Cyble – Unraveling Akira Ransomware

Akira is a newly observed ransomware strain that uses double-extortion by exfiltrating data before encryption and threatening publication or sale of stolen information. Cyble CRIL documents its behavior, including drive enumeration, file targeting, ransom notes, and leak-site activity that lists victims and negotiation channels. Hashtags: #AkiraRansomware #CRIL #Cyble #UnitedStates #Canada #OnionSite

Key Points

  • Akira is a ransomware strain primarily impacting the United States and Canada across multiple sectors (BFSI, Construction, Education, Healthcare, Manufacturing, etc.).
  • It uses double-extortion: exfiltrates data and encrypts it, then threatens to leak or sell data on the dark web if the ransom isn’t paid.
  • The malware enumerates drives with GetLogicalDriveStrings() and searches for files to encrypt using FindFirstFileW()/FindNextFileW().
  • Ransom notes are dropped as akira_readme.txt in multiple folders and encrypted files are renamed with a .akira extension.
  • Encryption relies on Microsoft CryptoAPI (RSA and AES) with a fixed hardcoded base64 public key.
  • Shadow copies are deleted via a PowerShell command invoking a WMI query to hinder system restoration.
  • Leak-site features include a “news” list of victims and a “leaks” command, with an onion-based contact channel for negotiations and potential public exposure.
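The file-system artefacts above (a note named akira_readme.txt dropped into multiple folders, encrypted files renamed with a .akira suffix) are what an incident responder has to scope first. The following added example, written for this page and not code from Cyble or the report, walks a directory tree and summarises those artefacts: ransom-note locations, the number of encrypted files per directory, and the list of pre-encryption file names for the impact assessment. The sample share it scans is constructed in a temporary directory; matching is case-insensitive, which is an assumption about the target file system.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Artefacts named in the report: the dropped note and the extension appended to encrypted files.
RANSOM_NOTE = "akira_readme.txt"
ENCRYPTED_EXT = ".akira"


def scan_tree(root):
    """Walk `root` once and summarise Akira artefacts for incident scoping.

    Returns the ransom-note paths, a per-directory count of *.akira files and
    the grand total. Matching is case-insensitive (assumes an NTFS-like target).
    """
    notes = []
    per_dir = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lowered = name.lower()
            if lowered == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif lowered.endswith(ENCRYPTED_EXT):
                per_dir[dirpath] += 1
    return {
        "notes": sorted(notes),
        "encrypted_per_dir": dict(per_dir),
        "encrypted_total": sum(per_dir.values()),
    }


def original_names(root):
    """List the pre-encryption file names (the .akira suffix stripped), relative
    to root, so the impact list can be handed to data owners."""
    names = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(ENCRYPTED_EXT):
                rel_dir = os.path.relpath(dirpath, root)
                stripped = name[: -len(ENCRYPTED_EXT)]
                rel = os.path.normpath(os.path.join(rel_dir, stripped))
                names.append(rel.replace(os.sep, "/"))
    return sorted(names)


def build_constructed_tree():
    """Create a throwaway directory that imitates a partially encrypted share.
    The layout and contents are constructed for this example, not real samples."""
    root = tempfile.mkdtemp(prefix="akira_triage_")
    layout = {
        "finance/q1.xlsx.akira": b"\x00" * 16,
        "finance/akira_readme.txt": b"constructed note",
        "hr/notes.txt": b"untouched",
        "hr/payroll.docx.akira": b"\x00" * 16,
        "hr/archive/old.pdf.akira": b"\x00" * 16,
        "hr/archive/AKIRA_README.TXT": b"constructed note",
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    root = build_constructed_tree()
    summary = scan_tree(root)
    print(f"ransom notes: {len(summary['notes'])}, encrypted files: {summary['encrypted_total']}")
    for directory, count in sorted(summary["encrypted_per_dir"].items()):
        print(f"  {os.path.relpath(directory, root)}: {count}")
    print("impacted originals:", ", ".join(original_names(root)))
```

Per-directory counts are more useful than a flat total during triage: a folder with notes but no .akira files usually means encryption was interrupted there, which narrows the window for recovering from the last good backup.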

MITRE Techniques

  • [T1204] User Execution – Once executed, the ransomware calls GetLogicalDriveStrings() to list the logical drives available on the system. “When the ransomware is executed, it uses the API function GetLogicalDriveStrings() to obtain a list of the logical drives currently available in the system.”
  • [T1047] Windows Management Instrumentation – PowerShell command is used to interact with system components to delete shadow copies via WMI. “Additionally, the ransomware utilizes a PowerShell command, shown in Figure 9, to execute a WMI query that deletes the shadow copy, preventing system restoration.”
  • [T1059] PowerShell – The analysis references a PowerShell command used for a destructive operation (shadow copy deletion). “Figure 9 – PowerShell command to Delete Shadow copies”
  • [T1497] Virtualization/Sandbox Evasion – The technique is listed in the MITRE mapping as a defense-evasion approach. “Virtualization/Sandbox Evasion”
  • [T1027] Obfuscated Files or Information – The malware uses a fixed hardcoded base64 encoded public key. “fixed hardcoded base64 encoded public key, as shown below.”
  • [T1057] Process Discovery – The MITRE mapping includes Process Discovery among the techniques. “Process Discovery”
  • [T1012] Query Registry – The MITRE mapping includes Query Registry among the techniques. “Query Registry”
  • [T1082] System Information Discovery – The MITRE mapping includes System Information Discovery. “System Information Discovery”
  • [T1083] File and Directory Discovery – The ransomware searches for files and directories to encrypt by iterating through them. “searches for files and directories to encrypt by iterating through them using the API functions FindFirstFileW() and FindNextFileW().”
  • [T1486] Data Encrypted for Impact – The ransomware exfiltrates and encrypts data using a double-extortion technique. “exfiltrates and encrypts their data using a double-extortion technique.”
  • [T1490] Inhibit System Recovery – It deletes shadow copies to hinder recovery. “deletes the shadow copy, preventing system restoration.”

Indicators of Compromise

  • [MD5] – c7ae7f5becb7cf94aa107ddc1caf4b03
  • [SHA1] – 923161f345ed3566707f9f878cc311bc6a0c5268
  • [SHA256] – 3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c
  • [File name] – akira_readme.txt
  • [File name] – Bootmgr
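Two of the behaviours in this summary translate directly into telemetry checks: the shadow copy deletion via a PowerShell-driven WMI query (T1047/T1490 in the mapping) and the file hashes listed above. The following added example, not code from Cyble or the report, runs both checks over Sysmon-style process-creation lines. The log lines are constructed for this example; the page gives only the description of the command, so the token pairs used to recognise Win32_ShadowCopy deletion (class name plus a deleting cmdlet or method) are an assumption, and the second sample line shows why a class reference alone must not fire: listing shadow copies is routine administration.

```python
import re

# Hashes listed under Indicators of Compromise on this page, normalised to lower case.
IOC_HASHES = {
    "md5": {"c7ae7f5becb7cf94aa107ddc1caf4b03"},
    "sha1": {"923161f345ed3566707f9f878cc311bc6a0c5268"},
    "sha256": {"3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c"},
}

# Shadow-copy deletion through WMI needs both a reference to the Win32_ShadowCopy
# class and a deleting verb. The page only says "a PowerShell command invoking a
# WMI query"; the token sets below are an assumption covering the usual forms.
SHADOW_TOKENS = ("win32_shadowcopy",)
DELETE_TOKENS = ("remove-wmiobject", "remove-ciminstance", ".delete(")

# Sysmon-style process-creation events, constructed for this example (not real telemetry).
SAMPLE_LOGS = [
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -Command Get-WmiObject Win32_Shadowcopy | Remove-WmiObject" Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000000',
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -Command Get-WmiObject Win32_Shadowcopy" Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000000',
    r'EventID=1 Image=C:\Users\Public\update.exe CommandLine="C:\Users\Public\update.exe" Hashes=MD5=11111111111111111111111111111111,SHA256=3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c',
    r'EventID=1 Image=C:\Windows\explorer.exe CommandLine="C:\Windows\explorer.exe" Hashes=SHA256=2222222222222222222222222222222222222222222222222222222222222222',
]

# key=value pairs; a quoted value may contain spaces, a bare one runs to the next space.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_event(line):
    """Split one log line into a dict of its fields."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def parse_hashes(field):
    """Turn 'MD5=..,SHA256=..' into {'md5': .., 'sha256': ..}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().lower()] = value.strip().lower()
    return out


def classify(event):
    """Return (tag, detail) findings for a single event."""
    findings = []
    cmd = event.get("CommandLine", "").lower()
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if any(t in cmd for t in SHADOW_TOKENS) and any(t in cmd for t in DELETE_TOKENS):
        findings.append(("T1490/T1047", f"shadow copy deletion via WMI from {image}"))
    for algo, value in parse_hashes(event.get("Hashes", "")).items():
        if value in IOC_HASHES.get(algo, ()):
            findings.append((f"IOC:{algo}", f"{image} matches known Akira sample {value}"))
    return findings


def scan_logs(lines):
    """Return (line_index, tag, detail) for every finding across the log lines."""
    return [(i, tag, detail)
            for i, line in enumerate(lines)
            for tag, detail in classify(parse_event(line))]


if __name__ == "__main__":
    for index, tag, detail in scan_logs(SAMPLE_LOGS):
        print(f"line {index}: [{tag}] {detail}")
```

The hash check is the brittle half: a rebuilt sample changes every hash, so it only catches the exact binary the report analysed, whereas the behavioural rule keeps working across variants as long as the deletion still goes through WMI. Both are worth running; they fail in different ways.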

Read more: https://blog.cyble.com/2023/05/10/unraveling-akira-ransomware/