration, and ChaCha20/RSA-4096 encryption. #Akira #Rubeus
Keypoints
- CISA, FBI, NCSC-NL and multiple international partners released an updated CSA on Akira ransomware incorporating findings through November 2025.
- Akira operates as Ransomware-as-a-Service (RaaS), enabling multiple affiliates to deploy it and maintain a TOR-based Dedicated Leak Site for extortion and data publication.
- Akira exfiltrates data before encryption and offers victims options to pay for decryption or data deletion; reported ransoms range from $200,000 to over $4,000,000.
- Post-compromise TTPs documented include brute-force RDP access, creation of local account itadm, permission discovery, credential dumping (Mimikatz, LaZagne), and Kerberoasting (Rubeus).
- Akira’s encryption uses ChaCha20 for files with RSA-4096 for key encryption and includes destructive actions like Volume Shadow Copy deletion and permission modification (icacls.exe).
- AttackIQ published an updated attack graph and emulation scenarios to validate detection and prevention controls against Akira’s behaviors, with added scenarios for native API discovery and expanded lateral movement techniques.
- Recommended expansions for emulation include RDP password brute-force and NTDS.dit dumping to better assess defenses against broader Akira capabilities.
MITRE Techniques
- [T1136.001 ] Create Account: Local Account – Creates a local account named itadm using the net user command (“create a new account with the name itadm using net user”).
- [T1069 ] Permission Groups Discovery Script – Enumerates permission groups using net localgroup and net group /domain commands (“enumerate permission groups using the net localgroup and net group /domain commands”).
- [T1069.001 ] Local Administrator Accounts Discovery via “net localgroup” Command – Executes net localgroup administrators to list local admins (“executes the net localgroup administrators command to enumerate a set of users with administration privileges”).
- [T1069.001 ] Local Administrator Accounts Discovery via “net group” Command – Executes net group “Domain Admins” /domain and net group “Enterprise Admins” /domain to enumerate privileged domain accounts (“executes the net group ‘Domain Admins’ /domain and net group ‘Enterprise Admins’ /domain commands to enumerate a set of privileged domain system accounts”).
- [T1057 ] Process Discovery Through Tasklist – Uses tasklist to enumerate running processes (“executes the Windows built-in tasklist command to enumerate running processes”).
- [T1018 ] Enumerate Domain Controllers using Nltest – Runs nltest /parentdomain and nltest /dclist to gather domain controller info (“executes the nltest /parentdomain and nltest /dclist commands to gather a list of domain controllers”).
- [T1482 ] Enumerate Trusted Domains via nltest command – Executes nltest /trusted_domains to list trusted Active Directory domains (“executes the nltest /trusted_domains command to retrieve a list of trusted Active Directory domains associated with the host”).
- [T1018 ] Active Directory Discovery using AdFind – Leverages AdFind to enumerate AD configuration, accounts, groups, and computers (“leverages the AdFind utility to discover details about the Active Directory configuration including accounts, groups, computers, and subnets”).
- [T1105 ] 2023-08 Kerberos Ticket Dumper (Sample download) – Downloads a Kerberos Ticket Dumper sample to test controls (“Kerberos Ticket Dumper Sample (SHA256: 5e1e3bf6…) is downloaded and saved to disk”).
- [T1558.003 ] Kerberoasting using Rubeus – Implements Kerberoasting with Rubeus to extract service account hashes (“implement the Kerberoasting technique using the Rubeus utility… to attempt to extract password hashes for accounts using their SPN ticket”).
- [T1003.001 ] Dump LSASS Process to Minidump File – Uses rundll32.exe with comsvcs.dll to export LSASS memory to a minidump (“executes rundll32.exe with comsvcs.dll to call the MiniDump export that will dump the LSASS process memory to disk”).
- [T1003.001 ] OS Credential Dumping: LSASS Memory – Runs Mimikatz against a minidump to extract credentials (“executes the Mimikatz utility to extract credentials from a specified MiniDump file”).
- [T1003 ] OS Credential Dumping (LaZagne) – Uses LaZagne to extract stored credentials from the environment (“employs the open-source tool LaZagne to extract all available credentials from the compromised environment”).
- [T1003.002 ] Dump SYSTEM Registry Hive via “reg save” Command – Saves the HKLM\SYSTEM hive to a file using reg save (“attempts to save a copy of the HKLM\SYSTEM registry hive to a temporary file by executing the reg save command”).
- [T1021.001 ] Lateral Movement Through Remote Desktop Protocol – Attempts RDP connections to previously identified systems (“attempts to remotely connect to an accessible system via Remote Desktop Protocol (RDP)”).
- [T1047 ] Lateral Movement Through Impacket’s WMIEXEC Class – Uses Impacket WMIEXEC for remote command execution (“employs the Impacket utility to execute the WMIEXEC class, to remotely connect to an accessible system via the WMI protocol”).
- [T1021.004 ] Lateral Movement Through SSH – Attempts lateral connections via SSH (“attempts to remotely connect to an accessible system via Secure Shell (SSH)”).
- [T1105 ] 2024-02 Akira Ransomware (Sample download) – Downloads the 2024-02 Akira sample to disk for testing protections (“2024-02 Akira Ransomware Sample (SHA256: 2727c73f…) is downloaded and saved to disk”).
- [T1082 ] System Information Discovery via “GetSystemInfo” Native API – Calls GetSystemInfo to retrieve hardware and OS details (“executes the GetSystemInfo Windows API call to retrieve information associated to the system”).
- [T1057 ] Process Discovery via Native API – Uses CreateToolhelp32Snapshot, Process32FirstW, Process32NextW to list processes (“uses Windows API to receive a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process object with Process32FirstW and Process32NextW”).
- [T1012 ] Obtain MachineGUID from Cryptography Registry Key using “reg query” Command – Queries the MachineGUID value under HKLM\SOFTWARE\Microsoft\Cryptography (“queries the MachineGUID value located within the HKLM\SOFTWARE\Microsoft\Cryptography registry key”).
- [T1005 ] Copy a file using “esentutl.exe” Script – Uses esentutl.exe to extract and copy targeted data from local databases (“executes the esentutl.exe utility to collect files from the system, leveraging its database extraction capabilities”).
- [T1490 ] Delete created Volume Shadow Copy using “WMI Object” – Deletes Volume Shadow Copies via WMI (Get-WMIObject Win32_ShadowCopy) (“executes the Get-WMIObject Win32_ShadowCopy PowerShell command to delete a Volume Shadow Copy”).
- [T1680 ] Logical Drive Discovery via “GetLogicalDriveStringsW” Native API – Calls GetLogicalDriveStringsW to enumerate physical drives (“executes the GetLogicalDriveStringsW Windows API call to retrieve information regarding the system’s physical drives”).
- [T1680 ] Drive Type Discovery via “GetDriveTypeW” Native API – Calls GetDriveTypeW to determine drive types (“retrieves information about the system’s physical disks by executing the GetDriveTypeW Windows API call”).
- [T1083 ] File and Directory Discovery via “FindFirstFileW” and “FindNextFileW” Native API – Enumerates filesystem entries using FindFirstFileW/FindNextFileW (“executes the FindFirstFileW and FindNextFileW Windows native API calls to enumerate the file system”).
- [T1222.001 ] Windows File and Directory Permissions Modification – Uses icacls.exe to grant Full rights to files (“employs the icacls.exe utility to modify file permissions to grant explicit Full (F) rights on a generated temporary file”).
- [T1486 ] Akira File Encryption – Performs file encryption routines using ChaCha20 for files and RSA-4096 for key encryption (“performs the file encryption routines used by common ransomware families… encrypted in place using similar encryption algorithms as used by Akira ransomware”).
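The technique list above is mostly command lines, which makes it a natural input for process-creation detection. The following is an added example, not code from AttackIQ or from the CISA advisory: a small rule set in Python that runs over process-creation telemetry (Sysmon Event ID 1 or Windows 4688) already normalised to dicts with "host" and "command_line" keys (that normalisation is assumed, not shown), flags the net, nltest, rundll32/comsvcs.dll, reg save, Get-WMIObject Win32_ShadowCopy, icacls, esentutl, Rubeus and MachineGUID behaviours listed above, and then correlates hits per host. The regexes accept slightly more than the quoted commands (net1, .exe suffixes, quoting variants), and the sample events are constructed for illustration only.

```python
"""Command-line detection rules for the Akira post-compromise TTPs listed above.

Added example; not code from the AttackIQ write-up or the CISA advisory.
Assumes process-creation telemetry has been normalised to dicts with "host" and
"command_line" keys. SAMPLE_EVENTS is constructed for illustration only.
"""
import json
import re

# (ATT&CK ID from the advisory summary, rule name, confidence, regex on the command line)
RULES = [
    ("T1136.001", "local account creation with net user", "high",
     r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"),
    ("T1069.001", "privileged group enumeration with net", "medium",
     r"\bnet1?(\.exe)?\s+(localgroup\s+administrators|group\s+[\"']?(domain|enterprise) admins[\"']?\s+/domain)\b"),
    ("T1018", "domain controller enumeration with nltest", "medium",
     r"\bnltest(\.exe)?\s+/(dclist|parentdomain)\b"),
    ("T1482", "trusted domain enumeration with nltest", "medium",
     r"\bnltest(\.exe)?\s+/trusted_domains\b"),
    ("T1003.001", "LSASS minidump via the comsvcs.dll MiniDump export", "high",
     r"\brundll32(\.exe)?\b.*comsvcs(\.dll)?\b.*\bminidump\b"),
    ("T1003.002", "SYSTEM hive export with reg save", "high",
     r"\breg(\.exe)?\s+save\s+hklm\\system\b"),
    ("T1490", "Volume Shadow Copy deletion through WMI", "high",
     r"\b(get-wmiobject|gwmi)\b.*\bwin32_shadowcopy\b.*\bdelete\b"),
    ("T1222.001", "explicit Full (F) rights granted with icacls", "medium",
     r"\bicacls(\.exe)?\b.*/grant\b.*:\(?f\)?(\s|$)"),
    ("T1005", "file copy with esentutl /y", "medium",
     r"\besentutl(\.exe)?\s+.*?/y\b"),
    # Matching on the tool name is brittle (the binary is trivially renamed);
    # treat this as a bonus signal, not the primary Kerberoasting detection.
    ("T1558.003", "Kerberoasting with Rubeus", "high",
     r"\brubeus(\.exe)?\s+kerberoast\b"),
    # MachineGUID reads are common in legitimate software; keep this one low and
    # use it only to corroborate higher-confidence rules on the same host.
    ("T1012", "MachineGUID lookup with reg query", "low",
     r"\breg(\.exe)?\s+query\s+.*\\cryptography\b.*\bmachineguid\b"),
]
COMPILED = [(tid, name, conf, re.compile(rx, re.IGNORECASE)) for tid, name, conf, rx in RULES]

# Constructed sample telemetry: the advisory's TTPs mixed with routine admin noise.
SAMPLE_EVENTS = [
    {"host": "WS01", "command_line": r"net user itadm P@ssw0rd! /add"},
    {"host": "WS01", "command_line": r"net localgroup administrators"},
    {"host": "WS01", "command_line": r'net group "Domain Admins" /domain'},
    {"host": "WS01", "command_line": r"nltest /trusted_domains"},
    {"host": "SRV02", "command_line": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\temp\lsass.dmp full"},
    {"host": "SRV02", "command_line": r"reg save HKLM\SYSTEM C:\temp\sys.hiv"},
    {"host": "SRV02", "command_line": r'powershell.exe -c "Get-WMIObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"host": "SRV02", "command_line": r"icacls C:\temp\locker.tmp /grant Everyone:F"},
    {"host": "SRV02", "command_line": r"reg query HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGUID"},
    # A lone nltest call and ordinary admin commands should not page anyone.
    {"host": "WS03", "command_line": r"nltest /dclist:corp.local"},
    {"host": "WS03", "command_line": r"net use Z: \\fs01\share /persistent:no"},
    {"host": "WS03", "command_line": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /v ProgramFilesDir"},
]


def match_event(event):
    """Return (technique, rule, confidence) for each rule the command line satisfies."""
    cmd = event.get("command_line", "")
    return [(tid, name, conf) for tid, name, conf, rx in COMPILED if rx.search(cmd)]


def scan(events):
    """Run every rule over every event and return one hit record per match."""
    hits = []
    for ev in events:
        for tid, name, conf in match_event(ev):
            hits.append({"host": ev.get("host"), "technique": tid, "rule": name,
                         "confidence": conf, "command_line": ev.get("command_line")})
    return hits


def techniques_seen(hits):
    """Distinct ATT&CK IDs observed, for mapping coverage back to the list above."""
    return sorted({h["technique"] for h in hits})


def hosts_with_chain(hits, min_techniques=3):
    """Hosts on which several distinct techniques fired.

    One net or nltest call is routine administration; discovery followed by
    credential dumping, shadow-copy deletion and permission changes on the same
    host is the chain the advisory describes and is what should reach an analyst.
    """
    per_host = {}
    for h in hits:
        per_host.setdefault(h["host"], set()).add(h["technique"])
    return sorted(host for host, seen in per_host.items() if len(seen) >= min_techniques)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for hit in found:
        print(json.dumps(hit))
    print("techniques:", ", ".join(techniques_seen(found)))
    print("hosts with a multi-technique chain:", hosts_with_chain(found))
```

Run as-is, the script prints one JSON hit per matched event, the nine distinct technique IDs it saw, and the two hosts (SRV02 and WS01) on which three or more techniques fired; WS03, with only a single nltest call, stays quiet. The per-host correlation is the part worth keeping: most of the individual commands are legitimate administration, and it is the sequence on one host that matches the intrusion pattern documented above.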
Indicators of Compromise
- [File Hash ] Known malicious samples used in testing – 2023 Kerberos Ticket Dumper SHA256: 5e1e3bf6999126ae4aa52146280fdb913912632e8bac4f54e98c58821a307d32, 2024-02 Akira SHA256: 2727c73f3069457e9ad2197b3cda25aec864a2ab8da3c2790264d06e13d45c3d.
- [File Name/Utility ] Tools and utilities abused – esentutl.exe for data extraction, icacls.exe for permission modification, rundll32.exe with comsvcs.dll for LSASS minidump creation.
- [Command/Registry ] Registry and API indicators – queries of the MachineGUID value under HKLM\SOFTWARE\Microsoft\Cryptography via reg query, reg save of the HKLM\SYSTEM hive, and use of the GetSystemInfo/GetLogicalDriveStringsW/GetDriveTypeW native APIs.
- [Network/Service ] Remote access and leak site indicators – brute-force and RDP access attempts, use of Impacket WMIEXEC and SSH for lateral movement, and a TOR-based Dedicated Leak Site (.onion) for victim contact and data listing.
- [Other IOCs ] Credential tools and samples – use of Rubeus for Kerberoasting, Mimikatz and LaZagne for credential extraction, and additional hashes and samples referenced in the reporting (2 further hashes not reproduced here).
Read more: https://www.attackiq.com/2025/11/18/updated-response-to-cisa-advisory-aa24-109a/