Key Points
- CISA, FBI, and NCSC-NL released advisory AA24-109A describing Akira ransomware TTPs and IOCs identified through investigations and third-party reporting.
- Akira operates as Ransomware-as-a-Service (RaaS), steals data prior to encryption, and lists victims on a Tor (.onion) leak site if demands are not met.
- Initial access is commonly achieved by brute forcing RDP; attackers create a local admin account named “itadm” for persistence and enumerate AD, domain controllers, and trusts.
- Adversaries deploy credential theft tools and techniques including Kerberoasting, LSASS memory dumping (via rundll32/comsvcs -> MiniDump + Mimikatz), and LaZagne to harvest credentials.
- Attackers move laterally using harvested credentials over RDP, then execute ransomware that deletes Volume Shadow Copies, encrypts files (appending .akira), and exfiltrates data over FTP.
- AttackIQ published an attack graph/emulation mapping these behaviors to MITRE techniques to help organizations validate detection and prevention controls.
- Detection and mitigation guidance emphasizes monitoring for LSASS-dump behaviors, shadow copy deletion commands, patching, privileged account management, backups, and other ATT&CK mitigations.
MITRE Techniques
- [T1110.003] Credential Brute Force – RDP brute forcing to gain access, then creating persistence: (‘This stage starts immediately after the adversary has gained access by brute forcing through the Remote Desktop Protocol (RDP).’).
- [T1136.001] Create Account: Local Account – Creation of a local administrative account named itadm using net user: (‘create a new account with the name itadm using net user’).
- [T1069] Permission Groups Discovery – Enumerating local and domain groups using net localgroup and net group /domain: (‘enumerat[e] permission groups using the net localgroup and net group /domain commands’).
- [T1018] Remote System Discovery – Using nltest and Adfind to list domain controllers and perform Active Directory discovery: (‘executes the nltest command to gather a list of domain controllers’ / ‘perform Active Directory discovery by leveraging the Adfind utility’).
- [T1482] Domain Trust Discovery – Calling nltest /trusted_domains to retrieve trusted AD domains: (‘calls the native nltest utility with the /trusted_domains option to retrieve a list of trusted Active Directory domains’).
- [T1105] Ingress Tool Transfer – Downloading and saving tools such as a Kerberos ticket dumper to memory/disk to enable further actions: (‘downloads to memory and saves to disk … to prevent the delivery of known malicious samples’).
- [T1558.003] Steal or Forge Kerberos Tickets: Kerberoasting – Implementing Kerberoasting to extract password hashes for SPN accounts: (‘implement the Kerberoasting technique … extract password hashes for accounts using their Service Principal Name (SPN) ticket’).
- [T1003.001] OS Credential Dumping: LSASS Memory – Dumping LSASS to a MiniDump via rundll32.exe + comsvcs.dll, then using Mimikatz to extract credentials: (‘dump it in a MiniDump file, which will then be used by Mimikatz to acquire credentials’).
- [T1003] OS Credential Dumping – Using LaZagne to dump stored credentials when other credential access fails: (‘the adversary will resort to the credential stealer known as LaZagne’).
- [T1217] Browser Bookmark Discovery – Flushing the WebCache log files back into the WebCacheV01 database and copying the database for offline extraction of browser data: (‘iterate through each user profile … flush the data from the WebCache log files back to the WebCacheV01 database’).
- [T1021.001] Remote Services: RDP – Lateral movement to discovered hosts using RDP and harvested credentials: (‘use the dumped credentials to move laterally … through Remote Desktop Protocol (RDP)’).
- [T1490] Inhibit System Recovery – Deleting Volume Shadow Copies via WMI to prevent recovery prior to encryption: (‘attempt to delete a recent Volume Shadow Copy … using Get-WMIObject Win32_ShadowCopy’).
- [T1082] System Information Discovery – Retrieving system information (GetSystemInfo) as part of preparation to encrypt: (‘executes the GetSystemInfo Native API call to retrieve information associated to the system’).
- [T1486] Data Encrypted for Impact – Enumerating files by extension and performing in-place encryption using Akira’s algorithm, appending .akira: (‘Files matching an extension list are identified and encrypted in place … append the .akira extension’).
- [T1048] Exfiltration Over Alternative Protocols – Using FTP to transfer exfiltrated data off the compromised host to support double extortion: (‘exfiltrate the collected information via File Transfer Protocol (FTP)’).
Indicators of Compromise
- [File Extension] Encrypted file marker – .akira (files encrypted by this ransomware append the .akira extension).
- [Network/Leak Site] Victim negotiation and leak infrastructure – Tor (.onion) site used by Akira for victim contact and for listing non-paying victims, plus other Tor domains associated with the group.
- [Tool/Binary] Credential theft tools observed – Mimikatz, LaZagne (used to extract credentials and dump stored passwords).
- [Files/Artifacts] Dump and database artifacts – MiniDump of LSASS, NTDS.dit attempts (AD database dump via ntdsutil), and copies of WebCacheV01 database for browser data extraction.
- [Protocols] Exfiltration protocol – FTP used to transfer stolen data off-host (exfiltration over FTP to attacker-controlled server).
Attack Flow and Technical Procedure
Akira operations typically begin with RDP brute force to gain an initial foothold, followed by creating a local administrative account (itadm) and enumerating domain topology (net localgroup, net group /domain, nltest, Adfind) to identify domain controllers and trusted domains. Operators download tools (ingress tool transfer) including Kerberos ticket dumpers to perform Kerberoasting for service account hashes, then attempt LSASS memory extraction via rundll32/comsvcs -> MiniDump and process the dump with Mimikatz; if that fails they run LaZagne to harvest stored credentials. Using harvested credentials, attackers move laterally over RDP to previously identified hosts.
Post-compromise, adversaries delete volume shadow copies via WMI (Get-WMIObject Win32_ShadowCopy) to inhibit recovery, gather system information (GetSystemInfo), and run file-encryption routines that identify files by extension and encrypt them in place using Akira’s algorithm, resulting in files bearing the .akira extension. Before or after encryption they collect sensitive data (including browser artifacts extracted from WebCacheV01) and export it over FTP to support double extortion and public disclosure on a Tor (.onion) leak site.
Detection and Mitigation
Detection priorities include monitoring for RDP brute-force activity and for creation of unexpected local admin accounts (e.g., itadm), detecting LSASS-dump behavior (comsvcs/rundll32 command lines and MiniDump creation), spotting PowerShell/WMI commands that delete shadow copies, and watching outbound FTP transfers. Mitigations recommended by MITRE and CISA include timely patching, strong password and privileged account management, behavior prevention on endpoints, and backups, together with targeted detection rules such as:
- Process Name == comsvcs AND Command Line CONTAINS(‘lsass’)
- Process Name == powershell.exe AND Command Line == “Get-WmiObject Win32_Shadowcopy | ForEach-Object ($_.Delete();)”
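As an added example (not code from the CISA advisory or from AttackIQ), the following Python script applies the detection priorities above to a handful of constructed process-creation records in a simplified pipe-delimited format (timestamp, host, user, image, command line). It implements the two rules quoted above, adds a net user /add rule for itadm-style account creation and an nltest /trusted_domains rule, and correlates an account creation with a later addition of the same account to Administrators on the same host. One caveat on the comsvcs rule: comsvcs.dll is a library loaded by rundll32.exe, so the process image to match is rundll32.exe, and the rule here keys on the MiniDump export name rather than on the literal string lsass, because the dump file path is chosen by the operator and need not contain it. The log format, host names and account names are all assumptions made up for this example.

```python
"""Detection logic for the Akira behaviours summarised above, run over a few
constructed process-creation records. Added example; not advisory or AttackIQ code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    image: str   # full path of the created process
    cmd: str     # its command line


@dataclass(frozen=True)
class Alert:
    technique: str   # ATT&CK ID from the mapping above
    name: str
    host: str
    cmd: str


def parse_event(line: str) -> Event:
    """Parse one 'key=value|key=value|...' record (constructed format).
    The command line is the last field and is split off with maxsplit=4 so that
    pipes inside it ('Get-WmiObject ... | ForEach-Object') survive intact."""
    fields = line.rstrip("\n").split("|", 4)
    if len(fields) != 5:
        raise ValueError(f"malformed record: {line!r}")
    ts, host, user, image, cmd = (f.split("=", 1)[1] for f in fields)
    return Event(ts, host, user, image, cmd)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


# Account-creation patterns used both as a rule and for correlation.
ADD_USER = r"\buser\s+(\S+)(?:\s+\S+)?\s+/add\b"                      # net user <name> [<pw>] /add
ADD_ADMIN = r"\blocalgroup\s+administrators\s+(\S+)\s+/add\b"        # net localgroup administrators <name> /add

# (technique, alert name, image basename regex, command-line regex); matching is
# case-insensitive because Windows command lines are.
RULES = [
    ("T1003.001", "LSASS MiniDump via rundll32 + comsvcs.dll",
     r"^rundll32\.exe$", r"comsvcs\.dll\s*,?\s*minidump"),
    ("T1490", "Volume Shadow Copy deletion via WMI",
     r"^powershell\.exe$", r"win32_shadowcopy.*(\$_\.delete\(\)|remove-wmiobject)"),
    ("T1136.001", "Local account creation via net user", r"^net1?\.exe$", ADD_USER),
    ("T1482", "Domain trust discovery via nltest", r"^nltest\.exe$", r"/trusted_domains\b"),
]


def match_rules(ev: Event) -> list[Alert]:
    """Return one Alert per rule whose image and command-line regexes both match."""
    name = basename(ev.image)
    return [Alert(tech, title, ev.host, ev.cmd)
            for tech, title, image_re, cmd_re in RULES
            if re.search(image_re, name, re.I) and re.search(cmd_re, ev.cmd, re.I)]


def correlate_local_admin(events: list[Event]) -> list[Alert]:
    """Flag an account that is created and then placed in Administrators on the
    same host. This is the itadm pattern from the advisory, matched on behaviour
    rather than on the hard-coded account name."""
    created: set[tuple[str, str]] = set()
    alerts = []
    for ev in events:
        if basename(ev.image).lower() not in ("net.exe", "net1.exe"):
            continue
        if m := re.search(ADD_USER, ev.cmd, re.I):
            created.add((ev.host, m.group(1).lower()))
        if (m := re.search(ADD_ADMIN, ev.cmd, re.I)) and (ev.host, m.group(1).lower()) in created:
            alerts.append(Alert("T1136.001", "New local account added to Administrators", ev.host, ev.cmd))
    return alerts


def analyze(lines: list[str]) -> list[Alert]:
    events = [parse_event(l) for l in lines if l.strip()]
    return [a for ev in events for a in match_rules(ev)] + correlate_local_admin(events)


# Constructed sample log: hosts, users, PID and paths are invented for the example.
SAMPLE_LOG = """\
ts=2024-04-18T09:58:10Z|host=WS01|user=WS01\\Administrator|image=C:\\Windows\\System32\\net.exe|cmd=net user itadm Str0ngPass! /add
ts=2024-04-18T09:58:12Z|host=WS01|user=WS01\\Administrator|image=C:\\Windows\\System32\\net.exe|cmd=net localgroup administrators itadm /add
ts=2024-04-18T10:01:30Z|host=WS01|user=WS01\\itadm|image=C:\\Windows\\System32\\nltest.exe|cmd=nltest /trusted_domains
ts=2024-04-18T10:05:02Z|host=WS01|user=WS01\\itadm|image=C:\\Windows\\System32\\rundll32.exe|cmd=rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 628 C:\\Temp\\out.dmp full
ts=2024-04-18T10:40:00Z|host=FS01|user=CORP\\svc_backup|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|cmd=powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object ($_.Delete();)"
ts=2024-04-18T10:41:00Z|host=FS01|user=CORP\\jdoe|image=C:\\Windows\\System32\\net.exe|cmd=net user jdoe
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f"[{a.technique}] {a.name} on {a.host}: {a.cmd}")
```

Run against the sample it raises five alerts: account creation, trust discovery, the comsvcs MiniDump (whose output file deliberately does not contain "lsass"), the shadow-copy deletion, and the correlated "account added to Administrators" finding; the benign `net user jdoe` query raises nothing. The pipe inside the PowerShell command line is preserved because the parser splits off the command line as the final field rather than on every delimiter.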