Akira Ransomware Group Rakes in $42m, 250 Organizations Impacted

The Akira ransomware group has generated around $42m in proceeds in the period from March 2023 to January 2024, according to a joint advisory from Europol and US and Dutch government agencies.

The ransomware-as-a-service (RaaS) actor is believed to have impacted over 250 organizations across North America, Europe and Australia during this period, with a wide range of businesses and critical infrastructure organizations falling victim.

The advisory, released by the US Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL), warned organizations about Akira’s evolving tactics, techniques and procedures (TTPs) and advised on how to defend against them.

How Akira Infects Organizations with Ransomware

Akira is a relatively new cybercriminal group, appearing to launch in Q1 2023. Since then, the FBI’s Internet Crime Report 2023 found that Akira was the third most common ransomware variant to impact critical infrastructure in 2023, behind LockBit and ALPHV/BlackCat.

The new advisory noted that Akira threat actors initially focused on Windows systems, but in April 2023 developed a Linux variant targeting VMware ESXi virtual machines.

Akira affiliates use strains written in C++ and Rust, and append either the .akira or the .powerranges extension to the files they encrypt.

Initial access techniques used by Akira threat actors include:

  • Using known Cisco vulnerabilities to access organizations through a virtual private network (VPN) service without multi-factor authentication (MFA) configured
  • Use of external-facing services such as Remote Desktop Protocol (RDP)
  • Spear phishing attacks
  • Credential abuse

Following initial access, affiliates create new domain accounts to establish persistence. They have also been observed leveraging post-exploitation attack techniques, such as Kerberoasting, to extract credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS).

Credential scraping tools like Mimikatz and LaZagne are used to aid in privilege escalation, while other tools like SoftPerfect and Advanced IP Scanner are often used for reconnaissance purposes.

To increase the chances of success, some Akira threat actors have been observed deploying two distinct ransomware variants against different system architectures within the same compromise event.

They also commonly disable victims’ security software to avoid detection, such as using PowerTool to exploit the Zemana AntiMalware driver and terminate antivirus-related processes.

Exfiltration and Encryption Techniques

Tools such as FileZilla, WinRAR, WinSCP and RClone are leveraged by Akira affiliates to exfiltrate data from victims.

Exfiltration is enabled through various protocols such as File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), and cloud storage services like Mega, with readily available tools like AnyDesk and Cloudflare tunnel used to establish command and control channels.

The advisory observed that Akira actors typically employ a double-extortion model, whereby systems are encrypted after exfiltrating data.

This allows them to apply further pressure to victims by threatening to publish exfiltrated data on the Tor network.

The Akira ransom note provides each company with a unique code and instructions to contact the threat actors via a .onion URL. Ransom payments are requested in Bitcoin to cryptocurrency wallet addresses provided by the threat actors.

A sophisticated hybrid encryption scheme is employed to lock data, capable of full or partial encryption.

System recovery is further inhibited by Akira’s encryptor using PowerShell commands to delete volume shadow copies (VSS) on Windows systems.
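Detection logic for the shadow-copy deletion step described above, as an added example that is not code from the article or the advisory: it scans process-creation events for shadow-copy deletion command lines and also decodes PowerShell `-EncodedCommand` arguments so an encoded variant is not missed. The concrete command-line forms it matches are my assumption of commonly seen patterns, and the sample events are constructed.

```python
import base64
import re

# Command-line forms for shadow-copy deletion. The article only says Akira's
# encryptor deletes VSS via PowerShell; the concrete one-liners below are my
# assumption of commonly seen forms, not commands quoted from the article.
SHADOW_DELETE_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "ps_remove_shadowcopy": re.compile(r"win32_shadowcopy.*remove-(?:wmiobject|ciminstance)", re.I | re.S),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
}
# powershell.exe accepts -EncodedCommand and its unambiguous prefixes (-e, -ec, -enc).
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def expand_command(cmd: str) -> str:
    """Return cmd plus the decoded payload of any -EncodedCommand argument
    (PowerShell base64-encodes UTF-16LE text), so encoded variants still match."""
    m = ENCODED_ARG.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd  # malformed blob: fall back to matching the raw line only
    return f"{cmd} [decoded: {decoded}]"

def detect_shadow_copy_deletion(events):
    """Return one alert per event whose (decoded) command line matches a rule."""
    alerts = []
    for ev in events:
        expanded = expand_command(ev["cmd"])
        for rule, pattern in SHADOW_DELETE_PATTERNS.items():
            if pattern.search(expanded):
                alerts.append({"host": ev["host"], "rule": rule, "cmd": expanded})
                break
    return alerts

# Constructed sample process-creation events (Sysmon ID 1 / Security 4688 style); not real telemetry.
_ENCODED = base64.b64encode(
    "Get-CimInstance Win32_ShadowCopy | Remove-CimInstance".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "FS01", "cmd": 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"host": "FS01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS07", "cmd": f"powershell.exe -NoProfile -enc {_ENCODED}"},
    {"host": "WS07", "cmd": 'powershell.exe -Command "Get-WmiObject Win32_Service | Select Name"'},  # benign
]

if __name__ == "__main__":
    for a in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"{a['host']}: {a['rule']} :: {a['cmd']}")
```

Pair this with an alert on the encryptor's extension writes (.akira / .powerranges) rather than relying on the command line alone, since legitimate backup software also manages shadow copies.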

How to Defend Against Akira Attacks

The FBI, CISA, EC3, and NCSC-NL provided a range of recommendations for defenders to protect against the tactics employed by Akira, including:

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented and secure location
  • Require all accounts with password logins to comply with the National Institute of Standards and Technology (NIST) guidance
  • Enforce MFA for all services, particularly webmail, VPNs and accounts that access critical systems
  • Keep all operating systems, software and firmware up to date, with timely patching
  • Employ network segmentation to prevent the spread of ransomware in the system
  • Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems
  • Implement time-based access for accounts set at the admin level and higher
  • Disable command-line and scripting activities and permissions
  • Ensure all backup data is encrypted and immutable
