Akira ransomware operates as a double-extortion threat, exfiltrating data before encrypting devices and leaking the stolen data if ransom isn’t paid. Technical analysis shows a C++-based, 64-bit Windows malware using ChaCha and RSA for encryption, shadow-copy deletion, multi-threading, and a structured command-line interface; victims span multiple sectors worldwide. #AkiraRansomware #AkiraLeakSite
Keypoints
- Akira is a ransomware family active since early 2023, employing a double extortion model with data exfiltration prior to encryption.
- Initial access commonly involves exploitation of MFA weaknesses on remote access (the report cites CVE-2023-20269, a Cisco ASA/FTD remote access VPN vulnerability), known vulnerabilities in public-facing services such as RDP, and spear phishing.
- Privilege escalation and lateral movement rely on LSASS memory dumps and on RDP connections to other hosts, with tooling such as Mimikatz, LaZagne and PCHunter64.
- Data is exfiltrated before encryption; tools observed for the uploads include RClone, WinSCP and FileZilla.
- Technical analysis: the malware is written in C++, targets 64-bit Windows, and exposes a command-line interface with several encryption-related arguments.
- Files are encrypted with ChaCha alongside an embedded RSA public key, the .akira extension is appended, and certain file types are skipped (e.g., .exe, .dll, .sys, .msi, .lnk) together with the ransom note akira_readme.txt.
- Shadow copies are deleted by an embedded, encrypted PowerShell command that the malware decrypts and executes; the command itself is a WMI pipeline (Get-WmiObject Win32_Shadowcopy | Remove-WmiObject), and WMI calls are also used to check the result.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Quote: “MFA exploitation (i.e. CVE-2023-20269) is mostly used in observed campaigns, along with known vulnerabilities in public facing services, such as RDP.”
- [T1021.001] Remote Services: Remote Desktop Protocol – Quote: “RDP is used to connect to other machines within the network while moving laterally.”
- [T1003.001] OS Credential Dumping: LSASS Memory – Quote: “To escalate privileges and/or move laterally, LSASS dumps are used.”
- [T1059.001] Command and Scripting Interpreter: PowerShell – Quote: “The command is decrypted, and subsequently executed. The command is given below and is used to delete the shadow copies on the device.”
- [T1047] Windows Management Instrumentation – Quote: “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject.”
- [T1106] Native API – Quote: “Using CryptAcquireContextW. This call returns a handler to the Windows cryptographic context.”
- [T1486] Data Encrypted for Impact – Quote: “The encryption-related code references public-key cryptography via WinAPI calls and ChaCha encryption.” Quote: “The type of encryption to apply. Files until 2 megabytes in size will be encrypted for 50%.”
- [T1490] Inhibit System Recovery – Quote: “GetSystemInfo… The command is decrypted, and subsequently executed. … to delete the shadow copies on the device.”
- [T1584] Compromise Infrastructure – Quote: “Compromise Infrastructure.”
Indicators of Compromise
- [File Hash] Analyzed Akira sample – MD5: f526a8ea744a8c5051deefbf2c6010af, SHA-1: d4f6241abe5f46e6b18f10da95d004924eac4ed3, SHA-256: 8bfa4c2c1065b105ec80a86f460e0e0221b39610109cc6cd4b441dd86e6b4aef
- [File Extension] Appended to encrypted files – .akira
- [File Name] Ransom note dropped by the malware – akira_readme.txt
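The shadow-copy deletion command quoted under T1047/T1490 and the indicators listed above lend themselves to simple hunting logic. The following Python is an added example, not code from the Trellix report: it checks hashes against the listed IoCs, flags the quoted WMI pipeline (widened to PowerShell's gwmi/rwmi aliases) in script block logging events, and triages a file listing for .akira files, the ransom note and intact skipped file types. The vssadmin and wmic patterns are an assumption (generic T1490 equivalents, not behaviour the page attributes to Akira), and the Event ID 4104 records and the file listing are constructed for illustration.

```python
"""Added hunting helpers for the Akira indicators and behaviours summarised on this page.
Sample events and file listings below are constructed for illustration; they are not
Trellix data, and this is not code from the Trellix report."""
import hashlib
import re
from typing import Dict, Iterable, List, Optional

# Indicators of compromise as listed in the page's IoC section.
AKIRA_HASHES = {
    "md5": "f526a8ea744a8c5051deefbf2c6010af",
    "sha1": "d4f6241abe5f46e6b18f10da95d004924eac4ed3",
    "sha256": "8bfa4c2c1065b105ec80a86f460e0e0221b39610109cc6cd4b441dd86e6b4aef",
}
AKIRA_EXTENSION = ".akira"
AKIRA_NOTE = "akira_readme.txt"
# File types the encryptor skips (from the technical analysis above). They stay intact on an
# encrypted host, which is a useful sanity check when triaging a listing.
SKIPPED_EXTENSIONS = {".exe", ".dll", ".sys", ".msi", ".lnk"}

# Shadow-copy deletion. The first pattern is the cmdlet pipeline quoted on the page, widened
# to the gwmi/rwmi aliases and the optional -Class parameter. The vssadmin and wmic patterns
# are an assumption: generic T1490 equivalents, not behaviour the page attributes to Akira.
SHADOW_COPY_PATTERNS = [
    re.compile(r"\b(get-wmiobject|gwmi)\b(\s+-class)?\s+win32_shadowcopy\s*\|\s*(remove-wmiobject|rwmi)\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
]


def match_hash(hexdigest: str) -> Optional[str]:
    """Return the algorithm name if hexdigest equals one of the listed Akira hashes."""
    digest = hexdigest.strip().lower()
    for algo, known in AKIRA_HASHES.items():
        if digest == known:
            return algo
    return None


def hash_matches_sample(data: bytes) -> Optional[str]:
    """Hash raw file bytes with all three algorithms and compare each against the IoCs."""
    for algo in ("md5", "sha1", "sha256"):
        if hashlib.new(algo, data).hexdigest() == AKIRA_HASHES[algo]:
            return algo
    return None


def is_shadow_copy_deletion(command: str) -> bool:
    """True if a PowerShell script block or command line deletes volume shadow copies."""
    return any(p.search(command) for p in SHADOW_COPY_PATTERNS)


def flag_script_block_events(events: Iterable[Dict]) -> List[int]:
    """Return RecordIds of Event ID 4104 (script block logging) events that delete shadow copies."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 4104 and is_shadow_copy_deletion(ev.get("ScriptBlockText", "")):
            hits.append(ev["RecordId"])
    return hits


def triage_listing(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Summarise a file listing: encrypted files, ransom notes, and skipped types left intact."""
    summary: Dict[str, List[str]] = {"encrypted": [], "notes": [], "intact_skipped": []}
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name == AKIRA_NOTE:
            summary["notes"].append(p)
        elif name.endswith(AKIRA_EXTENSION):  # checked before the skip list: foo.exe.akira is encrypted
            summary["encrypted"].append(p)
        elif any(name.endswith(ext) for ext in SKIPPED_EXTENSIONS):
            summary["intact_skipped"].append(p)
    return summary


# Constructed sample data (hypothetical, for illustration only).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4104, "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"},
    {"RecordId": 2, "EventID": 4104, "ScriptBlockText": "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"},
    {"RecordId": 3, "EventID": 4104, "ScriptBlockText": "gwmi -Class Win32_ShadowCopy | rwmi"},
    {"RecordId": 4, "EventID": 4103, "ScriptBlockText": "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"},
]
SAMPLE_LISTING = [
    r"D:\finance\q3.xlsx.akira",
    r"D:\finance\akira_readme.txt",
    r"D:\finance\notes.docx.akira",
    r"D:\tools\putty.exe",
    r"D:\tools\helper.dll",
]

if __name__ == "__main__":
    print("shadow-copy deletion records:", flag_script_block_events(SAMPLE_EVENTS))
    print("listing triage:", triage_listing(SAMPLE_LISTING))
```

On a live host the events would come from the Microsoft-Windows-PowerShell/Operational log (script block logging must be enabled for 4104 records to exist), and the listing from a walk of the affected shares; a listing with .akira files, the note, and untouched .exe/.dll files matches the exclusion behaviour described above.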
Read more: https://www.trellix.com/about/newsroom/stories/research/akira-ransomware/