Executive Summary

First Identified:
March 2023

Operation Style:
is a ransomware variant and ransomware deployment entity active since at least March 2023.Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement. [Akira] operations are associated with “double extortion” ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates multiple overlaps with and similarities to conti malware.

Extortion method:
Double Extortion – combining the traditional ransomware extortion method (encryption) with exfiltration of victim’s sensitive data; the group threatens to leak the data via a data leak site if the ransom demand is not paid.

Most Frequently Targeted Industry:
Education, Finance, Manufacturing, and Healthcare.

Most Frequently Targeted Victim HQ region:
North America, Europe, and Australia.

Known Associations:
GOLD SAHARA, PUNK SPIDER.

Description

The Akira ransomware group has been active since March 2023, targeting diverse industries across North America, the UK, and Australia. Operating as a Ransomware-as-a-Service (RaaS) model, Akira employs a double-extortion strategy by stealing sensitive data before encrypting it. According to their leak site, the group claims to have compromised over 350 organizations. 

From November 13 to 14, the Akira ransomware group posted over 30 new victims on their data leak site, marking their highest single-day total since they began operations in March 2023. This milestone represents a record-breaking escalation in their activities and the volume of leaks shared in one day.  

The Akira ransomware blog is organized into five sections. The “Leaks” section lists victims who refused to pay the ransom, leading the group to publicly release their encrypted data. The “News” section highlights new victims, likely organizations currently engaged in ransom negotiations. 

In the ‘Leaks’ section we’ve seen 3 victims that already been published on the ‘News’ section, and 29 new ones. In the ‘News’ section, we’ve seen 3 new victims. Which basically means that 32 new victims were published in the group’s DLS, and three more refused to pay the ransom and were added to the ‘Leaks’ section.

Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines. As of January 1, 2024, the ransomware group has impacted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds.

Early versions of the Akira ransomware variant were written in C++ and encrypted files with a .akira extension; however, beginning in August 2023, some Akira attacks began deploying Megazord, using Rust-based code which encrypts files with a .powerranges extension.  Akira threat actors have continued to use both Megazord and Akira, including Akira_v2 (identified by trusted third party investigations) interchangeably.

The FBI, CISA, EC3, and NCSC-NL encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

Previous Target: Akira

Of the 35 total posts, 25 originate from the United States. Canada accounts for two, while the remaining posts come from Uruguay, Denmark, Germany, the United Kingdom, Sweden, the Czech Republic, and Nigeria. 

The Business Services sector is the most frequently targeted, with 10 organizations affected. Other impacted industries include Manufacturing, Construction, Retail, Technology, Education, and Critical Infrastructure.

From November 13 to 14, the Akira ransomware group posted over 30 new victims on their data leak site, marking their highest single-day total since they began operations in March 2023.

As of January 1, 2024, the ransomware group has impacted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds.

Data Leak Site: Akira

Known Exploited CVEs

(CVE-2023-20269)

A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user. This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features.

(CVE-2020-3259)

A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to retrieve memory contents on an affected device, which could lead to the disclosure of confidential information. The vulnerability is due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. An attacker could exploit this vulnerability by sending a crafted GET request to the web services interface. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information. Note: This vulnerability affects only specific AnyConnect and WebVPN configurations.

Associations: Akira

PUNK SPIDER
PUNK SPIDER is the Big Game Hunting (BGH) adversary (first identified in April 2023) responsible for developing and maintaining Akira ransomware and its associated Akira dedicated leak site (DLS). Tactics, Techniques, and Procedures (TTPs) associated with Akira ransomware deployments include significant use of legitimate repurposed software and Open-Source penetration-testing tools.

GOLD SAHARA
GOLD SAHARA is a cybercrime group that deploys Akira ransomware. The first Akira victim was named on a dedicated leak site in April 2023. There is no evidence that Akira is operated as ransomware-as-a-service (RaaS), but the rate of naming victims on the Akira leak site, at around 30 a month, suggests a large group of individuals is responsible for Ransomware deployment.

GOLD SAHARA exclusively uses off-the-shelf tools and built-in utilities to conduct its operations. After compromising VPN accounts for initial access, the group uses Advanced IP Scanner and the SoftPerfect Network Scanner for network discovery, and the built-in Nltest Windows utility to identify Domain trusts and domain controllers. It uses AnyDesk and PuTTy for remote access, and the WinRAR archiving tool to stage data for exfiltration using Rclone. The group has also been observed accessing and downloading SharePoint files to use in extortion attempts. Prior to deploying ransomware, GOLD SAHARA deletes Administrator Accounts, likely to hinder recovery efforts.

Known Tools: Akira

indicates behaviors that have been observed by DarkAtlas Team.

Malicious Files Affiliated with Akira Ransomware:

Observed Akira Behaviors: Windows

Initial Access

The FBI and cybersecurity researchers have observed Akira threat actors obtaining initial access to organizations through a virtual private network (VPN) service without multifactor authentication (MFA) configured, mostly using known Cisco vulnerabilities Additional methods of initial access include the use of external-facing services such as Remote Desktop Protocol (RDP) , spear phishing Phishing,Spearphishing and the abuse of valid credentials.

Persistence and Discovery

Once initial access is obtained, Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts to establish persistence. In some instances, the FBI identified Akira threat actors creating an Administrative Account named itadm.

According to FBI and open source reporting, Akira threat actors leverage post-exploitation attack techniques, such as Kerberoasting to extract Credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS). Akira threat actors also use credential scraping tools like Mimikatz and LaZagne to aid in privilege escalation. Tools like SoftPerfect and Advanced IP Scanner are often used for network device discovery (reconnaissance) purposes and net Windows commands are used to identify domain controllers and gather information on domain trust relationships

Defense Evasion

Based on trusted third party investigations, Akira threat actors have been observed deploying two distinct ransomware variants against different system architectures within the same compromise event. This marks a shift from recently reported Akira ransomware activity. Akira threat actors were first observed deploying the Windows-specific “Megazord” ransomware, with further analysis revealing that a second payload was concurrently deployed in this attack (which was later identified as a novel variant of the Akira ESXi encryptor, “Akira_v2”).

As Akira threat actors prepare for lateral movement, they commonly disable security software to avoid detection. Cybersecurity researchers have observed Akira threat actors using PowerTool to exploit the Zemana AntiMalware driver

Exfiltration and Impact

Akira threat actors leverage tools such as FileZilla, WinRAR , WinSCP, and RClone to exfiltrate data To establish command and control channels, threat actors leverage readily available tools like AnyDesk, MobaXterm, RustDesk, Ngrok, and Cloudflare Tunnel. Enabling exfiltration through various protocols such as File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), and cloud storage services like Mega to connect to exfiltration servers.

Akira threat actors use a double-extortion model after exfiltrating data. The Akira ransom note provides each company with a unique code and instructions to contact the threat actors via .onion URL. Akira threat actors do not leave an initial ransom demand or payment instructions on compromised networks, and do not relay this information until contacted by the victim. Ransom payments are paid in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. To further apply pressure, Akira threat actors threaten to publish exfiltrated data on the Tor network, and in some instances have called Victimized companies, according to FBI reporting.

Encryption

Akira threat actors utilize a sophisticated hybrid encryption scheme to lock data. This involves combining a ChaCha20 stream cipher with an RSA public-key cryptosystem for speed and secure key exchange . This multilayered approach tailors encryption methods based on file type and size and is capable of full or partial encryption. Encrypted files are appended with either a .akira or .powerranges extension. To further inhibit system recovery, Akira’s encryptor (w.exe) utilizes PowerShell commands to delete volume shadow copies (VSS) on Windows systems . Additionally, a ransom note named fn.txt appears in both the root directory (C:) and each users’ home directory (C:\Users).

Trusted third party analysis identified that the Akira_v2 encryptor is an upgrade from its previous version, which includes additional functionalities due to the language it’s written in (Rust). Previous versions of the encryptor provided options to insert arguments at runtime, including:

• -p --encryption_path (targeted file/folder paths)
• -s --share_file (targeted network drive path)
• -n --encryption_percent (percentage of encryption)
• --fork (create a child process for encryption

The ability to insert additional threads allows Akira threat actors to have more granular control over the number of CPU cores in use, increasing the speed and efficiency of the encryption process. The new version also adds a layer of protection, utilizing the Build ID as a run condition to hinder dynamic analysis. The encryptor is unable to execute successfully without the unique Build ID. The ability to deploy against only virtual machines using “vmonly” and the ability to stop running virtual machines with “stopvm” functionalities have also been observed implemented for Akira_v2. After encryption, the Linux ESXi variant may include the file extension “akiranew” or add a ransom note named “akiranew.txt” in directories where files were encrypted with the new nomenclature.

MITRE ATT&CK® Mappings: Akira

Techniques Used

Table 1: Initial Access

Table 2: Credential Access

Table 3: Discovery

Table 4: Persistence

Table 5: Defense Evasion

Table 6: Command and Control

Table 7: Collection

Table 8: Exfiltration

Table 9: Impact

Conclusion

The Akira ransomware group has emerged as a formidable threat since its first appearance in March 2023, targeting over 250 organizations and amassing approximately $42 million in ransomware proceeds. Operating under a double-extortion model, Akira combines data encryption with the exfiltration of sensitive information, pressuring victims to pay by threatening public exposure. The group’s tactics involve leveraging compromised VPN credentials and known vulnerabilities in Cisco products to gain initial access, followed by network reconnaissance, privilege escalation, and data exfiltration using widely available tools such as AnyDesk, RClone and WinSCP.

The ransomware has evolved over time, initially written in C++ and later incorporating Rust-based code in the Megazord variant. This shift reflects the group’s commitment to enhancing encryption speed and resilience against detection. The targeting of diverse industries, including business services, Manufacturing, Technology, and critical infrastructure, highlights the widespread and indiscriminate nature of Akira’s operations.

To mitigate the threat posed by Akira ransomware, organizations are urged to strengthen their cybersecurity posture by implementing multi-factor authentication (MFA), securing VPN access, and maintaining regular data backups. The Akira group’s rapid adaptation to defensive measures underscores the need for continuous monitoring and proactive threat intelligence to stay ahead of this evolving threat landscape.