Keypoints
- Initial access commonly achieved via VPNs without MFA, exploited Cisco AnyConnect vulnerabilities (CVE-2020-3259, CVE-2023-20269), RDP, spearphishing, or stolen/valid credentials.
- Akira actors perform discovery and credential theft (Kerberoasting, LSASS memory dumps) using tools like Mimikatz and LaZagne, plus network scanners (SoftPerfect, Advanced IP Scanner).
- Persistence through creation of domain accounts (e.g., ‘itadm’) and use of remote-access tools (AnyDesk, Ngrok, RustDesk, Cloudflare Tunnel) for C2 and remote control.
- Defense evasion includes disabling security products (PowerTool exploiting Zemana driver) and terminating AV processes prior to lateral movement.
- Exfiltration uses FileZilla, WinSCP, WinRAR, and RClone to move data over FTP/SFTP/cloud storage (Mega); actors use double-extortion and publish data via Tor (.onion) sites.
- Encryption uses a ChaCha20 + RSA hybrid, appending .akira or .powerranges (Megazord); Akira_v2 (Rust) adds runtime options (-p, -s, -n, --fork), Build ID checks, vmonly and stopvm capabilities, and deletes VSS on Windows.
- Multiple filenames and hashes are provided for detection (e.g., w.exe, Win.exe, Akira_v2, Megazord samples), plus exploit and tool artifacts for hunting.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to gain access via known Cisco vulnerabilities: ‘mostly using known Cisco vulnerabilities… CVE-2020-3259 and CVE-2023-20269.’
- [T1133] External Remote Services – Actors accessed networks via remote services: ‘use of external-facing services such as Remote Desktop Protocol (RDP)’.
- [T1566.001] Phishing: Spearphishing Attachment – Phishing with malicious attachments used to gain access: ‘spear phishing’.
- [T1566.002] Phishing: Spearphishing Link – Phishing with malicious links used as an initial vector: ‘spear phishing’.
- [T1078] Valid Accounts – Actors abused legitimate credentials to access environments: ‘abuse of valid credentials’.
- [T1136.002] Create Account: Domain Account – Persistence via created domain accounts, e.g., ‘creating an administrative account named itadm.’
- [T1003.001] OS Credential Dumping: LSASS Memory – Credential harvesting from LSASS memory and Kerberoasting: ‘Kerberoasting… to extract credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS)’.
- [T1003] OS Credential Dumping – Use of credential scraping tools such as ‘Mimikatz and LaZagne’ for credential harvesting and privilege escalation.
- [T1016] System Network Configuration Discovery – Network scanning and discovery via tools like ‘SoftPerfect and Advanced IP Scanner’ to map devices and services.
- [T1018] Remote System Discovery – Use of net and nltest commands to enumerate domain controllers: ‘net… identify domain controllers’ and ‘nltest /dclist’.
- [T1562.001] Impair Defenses: Disable or Modify Tools – Disabling security products with PowerTool and terminating AV processes: ‘using PowerTool to exploit the Zemana AntiMalware driver… and terminate antivirus-related processes.’
- [T1219] Remote Access Software – Use of legitimate remote-support tools for access/persistence: ‘AnyDesk… maliciously used by threat actors to obtain remote access.’
- [T1090] Proxy – Use of tunneling/proxy tools such as ‘Ngrok to create a secure tunnel’ for C2/exfiltration.
- [T1560.001] Archive Collected Data: Archive via Utility – Compressing data for exfiltration via ‘WinRAR’ and splitting archives.
- [T1048] Exfiltration Over Alternative Protocol – Data transfer tools like ‘WinSCP’ and ‘FileZilla’ used to move exfiltrated files.
- [T1537] Transfer Data to Cloud Account – Use of cloud storage services (e.g., ‘Mega’) to host exfiltrated data and actor-controlled accounts.
- [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Use of ‘RClone to sync files with cloud storage services’ for exfiltration.
- [T1486] Data Encrypted for Impact – Final encryption of files and appending extensions: ‘Encrypted files are appended with either a .akira or .powerranges extension.’
- [T1490] Inhibit System Recovery – Deleting volume shadow copies to prevent recovery: ‘utilizes PowerShell commands to delete volume shadow copies (VSS) on Windows systems.’
- [T1657] Financial Theft – Double-extortion ransom model used to coerce payment and publication of stolen data: ‘double-extortion model… threaten to publish exfiltrated data on the Tor network.’
Indicators of Compromise
- [File Name] ransomware and tooling – w.exe (Akira encryptor), Win.exe (encryptor), Akira_v2, Megazord, AnyDesk.exe
- [SHA-256 Hash] sample hashes for detection – w.exe: d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca; Akira_v2: 3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75; and multiple Megazord hashes (see advisory)
- [MD5 Hash] installer artifact – winrar-x64-623.exe: 7a647af3c112ad805296a22b2a276e7c
- [Ransom Notes & Extensions] post-encryption artifacts – ransom note fn.txt; alternative note akiranew.txt; encrypted file extensions .akira, .powerranges, possibly .akiranew
- [Tools/Artifacts] exfiltration and tunneling artifacts – RClone.exe (aaa647327…), WinSCP installers/hashes, Sysmon.exe used with Ngrok, and config.yml for Ngrok
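As an added example that is not part of the advisory or CISA's material, the Python script below turns the indicators listed above into a file-system triage check: it streams every file under a directory through SHA-256 and MD5, compares the digests with the hashes quoted on this page, and separately flags the weaker name-based signals (ransom note filenames, the .akira/.powerranges/.akiranew extensions, and tooling filenames such as w.exe or rclone.exe). The sample directory it builds is constructed for the demonstration and contains no malware; no file in it will hash-match, which is exactly what a clean host should look like.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators copied from the advisory summary above. Hashes are matched exactly;
# names and extensions are weaker signals and are reported separately.
SHA256_IOCS = {
    "d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca": "w.exe (Akira encryptor)",
    "3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75": "Akira_v2",
}
MD5_IOCS = {
    "7a647af3c112ad805296a22b2a276e7c": "winrar-x64-623.exe (installer artifact)",
}
RANSOM_NOTE_NAMES = {"fn.txt", "akiranew.txt"}
ENCRYPTED_EXTENSIONS = {".akira", ".powerranges", ".akiranew"}
# config.yml (the Ngrok artifact) is deliberately left out: the name alone is far too generic.
SUSPECT_TOOL_NAMES = {"w.exe", "win.exe", "rclone.exe", "anydesk.exe"}


def hash_file(path):
    """Return (sha256, md5) hex digests, streaming so large files are never loaded whole."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha.update(chunk)
            md5.update(chunk)
    return sha.hexdigest(), md5.hexdigest()


def check_file(path):
    """Return the list of reasons this file is interesting (empty list if none)."""
    reasons = []
    name = os.path.basename(path).lower()
    if name in RANSOM_NOTE_NAMES:
        reasons.append("ransom note name")
    ext = Path(name).suffix
    if ext in ENCRYPTED_EXTENSIONS:
        reasons.append(f"encrypted-file extension {ext}")
    if name in SUSPECT_TOOL_NAMES:
        reasons.append("filename matches tooling listed in advisory")
    try:
        sha, md5 = hash_file(path)
    except OSError:
        return reasons  # locked or unreadable file: report the name-based hits we have
    if sha in SHA256_IOCS:
        reasons.append(f"SHA-256 match: {SHA256_IOCS[sha]}")
    if md5 in MD5_IOCS:
        reasons.append(f"MD5 match: {MD5_IOCS[md5]}")
    return reasons


def scan_tree(root):
    """Walk root and return [(path, reason), ...] for every indicator hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            findings.extend((path, reason) for reason in check_file(path))
    return findings


def build_sample_tree():
    """Constructed sample directory (no real malware). Returns (root, {name: path})."""
    root = tempfile.mkdtemp(prefix="akira-triage-")
    contents = {
        "fn.txt": b"constructed stand-in for a ransom note\n",
        "quarterly.xlsx.akira": b"\x00\x01 constructed stand-in for an encrypted file",
        "win.exe": b"MZ constructed placeholder, not an executable",
        "readme.txt": b"benign file\n",
        "empty.bin": b"",
    }
    paths = {}
    for name, data in contents.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths[name] = path
    return root, paths


if __name__ == "__main__":
    sample_root, _ = build_sample_tree()
    for hit_path, hit_reason in scan_tree(sample_root):
        print(f"{hit_reason:45s} {hit_path}")
```

Point scan_tree() at a user profile or a file share to triage it; hash hits are high confidence, while name and extension hits should be read as prompts to look at the file's timestamps and the surrounding directory.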
Akira operations (initial access → credential theft → lateral movement → exfiltration → encryption) proceed as follows: actors commonly exploit internet-facing VPN/Cisco AnyConnect vulnerabilities (CVE-2020-3259, CVE-2023-20269), use RDP or phishing to gain a foothold, or employ stolen/valid credentials. After access they perform discovery with tools such as SoftPerfect, Advanced IP Scanner, AdFind, and PCHunter64, and enumerate domain controllers and trusts with nltest, net group/localgroup, and tasklist to map targets.
For credential access and privilege escalation, Akira actors use Kerberoasting and LSASS memory dumping (rundll32/minidump workflows), and run credential harvesters like Mimikatz and LaZagne. They establish persistence by creating domain accounts (observed account: itadm) and employ remote-access/tunneling tools (AnyDesk, Ngrok, RustDesk, Cloudflare Tunnel) for C2 and remote control, while attempting to disable or bypass security products (PowerTool exploiting the Zemana driver and terminating AV processes).
Prior to and during impact, actors exfiltrate data using FileZilla, WinSCP, WinRAR (archive/split), and RClone (sync to cloud storage such as Mega), then encrypt systems with a hybrid ChaCha20 + RSA scheme that appends .akira or .powerranges. The Rust-based Akira_v2 adds runtime flags (-p, -s, -n, --fork), thread control, Build ID run checks to thwart analysis, ‘vmonly’ and ‘stopvm’ options for VM targeting, and uses PowerShell to delete volume shadow copies; ransom notes (fn.txt or akiranew.txt) are dropped in root and user directories.
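As an added example (not from the advisory or CISA), the following Python detection logic covers both the MITRE technique list and the kill-chain narrative above: it runs a small rule set over process-creation events, tags each hit with the ATT&CK ID the page maps that behaviour to, and then correlates per host so that a machine showing several stages of the chain (DC enumeration, an account created with net user /add /domain, a remote-access tool, rclone sync, shadow-copy deletion) stands out from a host with a single noisy match. The events are constructed for the demonstration; the one-line field layout, the host and user names, and the generic vssadmin pattern in the T1490 rule are assumptions of this example rather than details taken from the page.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry). The layout
# "<utc-time> host=<h> user=<u> image=<path> cmd=<command line>" is an assumption
# made for this example; map your own EDR/Sysmon fields onto parse_line() accordingly.
SAMPLE_LOGS = [
    r"2024-04-18T09:58:02Z host=WS01 user=CORP\jdoe image=C:\Windows\System32\nltest.exe cmd=nltest /dclist:corp.local",
    r"2024-04-18T09:59:40Z host=WS01 user=CORP\jdoe image=C:\Windows\System32\net.exe cmd=net user itadm <redacted> /add /domain",
    r"2024-04-18T10:03:15Z host=WS01 user=CORP\jdoe image=C:\Users\jdoe\Downloads\AnyDesk.exe cmd=AnyDesk.exe",
    r"2024-04-18T10:41:08Z host=WS01 user=CORP\jdoe image=C:\Temp\rclone.exe cmd=rclone.exe sync \\FS01\finance mega:backup",
    r"2024-04-18T11:02:51Z host=WS01 user=CORP\jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell.exe -Command Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }",
    r"2024-04-18T11:05:00Z host=WS02 user=CORP\asmith image=C:\Windows\explorer.exe cmd=explorer.exe",
    r"2024-04-18T11:06:30Z host=WS02 user=CORP\asmith image=C:\Windows\System32\net.exe cmd=net use Z: \\FS01\share",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)

# Rules keyed by the ATT&CK IDs the advisory summary uses. Each pattern is applied to
# "<image> <command line>" case-insensitively.
RULES = [
    ("T1018", "Remote System Discovery: DC enumeration via nltest/net",
     r'nltest(?:\.exe)?\s+/dclist|net(?:\.exe)?\s+group\s+"?domain admins'),
    ("T1136.002", "Create Account: domain account added with net user /add /domain",
     r"net(?:\.exe)?\s+user\s+.*\s/add\b.*/domain\b"),
    ("T1003", "OS Credential Dumping: known credential harvester on the command line",
     r"\b(?:mimikatz|lazagne)\b"),
    ("T1562.001", "Impair Defenses: PowerTool execution",
     r"\bpowertool"),
    ("T1219", "Remote Access Software: AnyDesk/RustDesk launched",
     r"\\(?:anydesk|rustdesk)\.exe\b"),
    ("T1090", "Proxy: Ngrok tunnel client launched",
     r"\bngrok(?:\.exe)?\b"),
    ("T1567.002", "Exfiltration to Cloud Storage: rclone sync/copy",
     r"\brclone(?:\.exe)?\b.*\b(?:sync|copy)\b"),
    # The vssadmin alternative is a generic shadow-copy-deletion pattern added here;
    # the page itself only cites PowerShell-based VSS deletion.
    ("T1490", "Inhibit System Recovery: shadow copy deletion",
     r"win32_shadowcopy.*delete|vssadmin(?:\.exe)?\s+delete\s+shadows"),
]
COMPILED = [(tid, title, re.compile(pat, re.IGNORECASE)) for tid, title, pat in RULES]


def parse_line(line):
    """Return the event fields as a dict, or None if the line does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Apply every rule to every parsable event and return one finding per rule hit."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        text = f"{ev['image']} {ev['cmd']}"
        for tid, title, rx in COMPILED:
            if rx.search(text):
                findings.append({
                    "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                    "technique": tid, "title": title, "evidence": ev["cmd"],
                })
    return findings


def hosts_with_chain(findings, minimum=3):
    """Hosts on which at least `minimum` distinct techniques fired: the multi-stage signal."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["technique"])
    return {host for host, techniques in per_host.items() if len(techniques) >= minimum}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS)
    for h in hits:
        print(f"{h['ts']} {h['host']:5s} {h['technique']:10s} {h['title']} :: {h['evidence']}")
    print("hosts showing a multi-stage chain:", sorted(hosts_with_chain(hits)))
```

The per-host correlation is the part worth keeping even if the individual patterns are swapped for your own: a single nltest or net user command is routine administration, but the same user driving DC enumeration, account creation, a remote-access tool, rclone and shadow-copy deletion on one host within an hour is the sequence the advisory describes.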
Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a