Akira – The old-new style crime

MITRE Techniques

• [T1059.001] PowerShell – Execution via PowerShell to run the Akira sample with parameters. Quote: “Process powershell.exe | cmd.exe > (Command) –encryption_path|-p|–share_file|-s|–localonly|-l|–encryption_percent|-n”
• [T1059.003] Windows Command Shell – Execution via Windows CMD to run the Akira sample with parameters. Quote: “(Process) powershell.exe | cmd.exe > (Command) …”
• [T1074] Log control creation by Akira – Creation of a control log by Akira. Quote: “(File-Write) [Ll]og-d{2}-d{2}-d{4}-d{2}-d{2}-d{2}.txt”
• [T1490] Delete shadows using WMI – Akira uses PowerShell to delete shadow copies via WMI. Quote: “(Process) powershell.exe > (Command) powershell.exe -Command “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject””
• [T1486] Write readme file by Akira – Creation of the ransomware readme. Quote: “(File-Write) Akira_Readme.txt | help-you.txt”
• [T1136] Account creation prior to attack – Accounts are created for better management of targeted infrastructure prior to impacts. Quote: “(Process) cmd.exe > (Command) cmd.exes+/[qQ]s+/[cC]s+nets+users+/(dom|domain|add)s+d>.*d{1,3}.d{1,3}.d{1,3}.d{1,3}”
• [T1003] Dumping credentials via LSASS, SAM & NTDS – Credentials dumped to obtain more users. Quote: “(Command) cmd*/c*comsvcs.dll, MiniDump*lsass*full (Command) cmd*/c*-c -i*NTDS*-o* (Command) cmd*/c*-c -i*SYSTEM*-o* (Command) ntdsutil*ac i ntds*ifm*createfull*q q”
• [T1087] AD account discovery – Queries to map Active Directory infrastructure. Quote: “(Command) Get-ADComputer|Get-AdUser s+-Filter.*-Prop.*Select-Object.*”
• [T1562] Modify FW and disable defenses – Firewall rules added and real-time monitoring disabled. Quote: “(Command) netsh advfirewall firewall add rule name=*dir=*protocol=TCP*localport=*action=allow (Command) Set-MpPreference -DisableRealtimeMonitoring $true”