Keypoints
- Akira operates as RaaS and has reportedly impacted over 196 organizations across North America, the UK, and Australia.
- Initial access is achieved via compromised valid accounts and exploitation of public-facing vulnerabilities (multiple CVEs cited).
- Extensive reconnaissance and credential harvesting are performed using tools like Get-ADUser, AdFind, SharpHound, Mimikatz, and NTDS dumps.
- Lateral movement leverages RDP, network shares, and Psexec; C2/persistence tools include AnyDesk, SystemBC, Ngrok, and scheduled tasks or new accounts.
- Defense-evasion includes disabling Windows Defender, registry modifications to hide accounts and enable restricted logins, BYOVD attacks, and using VMs to obscure activity.
- Attackers archive and exfiltrate data with tools such as Rclone, WinSCP, and FileZilla, then delete backups/shadow copies and encrypt files with the ChaCha algorithm.
- The ransomware accepts command-line options for targeted paths, network shares, encryption percentage, exclusions, and logs activity to timestamped log files.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to gain entry by exploiting vulnerabilities: [‘Exploiting vulnerabilities such as CVE-2021-21972, CVE-2019-6693, CVE-2022-40684 and CVE-2023-20269’]
- [T1133] External Remote Services – Use of external remote services for access: [‘Uses external remote services for access.’]
- [T1078] Valid Accounts – Initial access and lateral movement using valid credentials: [‘Compromised credentials, likely purchased from initial access brokers for entry points that did not use MFA.’]
- [T1083] File and Directory Discovery – Enumerates directories and AD objects using discovery tools: [‘Get-ADUser, Get-ADComputer’]
- [T1018] Remote System Discovery – Scans network to identify machines for lateral movement: [‘scan the network to identify machines for Lateral Movement.’]
- [T1082] System Information Discovery – Collects system information to aid further attack steps: [‘System Information Discovery’]
- [T1564.002] Hide Artifacts: Hidden Users – Modifies registry to hide accounts from login screen: [‘Userlist registry modification to hide accounts on login screen.’]
- [T1564.006] Hide Artifacts: Run Virtual Instance – Uses VMs to conceal adversary behavior: [‘Creation of new VM to hide adversary behavior.’]
- [T1021.001] Remote Services: Remote Desktop Protocol – Uses RDP for lateral movement: [‘RDP’]
- [T1003] OS Credential Dumping – Dumps credentials using tools and techniques like Mimikatz and NTDS dumps: [‘Mimikatz’, ‘NTDS dump’]
- [T1560] Archive Collected Data – Archives stolen data prior to exfiltration: [‘They then collect files, archive them, and exfiltrate them.’]
- [T1219] Remote Access Software – Uses remote access tools for control and persistence: [‘Anydesk’, ‘Radmin’, ‘RustDesk’]
- [T1020] Automated Exfiltration – Exfiltrates data using automated transfer tools: [‘WinScp’, ‘FileZilla’, ‘Rclone’]
- [T1486] Data Encrypted for Impact – Encrypts data to compel ransom payments and uses ChaCha algorithm: [‘Data encrypted’, ‘uses the ChaCha algorithm for file encryption.’]
- [T1491.001] Defacement: Internal Defacement – Modifies internal systems to disrupt operations: [‘Modifies internal systems to disrupt operations.’]
Indicators of Compromise
- [File Hash] Akira sample MD5s – e57340a208ac9d95a1f015a5d6d98b94, e8139b0bc60a930586cf3af6fa5ea573, and 4 more hashes
- [File Name] Ransomware log format – Log-date-month-year-hour-minute-second.txt (ransomware execution logging)
- [Command] Shadow copy deletion – powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject" (used to delete backups before encryption)
Akira technical procedure (concise rewrite):
Initial access typically comes from compromised valid credentials (often purchased from initial access brokers) and exploitation of public-facing vulnerabilities including CVE-2021-21972, CVE-2019-6693, CVE-2022-40684, and CVE-2023-20269. Once inside, operators perform Active Directory and network reconnaissance using commands/tools like Get-ADUser/Get-ADComputer, AdFind, SharpHound, SoftPerfect Network Scanner, Advanced IP Scanner, MASScan, and reconftw to map hosts and prioritize targets for lateral movement.
Credential harvesting is conducted with techniques such as Comsvcs.dll dumping of lsass, Mimikatz, LaZagne, and NTDS dumps; lateral movement is performed via RDP, network shares, and Psexec, while C2 and remote control are handled through tools like SystemBC, NetCat, AnyDesk, Radmin, ngrok/Cloudflare Tunnel, RustDesk, Mobaxterm, and SSH. Persistence methods include scheduled tasks, creating new accounts, or abusing compromised valid accounts. Defense evasion tactics observed include disabling Windows Defender and adding exclusions, registry modifications to hide user accounts and allow restricted admin logons, BYOVD-style termination of security processes (e.g., using Terminator), and even spinning up VMs to obscure activity.
Before encryption, attackers collect and archive sensitive files and exfiltrate them using Rclone, WinSCP, or FileZilla; they also destroy backups (Veeam backups and shadow copies) using commands such as powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject". The ransomware accepts command-line options to set the encryption path (-p/--encryption_path), network share (-s/--share_file), encryption percentage (-n/--encryption_percent), local-only targeting (-localonly), exclusions (-e/--exclude), and log display (-l). Akira kills processes using Windows Restart Manager APIs to free files, logs activity to timestamped files (Log-date-month-year-hour-minute-second.txt), encrypts data with the ChaCha algorithm, and posts exfiltrated data to a TOR leak site if the ransom is not paid.
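As an added detection example (not part of the report, and not code from Akira or any vendor), the Python below runs three checks derived from the behaviours described above over constructed process-creation records: the shadow-copy deletion command, the ransomware's command-line options, and the timestamped log filename. The "image|command_line" record format, the sample events, and the assumption that the log name's date and time fields are numeric are all mine.

```python
import re

# Constructed sample process-creation records, one per line as "image|command_line",
# standing in for Sysmon Event ID 1 / Security 4688 telemetry. Not real Akira samples.
SAMPLE_EVENTS = r"""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
C:\Users\Public\w.exe|w.exe -p=\\fileserver\share -n=20 --share_file=shares.txt
C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt
C:\Users\Public\w.exe|w.exe -localonly -e=C:\Windows
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Process
"""

# Rule 1: the shadow-copy deletion command quoted in the report.
SHADOW_COPY_DELETE = re.compile(r"Win32_Shadowcopy.*Remove-WmiObject", re.IGNORECASE)

# Rule 2: the ransomware's command-line options. The long names and -localonly are
# distinctive alone; the one-letter forms are common elsewhere, so two must co-occur.
AKIRA_LONG_OPTS = re.compile(
    r"--(encryption_path|share_file|encryption_percent|exclude)\b|-localonly\b", re.IGNORECASE)
AKIRA_SHORT_OPTS = re.compile(r"(?<!\S)-[pnse]=", re.IGNORECASE)

# Rule 3: the timestamped log name. The report gives only the field order;
# numeric fields are an assumption made here.
AKIRA_LOG_NAME = re.compile(r"^Log-\d{1,2}-\d{1,2}-\d{4}-\d{1,2}-\d{1,2}-\d{1,2}\.txt$", re.IGNORECASE)


def classify_command(cmdline: str) -> list[str]:
    """Return the names of the rules a single command line trips (empty if none)."""
    hits = []
    if SHADOW_COPY_DELETE.search(cmdline):
        hits.append("shadow_copy_deletion")
    if AKIRA_LONG_OPTS.search(cmdline) or len(AKIRA_SHORT_OPTS.findall(cmdline)) >= 2:
        hits.append("akira_cli_options")
    return hits


def is_akira_log_name(filename: str) -> bool:
    """True if a file-creation event's name matches the ransomware's log naming scheme."""
    return AKIRA_LOG_NAME.match(filename) is not None


def scan_events(events: str) -> list[tuple[str, list[str]]]:
    """Parse the records and return (image, hits) for every record that alerts."""
    alerts = []
    for line in events.strip().splitlines():
        # Only the first '|' separates the fields; later ones belong to the command line.
        image, _, cmdline = line.partition("|")
        hits = classify_command(cmdline)
        if hits:
            alerts.append((image, hits))
    return alerts
```

Running scan_events(SAMPLE_EVENTS) alerts on the first, second and fourth records and leaves the benign notepad and Get-Process records alone.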