blog.cyble.com
Open in
urlscan Pro
192.0.78.213
Public Scan
URL:
https://blog.cyble.com/2023/05/10/unraveling-akira-ransomware/
Submission Tags: falconsandbox
Submission: On July 27 via api — Scanned from DE
Submission Tags: falconsandbox
Submission: On July 27 via api — Scanned from DE
Form analysis
3 forms found in the DOMGET https://blog.cyble.com
<form class="hfe-search-button-wrapper" role="search" action="https://blog.cyble.com" method="get">
<div class="hfe-search-form__container" role="tablist">
<input placeholder="Search " class="hfe-search-form__input" type="search" name="s" title="Search" value="">
<button id="clear-with-button" type="reset">
<i class="fas fa-times" aria-hidden="true"></i>
</button>
<button class="hfe-search-submit" type="submit">
<i class="fas fa-search" aria-hidden="true"></i>
</button>
</div>
</form>
GET https://blog.cyble.com
<form class="hfe-search-button-wrapper" role="search" action="https://blog.cyble.com" method="get">
<div class="hfe-search-form__container" role="tablist">
<input placeholder="Search Our Blog" class="hfe-search-form__input" type="search" name="s" title="Search" value="">
<button id="clear" type="reset">
<i class="fas fa-times clearable__clear" aria-hidden="true"></i>
</button>
</div>
</form>
<form id="jp-carousel-comment-form">
<label for="jp-carousel-comment-form-comment-field" class="screen-reader-text">Write a Comment...</label>
<textarea name="comment" class="jp-carousel-comment-form-field jp-carousel-comment-form-textarea" id="jp-carousel-comment-form-comment-field" placeholder="Write a Comment..."></textarea>
<div id="jp-carousel-comment-form-submit-and-info-wrapper">
<div id="jp-carousel-comment-form-commenting-as">
<fieldset>
<label for="jp-carousel-comment-form-email-field">Email</label>
<input type="text" name="email" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-email-field">
</fieldset>
<fieldset>
<label for="jp-carousel-comment-form-author-field">Name</label>
<input type="text" name="author" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-author-field">
</fieldset>
<fieldset>
<label for="jp-carousel-comment-form-url-field">Website</label>
<input type="text" name="url" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-url-field">
</fieldset>
</div>
<input type="submit" name="submit" class="jp-carousel-comment-form-button" id="jp-carousel-comment-form-button-submit" value="Post Comment">
</div>
</form>
Text Content
Skip to content Search for your darkweb exposure Main Menu * Home * About Us * Products * Cyble Vision * AmiBreached * Cyble Hawk * Odin (Internet Scanning) * The Cyber Express * Newsroom * Research Reports * Careers * Partner with us * Request Demo UNRAVELING AKIRA RANSOMWARE * May 10, 2023 EMERGING RANSOMWARE STRAIN QUICKLY EXPANDING ITS LIST OF VICTIMS Ransomware is a grave cybersecurity threat and is currently one of the most effective cybercrimes causing organizational problems. It has proven to be highly profitable for cybercriminals, resulting in severe consequences such as financial loss, data loss, and damage to the reputation of the targeted entities. Over time, Cyble Research and Intelligence Labs (CRIL) has continuously examined and shared information regarding the most dominant and active ransomware groups while offering recommendations to prevent such incidents from occurring again. Recently, CRIL came across a Reddit post about a new ransomware variant named “Akira”, actively targeting numerous organizations and exposing their sensitive data. To increase the chances of payment from victims, Akira ransomware exfiltrates and encrypts their data using a double-extortion technique. The attackers then threaten to sell or leak the stolen data on the dark web if the ransom is not paid for decrypting the data. Akira ransomware emerged in April 2023 and has already impacted over 15 publicly disclosed victims, with the majority located in the United States. These victims represent a variety of industries, such as BFSI, Construction, Education, Healthcare, Manufacturing, and others. Figure 1 – Akira Ransomware’s Victim Distribution Multiple options on the Akira ransomware leak site’s homepage allow users to access the most recent news, leaked data, and other functions, as shown in the image below. Figure 2 – Akira ransomware Leaksite TECHNICAL ANALYSIS Technical Content! Subscribe to Unlock Sign up and get access to Cyble Research and Intelligence Labs' exclusive contents Email Unlock This Content We have taken the below sample hash for this analysis: (SHA256), 3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c, which is a console-based 64-bit executable written in Microsoft Visual C/C++ compiler, as shown below. Figure 3 – File details When the ransomware is executed, it uses the API function GetLogicalDriveStrings() to obtain a list of the logical drives currently available in the system, as shown in the figure below. Figure 4 – GetLogicalDriveStringsW() API Then, the malware drops a ransom note in multiple folders with the file name “akira_readme.txt”. The contents of the ransom note are illustrated in the below figure. Figure 5 – Malware Writing Ransom Notes After dropping the ransom note, the ransomware searches for files and directories to encrypt by iterating through them using the API functions FindFirstFileW() and FindNextFileW(). The ransomware excludes the below file extensions and file/folder names from encryption. File extensionFile namesFolder names.exe .dll .sys .msi .lnk .akiraakira_readme.txt Bootmgr BOOTNXT DumpStack.log.tmp pagefile.sys swapfile.sys ntuser.dattmp winnt temp thumb $Recycle.Bin $RECYCLE.BIN System Volume Information Boot Windows Trend Micro ProgramData ENCRYPTION The ransomware utilizes the “Microsoft Enhanced RSA and AES Cryptographic Provider” libraries to encrypt the victim’s machine. The malware employs several functions from CryptoAPI, including CryptAcquireContextW(), CryptImportPublicKeyInfo(), CryptGenRandom(), and CryptEncrypt(). Figure 6 – Encryption As mentioned earlier, Akira ransomware uses the RSA and AES encryption algorithms, and it comes with a fixed hardcoded base64 encoded public key, as shown below. Figure 7 – RSA Public key The malware renames the encrypted files with the “.akira” extension in the next step. The figure below shows the files encrypted by Akira ransomware after the successful infection of a victim’s machine. Figure 8 – Files encrypted by Akira Ransomware Additionally, the ransomware utilizes a PowerShell command, shown in Figure 9, to execute a WMI query that deletes the shadow copy, preventing system restoration. Figure 9 – PowerShell command to Delete Shadow copies The dropped ransom note provides instructions to the victims on how they can get in touch with the Akira Ransomware Gang to initiate negotiations for the ransom. The operators responsible for the Akira ransomware often threaten their victims, claiming to have exfiltrated a large amount of corporate data before encrypting it. They also warn of their intention to sell personal information, trade secrets, databases, and source codes on the dark web market. Additionally, they threaten to expose the stolen information publicly through their blog (accessible via an Onion site) if the ransom demand is not met. Figure 10 – Ransom note Figure 11 depicts an Onion site belonging to Akira ransomware, which requires a code (mentioned in the ransom note) to initiate communication or request assistance from the Threat Actor. Figure 11 – Chat window The Akira ransomware homepage features a ‘news’ command that reveals a comprehensive list of 16 victim organizations targeted by the group as of May 5th. The stolen information is summarized for each organization and can be viewed on the same page. The corresponding figure is provided below. Figure 12 – “news” command on the Akira ransomware leak site displays a list of victims On the Akira ransomware homepage, a command called ‘leaks’ provides a list of organizations targeted by the group that did not pay the demanded ransom (5 victims as of now). The leaked data associated with each organization is available for download and includes the organization’s name and a brief description. Figure 13 – Akira ransomware leak sites’ “leaks” command exhibits the data leaked by victims CONCLUSION Akira ransomware is a newly discovered strain that has mainly affected victims in the United States and Canada. This ransomware group actively targets businesses and demands a significant amount of money in exchange for decryption keys. As organizations implement security measures to defend against ransomware attacks, there is a corresponding rise in the number of new ransomware groups emerging. These groups continuously adapt their strategies and expand their operations to maximize profits. Cyble Research & Intelligence Labs (CRIL) continuously monitors new ransomware campaigns to keep our readers updated with our latest findings. OUR RECOMMENDATIONS We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below: Safety Measures Needed to Prevent Ransomware Attacks * Conduct regular backup practices and keep those backups offline or in a separate network. * Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. * Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile. * Refrain from opening untrusted links and email attachments without verifying their authenticity. Users Should Take the Following Steps After the Ransomware Attack * Detach infected devices on the same network. * Disconnect external storage devices if connected. * Inspect system logs for suspicious events. Impact of Akira Ransomware * Loss of valuable data. * Loss of the organization’s reputation and integrity. * Loss of the organization’s sensitive business information. * Disruption in organization operation. * Financial loss. MITRE ATT&CK® TECHNIQUES Tactic Technique ID Technique Name Execution T1204 T1047 T1059User Execution Windows Management Instrumentation PowerShellDefense EvasionT1497 T1027Virtualization/Sandbox Evasion Obfuscated Files or InformationDiscovery T1057 T1012 T1082 T1083Process Discovery Query Registry System Information Discovery File and Directory DiscoveryImpact T1486 T1490 Data Encrypted for Impact Inhibit System Recovery INDICATORS OF COMPROMISE (IOCS) IndicatorsIndicator TypeDescriptionc7ae7f5becb7cf94aa107ddc1caf4b03 923161f345ed3566707f9f878cc311bc6a0c5268 3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312cMD5 SHA1 SHA256Akira Ransomware Exe RECENT BLOGS ALPHV RANSOMWARE DATA LEAK SITE EMBRACES API INTEGRATION July 26, 2023 THREAT ACTOR TARGETING DEVELOPERS VIA TROJANIZED MS VISUAL STUDIO July 25, 2023 FABRICATED MICROSOFT CRYPTO WALLET PHISHING SITE SPREADS INFOSTEALER July 21, 2023 PrevPreviousSophisticated DarkWatchMan RAT Spreads Through Phishing Sites NextDissecting Rancoz RansomwareNext July 26, 2023 Cyble Research & Intelligence Labs delves into the release of an API by ALPHV ransomware on their leak site. Read More » July 25, 2023 CRIL examines a Trojanized Visual Studio installer that deploys a Cookie Stealer and utilizes Telegram for data exfiltration. Read More » July 21, 2023 Cyble Research and Intelligence Labs analyzes Threat Actors spreading Luca Stealer disguised as a beta version of Microsoft Crypto Wallet. Read More » About Us Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, Dubai and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com. Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, Dubai and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com. Offices: We’re remote-friendly, with office locations around the world: San Francisco, Atlanta, Rome, Dubai, Mumbai, Bangalore, Singapore, Jakarta, Sydney, and Melbourne. UAE: Cyble Middle East FZE Suite 1702, Level 17, Boulevard Plaza Tower 1, Sheikh Mohammed Bin Rashid Boulevard, Downtown Dubai, Dubai, UAE contact@cyble.com +971 (4) 4018555 USA : Cyble, Inc. 11175 Cicero Drive Suite 100 Alpharetta, GA 30022 contact@cyble.com +1 678 379 3241 India: Cyble Infosec India Private Limited A 602, Rustomjee Central Park, Andheri Kurla Road Chakala, Andheri (East), Maharashtra Mumbai-400093, India contact@cyble.com +1 678 379 3241 Australia : Cyble Pty Limited Level 32, 367 Collins Street Melbourne VIC 3000 Australia contact@cyble.com +61 3 9005 6934 Singapore: Cyble Singapore Private Limited 38 North Canal Road, Singapore 059294 contact@cyble.com +1 678 379 3241 © 2023. Cyble Inc. All Rights Reserved Twitter Linkedin Scroll to Top Loading Comments... Write a Comment... Email Name Website We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.Ok × We Value Your Privacy Settings NextRoll, Inc. ("NextRoll") and our advertising partners use cookies and similar technologies on this site and use personal data (e.g., your IP address). If you consent, the cookies, device identifiers, or other information can be stored or accessed on your device for the purposes described below. You can click "Allow All" or "Decline All" or click Settings above to customize your consent. NextRoll and our advertising partners process personal data to: ● Store and/or access information on a device; ● Create a personalized content profile; ● Select personalised content; ● Personalized ads, ad measurement and audience insights; ● Product development. For some of the purposes above, our advertising partners: ● Use precise geolocation data. Some of our partners rely on their legitimate business interests to process personal data. View our advertising partners if you wish to provide or deny consent for specific partners, review the purposes each partner believes they have a legitimate interest for, and object to such processing. If you select Decline All, you will still be able to view content on this site and you will still receive advertising, but the advertising will not be tailored for you. You may change your setting whenever you see the Manage consent preferences on this site. Decline All Allow All Manage consent preferences