Huntress analysts detail indicators and tactics tied to Akira ransomware, emphasizing the need for early detection and continuous monitoring. They highlight threat actors creating new user accounts, exploiting MSSQL servers, and using RDP for unauthorized access, with Cloudflared tunnels detected in some infrastructures; recommendations focus on asset inventories and enhanced monitoring. #AkiraRansomware #Huntress #MSSQL #RDP #Cloudflared #WIN-JGRMF8L11HO
Keypoints
- Huntress analysts track Akira ransomware attacks and their precursors.
- New user accounts are created by threat actors to facilitate attacks.
- RDP can be enabled on endpoints, allowing unauthorized access.
- Cloudflared tunnels have been detected in customer infrastructures.
- Recommendations include asset inventory, attack surface reduction, and enhanced monitoring.
- Indicators of early-stage activity can help inhibit follow-on encryption.
MITRE Techniques
- [T1136.001] Create Account: Local Account – Threat actors create new user accounts over Windows logon type 3 (network) sessions or through access to the MSSQL server.
- [T1021.001] Remote Services: Remote Desktop Protocol – RDP is enabled on endpoints to give the threat actor interactive remote access.
- [T1059] Command and Scripting Interpreter – Commands are run to modify the registry settings that enable RDP and to hide the newly created user accounts.
- [T1486] Data Encrypted for Impact – The file-encryption payload is deployed to encrypt files, with specific command-line usage observed.
Indicators of Compromise
- [Hostname] WIN-JGRMF8L11HO – workstation name of the threat actor's machine, visible in network logons
- [File Extension] .akira – extension appended to encrypted files
- [Filename] akira_readme.txt – Akira ransom note file name
- [Password] Noface66Nocase! – password observed being set on newly created accounts and on existing accounts whose password the threat actor changed
- [Hash] 3b7fc61649badd73986a86d39124b69aa2c7b6ecdb1d448137080579dc4990f2 – SHA256 hash of one observed instance of w.exe
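The following detection logic is an added example, not code from Huntress or from the original post. It turns the behaviours listed under MITRE Techniques and the indicators above into rules run over a constructed stream of normalised Windows events: a 4624 network logon from the actor's workstation name, a 4720 account creation shortly after a type 3 logon, reg.exe command lines that flip fDenyTSConnections to 0 or add a user to the Winlogon SpecialAccounts\UserList hide list, a process whose SHA256 matches the w.exe hash, and file creates for .akira files or the ransom note. The event schema, the 600-second correlation window and all sample events are assumptions made for the example; the password IoC is not checked because it does not appear in event logs.

```python
import re
from dataclasses import dataclass, field

# Indicators copied from the IoC list above.
AKIRA_HOSTNAME = "WIN-JGRMF8L11HO"
AKIRA_EXTENSION = ".akira"
AKIRA_NOTE = "akira_readme.txt"
AKIRA_W_EXE_SHA256 = "3b7fc61649badd73986a86d39124b69aa2c7b6ecdb1d448137080579dc4990f2"

# Assumed window: an account created this soon after a type 3 logon on the same
# host is treated as created through that network session.
ACCOUNT_CREATE_WINDOW_S = 600

# Matches "reg add ... /d 0" or PowerShell "-Value 0" (the value that enables RDP).
ZERO_VALUE = re.compile(r"(?:/d|-value)\s+0(?!\d)")


@dataclass
class Event:
    """Minimal normalised endpoint event (constructed shape, not a vendor schema)."""
    ts: int                                  # seconds since epoch
    host: str                                # endpoint that logged the event
    event_id: int                            # 4624 logon, 4720 user created, 4688 process, 11 file create
    data: dict = field(default_factory=dict)


def detect(events):
    """Return (rule, host, detail) tuples for Akira precursor and impact activity."""
    alerts = []
    last_network_logon = {}  # host -> timestamp of most recent type 3 logon

    for ev in sorted(events, key=lambda e: e.ts):
        d = ev.data
        if ev.event_id == 4624:
            if d.get("logon_type") == 3:
                last_network_logon[ev.host] = ev.ts
            if d.get("workstation", "").upper() == AKIRA_HOSTNAME:
                alerts.append(("akira_actor_workstation", ev.host, d.get("workstation")))
        elif ev.event_id == 4720:
            since_logon = ev.ts - last_network_logon.get(ev.host, -10**9)
            if since_logon <= ACCOUNT_CREATE_WINDOW_S:
                alerts.append(("account_created_after_network_logon", ev.host, d.get("new_user")))
        elif ev.event_id == 4688:
            cmd = d.get("cmdline", "")
            cmd_l = cmd.lower()
            if "fdenytsconnections" in cmd_l and ZERO_VALUE.search(cmd_l):
                alerts.append(("rdp_enabled_via_registry", ev.host, cmd))
            if "specialaccounts\\userlist" in cmd_l:
                alerts.append(("user_account_hidden_from_logon", ev.host, cmd))
            if d.get("sha256", "").lower() == AKIRA_W_EXE_SHA256:
                alerts.append(("akira_w_exe_hash", ev.host, d.get("image")))
        elif ev.event_id == 11:
            path = d.get("path", "")
            name = path.rsplit("\\", 1)[-1].lower()
            if name == AKIRA_NOTE or name.endswith(AKIRA_EXTENSION):
                alerts.append(("akira_encryption_artifact", ev.host, path))
    return alerts


def sample_events():
    """Constructed telemetry for one host, in the order an intrusion would produce it."""
    h = "FILESRV01"
    return [
        Event(1000, h, 4624, {"logon_type": 3, "workstation": "WIN-JGRMF8L11HO", "user": "svc_sql"}),
        Event(1120, h, 4720, {"new_user": "backup_adm"}),
        Event(1200, h, 4688, {"image": r"C:\Windows\System32\reg.exe",
              "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'}),
        Event(1260, h, 4688, {"image": r"C:\Windows\System32\reg.exe",
              "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v backup_adm /t REG_DWORD /d 0 /f'}),
        Event(5000, h, 4688, {"image": r"C:\ProgramData\w.exe", "sha256": AKIRA_W_EXE_SHA256, "cmdline": "w.exe"}),
        Event(5100, h, 11, {"path": r"D:\shares\finance\q3.xlsx.akira"}),
        Event(5101, h, 11, {"path": r"D:\shares\finance\akira_readme.txt"}),
        # Benign: account created hours after the last network logon, outside the window.
        Event(9000, h, 4720, {"new_user": "jsmith"}),
    ]


if __name__ == "__main__":
    for rule, host, detail in detect(sample_events()):
        print(f"{rule:40} {host} {detail}")
```

The ordering matters for triage: the first four rules fire before any encryption and are where the "early-stage indicators" from the keypoints buy time, while the hash and file rules confirm impact. The hidden-account command also contains "/d 0", so the RDP rule deliberately requires the fDenyTSConnections value name rather than the zero alone.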
Read more: https://www.huntress.com/blog/akira-ransomware-indicators