The Akira ransomware group has been operational since March 2023, employing a “double extortion” strategy that involves data exfiltration before encryption and threats of public exposure if ransoms are not paid. Their attacks have predominantly targeted sectors like Education, Finance, Manufacturing, and Healthcare across North America, Europe, and Australia, leading to significant financial gains exceeding million.
Affected: Education, Finance, Manufacturing, Healthcare, Business Services, Critical Infrastructure
Key Points:
- Akira ransomware group first identified in March 2023.
- Employs double extortion tactics by exfiltrating data before encryption.
- Targets industries including Education, Finance, Manufacturing, and Healthcare.
- Claimed approximately million in ransomware proceeds.
- Utilizes compromised VPN credentials and exploits Cisco vulnerabilities for initial access.
- Operates under a Ransomware-as-a-Service (RaaS) model and has compromised over 350 organizations.
- Utilizes tools such as AnyDesk, RClone, and WinSCP for data exfiltration.
- Encrypts data with ChaCha20 and uses RSA to securely exchange (wrap) the ChaCha20 keys.
- Threatens to publish exfiltrated data on public sites if the ransom is not paid.
MITRE Techniques:
- Initial Access: Valid Accounts (T1078) – Akira actors misuse credentials of existing accounts for access.
- Initial Access: Exploit Public-Facing Application (T1190) – Exploits vulnerabilities in internet-facing systems for access.
- Initial Access: External Remote Services (T1133) – Utilizes remote access services like RDP/VPN for entry.
- Credential Access: OS Credential Dumping (T1003) – Uses tools like Mimikatz and LaZagne to dump credentials.
- Persistence: Create Account: Domain Account (T1136.002) – Establishes persistence by creating new domain accounts.
- Defense Evasion: Impair Defenses: Disable or Modify Tools (T1562.001) – Disables antivirus software using Bring Your Own Vulnerable Driver (BYOVD) attacks.
- Command and Control: Remote Access Software (T1219) – Uses legitimate software like AnyDesk for remote access.
- Exfiltration: Exfiltration Over Alternative Protocol (T1048) – Employs tools like WinSCP for transferring data.
- Impact: Data Encrypted for Impact (T1486) – Encrypts data on systems to interrupt availability.
Indicators of Compromise:
- [File] w.exe
- [File] Win.exe
- [File] AnyDesk.exe
- [File] Rclone.exe
- [File] Akira_v2
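As an added example (not part of the original post), the following Python triage script scans process-creation events for the file indicators listed above and maps each hit to the MITRE technique the summary associates with that tool; it also flags hosts where both the remote-access tool and an exfiltration tool appear, the combination described under the key points. The JSON event schema and the sample events are constructed assumptions, not real telemetry.

```python
import json
import re
from collections import defaultdict

# File indicators from the summary above, mapped to the techniques it lists.
# Matched case-insensitively on the basename only. Note that short generic
# names such as w.exe / Win.exe will collide with benign files, so treat a
# hit on those as a triage lead rather than a verdict.
IOC_TECHNIQUES = {
    "w.exe": "T1486 Data Encrypted for Impact",
    "win.exe": "T1486 Data Encrypted for Impact",
    "akira_v2": "T1486 Data Encrypted for Impact",
    "anydesk.exe": "T1219 Remote Access Software",
    "rclone.exe": "T1048 Exfiltration Over Alternative Protocol",
    "winscp.exe": "T1048 Exfiltration Over Alternative Protocol",
}

# Constructed sample events (hypothetical JSON-lines schema).
SAMPLE_EVENTS = r"""
{"host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\svchost.exe"}
{"host": "FS01", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}
{"host": "FS01", "user": "CORP\\jdoe", "image": "C:\\ProgramData\\rclone.exe"}
{"host": "WS22", "user": "CORP\\alice", "image": "C:\\Program Files\\WinSCP\\WinSCP.exe"}
{"host": "FS01", "user": "CORP\\jdoe", "image": "C:\\Temp\\Win.exe"}
"""


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def match_events(text):
    """Return one hit dict per event whose image basename is a listed indicator."""
    hits = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        name = basename(ev["image"])
        if name in IOC_TECHNIQUES:
            hits.append({"host": ev["host"], "user": ev["user"],
                         "file": name, "technique": IOC_TECHNIQUES[name]})
    return hits


def hosts_with_access_and_exfil(hits):
    """Hosts where a T1219 remote-access tool and a T1048 exfiltration tool both ran."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["host"]].add(h["technique"].split()[0])
    return sorted(host for host, ids in seen.items() if {"T1219", "T1048"} <= ids)


if __name__ == "__main__":
    found = match_events(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["host"]:5} {h["user"]:16} {h["file"]:12} {h["technique"]}')
    print("access+exfil hosts:", hosts_with_access_and_exfil(found))
```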
Full Story: https://darkatlas.io/blog/akira-ransomware-road-to-glory