A threat actor breached a victim environment, accessed a hypervisor, created a new virtual machine, and used it to stage and launch Akira ransomware. The investigation also found use of Easyupload.io via LimeWire, WinRAR, and WinSCP for staging and likely exfiltration, along with rapid disabling of Microsoft Defender and little effort to hide activity. #Akira #LimeWire #Easyuploadio #WinRAR #WinSCP #MicrosoftDefender
Key points
- The attacker accessed a hypervisor and created a new VM to stage Akira ransomware.
- Microsoft Defender was quickly disabled on the newly created virtual machine.
- WinRAR and WinSCP were used to archive and transfer staged data.
- Easyupload.io through LimeWire was likely used for data exfiltration.
- Logs and artifacts showed a fast attack flow with little anti-forensic effort.
Read More: https://www.huntress.com/blog/akira-ransomware-limewire-data-exfiltration