URL: https://blog.cyble.com/2023/05/10/unraveling-akira-ransomware/


UNRAVELING AKIRA RANSOMWARE

 * May 10, 2023




EMERGING RANSOMWARE STRAIN QUICKLY EXPANDING ITS LIST OF VICTIMS



Ransomware is a grave cybersecurity threat and currently one of the most
effective forms of cybercrime disrupting organizations. It has proven to be
highly profitable for cybercriminals, with severe consequences for the targeted
entities, such as financial loss, data loss, and reputational damage.

Over time, Cyble Research and Intelligence Labs (CRIL) has continuously examined
and shared information regarding the most dominant and active ransomware groups
while offering recommendations to prevent such incidents from occurring again.

Recently, CRIL came across a Reddit post about a new ransomware variant named
“Akira”, actively targeting numerous organizations and exposing their sensitive
data. To increase the chances of payment from victims, Akira ransomware
exfiltrates and encrypts their data using a double-extortion technique. The
attackers then threaten to sell or leak the stolen data on the dark web if the
ransom is not paid for decrypting the data.

Akira ransomware emerged in April 2023 and has already impacted over 15 publicly
disclosed victims, with the majority located in the United States. These victims
represent a variety of industries, such as BFSI, Construction, Education,
Healthcare, Manufacturing, and others.

Figure 1 – Akira Ransomware’s Victim Distribution



Multiple options on the Akira ransomware leak site’s homepage allow users to
access the most recent news, leaked data, and other functions, as shown in the
image below.

Figure 2 – Akira ransomware Leaksite




TECHNICAL ANALYSIS





We have taken the below sample for this analysis:

SHA256: 3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c

It is a console-based 64-bit executable compiled with the Microsoft Visual
C/C++ compiler, as shown below.

Figure 3 – File details



When the ransomware is executed, it uses the API function
GetLogicalDriveStrings() to obtain a list of the logical drives currently
available in the system, as shown in the figure below.

Figure 4 – GetLogicalDriveStringsW() API



Then, the malware drops a ransom note in multiple folders with the file name
“akira_readme.txt”. The contents of the ransom note are illustrated in the below
figure.

Figure 5 – Malware Writing Ransom Notes



After dropping the ransom note, the ransomware searches for files and
directories to encrypt by iterating through them using the API functions
FindFirstFileW() and FindNextFileW().

The ransomware excludes the below file extensions and file/folder names from
encryption.

File extensions

 * .exe
 * .dll
 * .sys
 * .msi
 * .lnk
 * .akira

File names

 * akira_readme.txt
 * Bootmgr
 * BOOTNXT
 * DumpStack.log.tmp
 * pagefile.sys
 * swapfile.sys
 * ntuser.dat

Folder names

 * tmp
 * winnt
 * temp
 * thumb
 * $Recycle.Bin
 * $RECYCLE.BIN
 * System Volume Information
 * Boot
 * Windows
 * Trend Micro
 * ProgramData
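The exclusion lists above double as a scoping aid during incident response: they say which files the described logic would have left alone, so anything encrypted outside those rules deserves a closer look. The Python below is an added example (not Cyble's code and not code from the sample). It encodes the lists and classifies paths from a host's file inventory into ransom notes, encrypted files, files the described rules would skip, and in-scope files that were not encrypted. It assumes that a folder exclusion applies to any matching path component and that every encrypted file is the original name plus “.akira”; the inventory is constructed.

```python
"""Scope an Akira-style encryption event from a host file inventory (added example)."""
from collections import Counter
import ntpath

# Exclusion lists as reported in the analysis above, compared case-insensitively
# (which also folds $Recycle.Bin and $RECYCLE.BIN into one entry).
EXCLUDED_EXTENSIONS = {".exe", ".dll", ".sys", ".msi", ".lnk", ".akira"}
EXCLUDED_FILENAMES = {"akira_readme.txt", "bootmgr", "bootnxt", "dumpstack.log.tmp",
                      "pagefile.sys", "swapfile.sys", "ntuser.dat"}
EXCLUDED_FOLDERS = {"tmp", "winnt", "temp", "thumb", "$recycle.bin",
                    "system volume information", "boot", "windows",
                    "trend micro", "programdata"}

RANSOM_NOTE = "akira_readme.txt"
ENCRYPTED_EXT = ".akira"


def _is_excluded(path: str) -> bool:
    """True if the described exclusion logic would skip this path.

    Assumption (not stated in the write-up): a folder exclusion applies to any
    component of the path, not only the top-level directory.
    """
    name = ntpath.basename(path).lower()
    ext = ntpath.splitext(name)[1]
    folders = [part.lower() for part in path.replace("/", "\\").split("\\")[:-1]]
    return (ext in EXCLUDED_EXTENSIONS
            or name in EXCLUDED_FILENAMES
            or any(folder in EXCLUDED_FOLDERS for folder in folders))


def classify(path: str) -> str:
    """Label one path for triage.

    "encrypted_unexpected" marks a .akira file whose original name the described
    rules should have skipped; that points at a different variant or a renamed
    file and is worth a closer look.
    """
    name = ntpath.basename(path).lower()
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name.endswith(ENCRYPTED_EXT):
        original = path[:-len(ENCRYPTED_EXT)]
        return "encrypted_unexpected" if _is_excluded(original) else "encrypted"
    return "skipped_by_design" if _is_excluded(path) else "candidate_not_encrypted"


def triage(paths):
    """Return (label counts, list of anomalous encrypted paths)."""
    counts = Counter()
    anomalies = []
    for path in paths:
        label = classify(path)
        counts[label] += 1
        if label == "encrypted_unexpected":
            anomalies.append(path)
    return counts, anomalies


# Constructed inventory standing in for a directory listing pulled from a host.
SAMPLE_INVENTORY = [
    r"C:\Users\alice\Documents\budget.xlsx.akira",
    r"C:\Users\alice\Documents\akira_readme.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\Temp\cache.bin",
    r"C:\ProgramData\vendor\config.json",
    r"C:\Data\archive.zip.akira",
    r"C:\Data\akira_readme.txt",
    r"C:\Data\tool.exe.akira",
    r"C:\pagefile.sys",
]

if __name__ == "__main__":
    counts, anomalies = triage(SAMPLE_INVENTORY)
    for label, n in sorted(counts.items()):
        print(f"{label:26} {n}")
    print("anomalies:", anomalies)
```

The "candidate_not_encrypted" bucket is the interesting one for scoping: in-scope files that were left untouched suggest the run was interrupted or the host was only partially processed, which changes the recovery plan.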


ENCRYPTION



The ransomware uses the “Microsoft Enhanced RSA and AES Cryptographic
Provider” (a Windows CryptoAPI provider) to encrypt the victim’s machine. The
malware employs several CryptoAPI functions, including CryptAcquireContextW(),
CryptImportPublicKeyInfo(), CryptGenRandom(), and CryptEncrypt().

Figure 6 – Encryption



As mentioned earlier, Akira ransomware uses the RSA and AES encryption
algorithms, and it comes with a fixed hardcoded base64 encoded public key, as
shown below.

Figure 7 – RSA Public key
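CryptImportPublicKeyInfo() consumes a key in SubjectPublicKeyInfo form, so a hardcoded base64 blob of that structure is what an analyst looks for when confirming an embedded public key and recording its size for the report. The Python below is an added example (not Cyble's code, and not part of the sample): it scans a byte blob for base64 runs, DER-parses each candidate as an RSA SubjectPublicKeyInfo, and reports offset, modulus size and public exponent. It assumes the key is stored exactly in that encoding, which the post does not state; the blob and the 2048-bit placeholder modulus are constructed, not taken from the sample.

```python
"""Find base64-encoded RSA public keys embedded in a binary blob (added example)."""
import base64
import binascii
import re

# DER encoding of OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption), tag and length included.
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def _der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value: int) -> bytes:
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def build_rsa_spki(modulus: int, exponent: int) -> bytes:
    """Encode an RSA SubjectPublicKeyInfo (RFC 5280 wrapping an RFC 8017 RSAPublicKey).
    Used here only to construct test input."""
    rsa_public_key = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    algorithm = _tlv(0x30, RSA_OID + b"\x05\x00")  # rsaEncryption with NULL parameters
    return _tlv(0x30, algorithm + _tlv(0x03, b"\x00" + rsa_public_key))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, end) for the DER element at pos, or None if malformed."""
    if pos + 2 > len(buf):
        return None
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            return None
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        return None
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der: bytes):
    """Return (modulus_bits, exponent) if der is an RSA SubjectPublicKeyInfo, else None."""
    outer = _read_tlv(der, 0)
    if not outer or outer[0] != 0x30:
        return None
    seq = outer[1]
    algorithm = _read_tlv(seq, 0)
    if not algorithm or algorithm[0] != 0x30 or not algorithm[1].startswith(RSA_OID):
        return None
    bit_string = _read_tlv(seq, algorithm[2])
    if not bit_string or bit_string[0] != 0x03 or not bit_string[1] or bit_string[1][0] != 0:
        return None
    rsa = _read_tlv(bit_string[1], 1)  # skip the unused-bits byte of the BIT STRING
    if not rsa or rsa[0] != 0x30:
        return None
    n = _read_tlv(rsa[1], 0)
    e = _read_tlv(rsa[1], n[2]) if n else None
    if not n or not e or n[0] != 0x02 or e[0] != 0x02:
        return None
    return int.from_bytes(n[1], "big").bit_length(), int.from_bytes(e[1], "big")


# Base64 runs long enough to hold a key; anything shorter is ignored.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def find_rsa_public_keys(blob: bytes):
    """Scan arbitrary bytes (for example a file image) for embedded RSA public keys."""
    hits = []
    for match in _B64_RUN.finditer(blob):
        try:
            der = base64.b64decode(match.group(0), validate=True)
        except binascii.Error:
            continue
        parsed = parse_rsa_spki(der)
        if parsed:
            hits.append({"offset": match.start(), "modulus_bits": parsed[0], "exponent": parsed[1]})
    return hits


# Constructed input: a 2048-bit placeholder modulus (not a real key) embedded
# between unrelated bytes, the way a hardcoded key sits among other data in a binary.
SAMPLE_KEY = build_rsa_spki((1 << 2047) + 12345, 65537)
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 32 + b"config=" +
               base64.b64encode(SAMPLE_KEY) + b"\x00" * 9 + b"some other text")
```

Running find_rsa_public_keys() over a sample's file image gives the offset to inspect in a disassembler and the key size to record; a hit also confirms that the public key is static, which matters because a fixed key means the operators, not the sample, hold the matching private key.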



In the next step, the malware appends the “.akira” extension to the encrypted
files.

The figure below shows the files encrypted by Akira ransomware after the
successful infection of a victim’s machine.

Figure 8 – Files encrypted by Akira Ransomware



Additionally, the ransomware uses a PowerShell command, shown in Figure 9, to
execute a WMI query that deletes the shadow copies, preventing system
restoration.

Figure 9 – PowerShell command to Delete Shadow copies
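Shadow copy deletion is the most readily detectable step described above and is the behaviour behind T1490 in the ATT&CK table further down. The Python below is an added example (not Cyble's code): it runs a small set of command-line patterns over process-creation log lines and returns one alert per match, tagged with the ATT&CK IDs from this post. The WMI-via-PowerShell form is the one the post describes; the vssadmin and wmic variants are additions that cover the same behaviour as seen with other ransomware families. The log format and the sample events are constructed.

```python
"""Flag shadow-copy deletion in process-creation logs (added example)."""
import re

# Each pattern is a set of substrings that must all appear in the normalised
# command line, plus the ATT&CK technique IDs to attach to the alert.
SHADOW_COPY_DELETION_PATTERNS = [
    ("powershell_wmi_remove", ("win32_shadowcopy", "remove-wmiobject"), ("T1490", "T1047", "T1059")),
    ("powershell_wmi_delete", ("win32_shadowcopy", "delete"), ("T1490", "T1047", "T1059")),
    ("wmic_shadowcopy_delete", ("wmic", "shadowcopy", "delete"), ("T1490", "T1047")),
    ("vssadmin_delete", ("vssadmin", "delete", "shadows"), ("T1490",)),
]

# Constructed log format: <timestamp> <host> <image> "<command line>"
_LINE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+"(.*)"$')


def parse_line(line: str):
    """Split one log line into fields; return None for lines that do not fit the format."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ts, host, image, cmd = m.groups()
    return {"timestamp": ts, "host": host, "image": image, "command": cmd}


def normalise(cmd: str) -> str:
    """Lower-case and collapse whitespace so casing and spacing tricks do not matter."""
    return " ".join(cmd.lower().split())


def match_pattern(cmd: str):
    """Return the first (rule name, techniques) whose tokens all occur in cmd, else None."""
    text = normalise(cmd)
    for name, tokens, techniques in SHADOW_COPY_DELETION_PATTERNS:
        if all(tok in text for tok in tokens):
            return name, techniques
    return None


def detect_shadow_copy_deletion(lines):
    """Return one alert per line whose command line matches a deletion pattern."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if not event:
            continue  # malformed line: skipped, not silently matched
        hit = match_pattern(event["command"])
        if hit:
            alerts.append({**event, "rule": hit[0], "techniques": list(hit[1])})
    return alerts


# Constructed sample events: the first three mimic shadow-copy deletion, the
# fourth and fifth are benign, the last is malformed.
SAMPLE_LOG = [
    '2023-05-05T10:12:33Z WS-042 powershell.exe "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"',
    '2023-05-05T10:12:40Z WS-042 cmd.exe "vssadmin  delete shadows /all /quiet"',
    '2023-05-05T10:12:52Z WS-042 wmic.exe "wmic shadowcopy delete"',
    '2023-05-05T10:13:01Z WS-042 powershell.exe "Get-ChildItem C:\\Users -Recurse"',
    '2023-05-05T10:13:05Z WS-042 vssadmin.exe "vssadmin list shadows"',
    'garbage line without the expected fields',
]

if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_LOG):
        print(f"{alert['timestamp']} {alert['host']} {alert['rule']} "
              f"({', '.join(alert['techniques'])}): {alert['command']}")
```

Substring matching on a normalised command line is deliberately broad: "vssadmin list shadows" does not fire because the "delete" token is missing, but a backup product that legitimately removes shadow copies will, so in production the rule is usually paired with an allow-list of known parent processes.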



The dropped ransom note provides instructions to the victims on how they can get
in touch with the Akira Ransomware Gang to initiate negotiations for the ransom.

The operators responsible for the Akira ransomware often threaten their victims,
claiming to have exfiltrated a large amount of corporate data before encrypting
it. They also warn of their intention to sell personal information, trade
secrets, databases, and source codes on the dark web market.

Additionally, they threaten to expose the stolen information publicly through
their blog (accessible via an Onion site) if the ransom demand is not met.

Figure 10 – Ransom note



Figure 11 depicts an Onion site belonging to Akira ransomware, which requires a
code (mentioned in the ransom note) to initiate communication or request
assistance from the Threat Actor.

Figure 11 – Chat window



The Akira ransomware homepage features a ‘news’ command that reveals a
comprehensive list of 16 victim organizations targeted by the group as of May
5th. The stolen information is summarized for each organization and can be
viewed on the same page.

The corresponding figure is provided below.

Figure 12 – “news” command on the Akira ransomware leak site displays a list of
victims



On the Akira ransomware homepage, a command called ‘leaks’ provides a list of
organizations targeted by the group that did not pay the demanded ransom (5
victims as of now).

The leaked data associated with each organization is available for download and
includes the organization’s name and a brief description.

Figure 13 – Akira ransomware leak site’s “leaks” command exhibits the data
leaked from victims


CONCLUSION



Akira ransomware is a newly discovered strain that has mainly affected victims
in the United States and Canada. This ransomware group actively targets
businesses and demands a significant amount of money in exchange for decryption
keys.

As organizations implement security measures to defend against ransomware
attacks, there is a corresponding rise in the number of new ransomware groups
emerging. These groups continuously adapt their strategies and expand their
operations to maximize profits.

Cyble Research & Intelligence Labs (CRIL) continuously monitors new ransomware
campaigns to keep our readers updated with our latest findings.



OUR RECOMMENDATIONS



We have listed some essential cybersecurity best practices that create the first
line of control against attackers. We recommend that our readers follow the best
practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

 * Conduct regular backup practices and keep those backups offline or in a
   separate network.
 * Turn on the automatic software update feature on your computer, mobile, and
   other connected devices wherever possible and pragmatic.
 * Use a reputed anti-virus and Internet security software package on your
   connected devices, including PC, laptop, and mobile.
 * Refrain from opening untrusted links and email attachments without verifying
   their authenticity.

Users Should Take the Following Steps After the Ransomware Attack

 * Isolate infected devices from the rest of the network.
 * Disconnect external storage devices if connected.
 * Inspect system logs for suspicious events.

Impact of Akira Ransomware

 * Loss of valuable data.
 * Loss of the organization’s reputation and integrity.
 * Loss of the organization’s sensitive business information.
 * Disruption in organization operation.
 * Financial loss.


MITRE ATT&CK® TECHNIQUES



Tactic: Execution

 * T1204 – User Execution
 * T1047 – Windows Management Instrumentation
 * T1059 – PowerShell

Tactic: Defense Evasion

 * T1497 – Virtualization/Sandbox Evasion
 * T1027 – Obfuscated Files or Information

Tactic: Discovery

 * T1057 – Process Discovery
 * T1012 – Query Registry
 * T1082 – System Information Discovery
 * T1083 – File and Directory Discovery

Tactic: Impact

 * T1486 – Data Encrypted for Impact
 * T1490 – Inhibit System Recovery


INDICATORS OF COMPROMISE (IOCS)



Indicator type – Indicator – Description

 * MD5 – c7ae7f5becb7cf94aa107ddc1caf4b03 – Akira Ransomware Exe
 * SHA1 – 923161f345ed3566707f9f878cc311bc6a0c5268 – Akira Ransomware Exe
 * SHA256 – 3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c – Akira Ransomware Exe
