www.trendmicro.com Open in urlscan Pro
184.30.222.132  Public Scan

URL: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-akira
Submission: On December 21 via api from DE — Scanned from DE

Form analysis 1 forms found in the DOM

<form class="main-menu-search" aria-label="Search Trend Micro" data-equally-id="equally_ai___ZSDrV">
  <div class="main-menu-search__field-wrapper" id="cludo-search-form">
    <table class="gsc-search-box">
      <tbody>
        <tr>
          <td class="gsc-input">
            <input type="text" class="gsc-input-field" name="search" title="search" placeholder="Search" autocomplete="off" aria-label="search">
          </td>
        </tr>
      </tbody>
    </table>
  </div>
</form>

Text Content

Business

search close

 * Solutions
   * By Challenge
       
     * By Challenge
         
       * By Challenge
         Learn more
         
     * Understand, Prioritize & Mitigate Risks
         
       * Understand, Prioritize & Mitigate Risks
         
         Improve your risk posture with attack surface management
         
         Learn more
         
     * Protect Cloud-Native Apps
         
       * Protect Cloud-Native Apps
         
         Security that enables business outcomes
         
         Learn more
         
     * Protect Your Hybrid World
         
       * Protect Your Hybrid, Multi-Cloud World
         
         Gain visibility and meet business needs with security
         
         Learn more
         
     * Securing Your Borderless Workforce
         
       * Securing Your Borderless Workforce
         
         Connect with confidence from anywhere, on any device
         
         Learn more
         
     * Eliminate Network Blind Spots
         
       * Eliminate Network Blind Spots
         
         Secure users and key operations throughout your environment
         
         Learn more
         
     * See More. Respond Faster.
         
       * See More. Respond Faster.
         
         Move faster than your adversaries with powerful purpose-built XDR,
         attack surface risk management, and zero trust capabilities
         
         Learn more
         
     * Extend Your Team
         
       * Extend Your Team. Respond to Threats Agilely
         
         Maximize effectiveness with proactive risk reduction and managed
         services
         
         Learn more
         
   * By Role
       
     * By Role
         
       * By Role
         Learn more
         
     * CISO
         
       * CISO
         
         Drive business value with measurable cybersecurity outcomes
         
         Learn more
         
     * SOC Manager
         
       * SOC Manager
         
         See more, act faster
         
         Learn more
         
     * Infrastructure Manager
         
       * Infrastructure Manager
         
         Evolve your security to mitigate threats quickly and effectively
         
         Learn more
         
     * Cloud Builder and Developer
         
       * Cloud Builder and Developer
         
         Ensure code runs only as intended
         
         Learn more
         
     * Cloud Security Ops
         
       * Cloud Security Ops
         
         Gain visibility and control with security designed for cloud
         environments
         
         Learn more
         
   * By Industry
       
     * By Industry
         
       * By Industry
         Learn more
         
     * Healthcare
         
       * Healthcare
         
         Protect patient data, devices, and networks while meeting regulations
         
         Learn more
         
     * Manufacturing
         
       * Manufacturing
         
         Protecting your factory environments – from traditional devices to
         state-of-the-art infrastructures
         
         Learn more
         
     * Oil & Gas
         
       * Oil & Gas
         
         ICS/OT Security for the oil and gas utility industry
         
         Learn more
         
     * Electric Utility
         
       * Electric Utility
         
         ICS/OT Security for the electric utility
         
         Learn more
         
     * Federal
         
       * Federal
         Learn more
         
     * Automotive
         
       * Automotive
         Learn more
         
     * 5G Networks
         
       * 5G Networks
         Learn more
         
 * Platform
   * Vision One Platform
       
     * Trend Vision One
       Our Unified Platform
       
       Bridge threat protection and cyber risk management
       
       Learn more
       
   * Attack Surface Management
       
     * Attack Surface Management
       
       Operationalize a zero trust strategy
       
       Learn more
       
   * XDR (Extended Detection & Response)
       
     * XDR (Extended Detection & Response)
       
       Stop adversaries faster with a broader perspective and better context to
       hunt, detect, investigate, and respond to threats from a single platform
       
       Learn more
       
   * Endpoint Security
       
     * Endpoint Security
         
       * Endpoint Security Overview
         
         Defend the endpoint through every stage of an attack
         
         Learn more
         
     * Workload Security
         
       * Workload Security
         
         Optimized prevention, detection, and response for endpoints, servers,
         and cloud workloads
         
         Learn more
         
     * Industrial Endpoint Security
         
       * Industrial Endpoint Security
         Learn more
         
   * Cloud Security
       
     * Cloud Security
         
       * Trend Cloud One
         Cloud Security Overview
         
         The most trusted cloud security platform for developers, security
         teams, and businesses
         
         Learn more
         
     * Cloud Security Posture Management
         
       * Cloud Security Posture Management
         
         Leverage complete visibility and rapid remediation
         
         Learn more
         
     * Container Security
         
       * Container Security
         
         Simplify security for your cloud-native applications with advanced
         container image scanning, policy-based admission control, and container
         runtime protection
         
         Learn more
         
     * File Storage Security
         
       * File Storage Security
         
         Security for cloud file/object storage services leveraging cloud-native
         application architectures
         
         Learn more
         
     * Network Security
         
       * Network Security
         
         Advanced cloud-native network security detection, protection, and cyber
         threat disruption for your single and multi-cloud environments.
         
         Learn more
         
     * Open Source Security
         
       * Open Source Security
         
         Visibility and monitoring of open source vulnerabilities for SecOps
         
         Learn more
         
     * Cloud Visibility
         
       * Cloud Visibility
         
         As your organization continues to move data and apps to the cloud and
         transform your IT infrastructure, mitigating risk without slowing down
         the business is critical.
         
         Learn more
         
   * Network Security
       
     * Network Security
         
       * Network Security Overview
         
         Expand the power of XDR with network detection and response
         
         Learn more
         
     * Network Intrusion Prevention (IPS)
         
       * Network Intrusion Prevention (IPS)
         
         Protect against known, unknown, and undisclosed vulnerabilities in your
         network
         
         Learn more
         
     * Breach Detection System (BDS)
         
       * Breach Detection System (BDS)
         
         Detect and respond to targeted attacks moving inbound, outbound, and
         laterally
         
         Learn more
         
     * Secure Service Edge (SSE)
         
       * Secure Service Edge (SSE)
         
         Redefine trust and secure digital transformation with continuous risk
         assessments
         
         Learn more
         
     * Industrial Network Security
         
       * Industrial Network Security
         Learn more
         
   * Email Security
       
     * Email Security
       
       Stop phishing, malware, ransomware, fraud, and targeted attacks from
       infiltrating your enterprise
       
       Learn more
       
   * Mobile Security
       
     * Mobile Security
       
       On-premises and cloud protection against malware, malicious applications,
       and other mobile threats
       
       Learn more
       
   * Threat Intelligence
       
     * Threat Intelligence
       
       Keep ahead of the latest threats and protect your critical data with
       ongoing threat prevention and analysis
       
       Learn more
       
   * Small & Midsized Business Security
       
     * Small & Midsized Business Security
       
       Stop threats with comprehensive, set-it-and-forget-it protection
       
       Learn more
       
   * All Products, Services and Trials
       
     * All Products, Services and Trials
       Learn more
       
 * Research
   * Research
       
     * Research
         
       * Research
         Learn more
         
     * About Our Research
         
       * About Our Research
         Learn more
         
     * Research, News, and Perspectives
         
       * Research, News, and Perspectives
         Learn more
         
     * Research and Analysis
         
       * Research and Analysis
         Learn more
         
     * Blog
         
       * Blog
         Learn more
         
     * Security News
         
       * Security News
         Learn more
         
     * Zero Day Initiatives (ZDI)
         
       * Zero Day Initiatives (ZDI)
         Learn more
         
 * Services
   * Our Services
       
     * Our Services
         
       * Our Services
         Learn more
         
     * Service Packages
         
       * Service Packages
         
         Augment security teams with 24/7/365 managed detection, response, and
         support
         
         Learn more
         
     * Managed XDR
         
       * Managed XDR
         
         Augment threat detection with expertly managed detection and response
         (MDR) for email, endpoints, servers, cloud workloads, and networks
         
         Learn more
         
     * Incident Response
         
       * Incident Response
         
         Our trusted experts are on call whether you're experiencing a breach or
         looking to proactively improve your IR plans
         
         Learn more
         
     * Support Services
         
       * Support Services
         Learn more
         
 * Partners
   * Channel Partners
       
     * Channel Partners
         
       * Channel Partner Overview
         
         Grow your business and protect your customers with the best-in-class
         complete, multilayered security
         
         Learn more
         
     * Managed Security Service Provider
         
       * Managed Security Service Provider
         
         Deliver modern security operations services with our industry-leading
         XDR
         
         Learn more
         
     * Managed Service Provider
         
       * Managed Service Provider
         
         Partner with a leading expert in cybersecurity, leverage proven
         solutions designed for MSPs
         
         Learn more
         
     * Cloud Service Provider
         
       * Cloud Service Provider
         
         Add market-leading security to your cloud service offerings – no matter
         which platform you use
         
         Learn more
         
     * Professional Services
         
       * Professional Services
         
         Increase revenue with industry-leading security
         
         Learn more
         
     * Resellers
         
       * Resellers
         
         Discover the possibilities
         
         Learn more
         
     * Marketplace
         
       * Marketplace
         Learn more
         
     * System Integrators
         
       * System Integrators
         Learn more
         
   * Alliance Partners
       
     * Alliance Partners
         
       * Alliance Overview
         
         We work with the best to help you optimize performance and value
         
         Learn more
         
     * Technology Alliance Partners
         
       * Technology Alliance Partners
         Learn more
         
     * Our Alliance Partners
         
       * Our Alliance Partners
         Learn more
         
   * Partner Tools
       
     * Partner Tools
         
       * Partner Tools
         Learn more
         
     * Partner Login
         
       * Partner Login
         Login
         
     * Education and Certification
         
       * Education and Certification
         Learn more
         
     * Partner Successes
         
       * Partner Successes
         Learn more
         
     * Distributors
         
       * Distributors
         Learn more
         
     * Find a Partner
         
       * Find a Partner
         Learn more
         
 * Company
   * Why Trend Micro
       
     * Why Trend Micro
         
       * Why Trend Micro
         Learn more
         
     * The Trend Micro Difference
         
       * The Trend Micro Difference
         Learn more
         
     * Customer Success Stories
         
       * Customer Success Stories
         Learn more
         
     * The Human Connection
         
       * The Human Connection
         Learn more
         
     * Industry Accolades
         
       * Industry Accolades
         Learn more
         
     * Strategic Alliances
         
       * Strategic Alliances
         Learn more
         
   * About Us
       
     * About Us
         
       * About Us
         Learn more
         
     * Trust Center
         
       * Trust Center
         Learn more
         
     * History
         
       * History
         Learn more
         
     * Diversity, Equity and Inclusion
         
       * Diversity, Equity and Inclusion
         Learn more
         
     * Corporate Social Responsibility
         
       * Corporate Social Responsibility
         Learn more
         
     * Leadership
         
       * Leadership
         Learn more
         
     * Security Experts
         
       * Security Experts
         Learn more
         
     * Internet Safety and Cybersecurity Education
         
       * Internet Safety and Cybersecurity Education
         Learn more
         
     * Legal
         
       * Legal
         Learn more
         
     * Investors
         
       * Investors
         Learn more
         
   * Connect with Us
       
     * Connect with Us
         
       * Connect with Us
         Learn more
         
     * Newsroom
         
       * Newsroom
         Learn more
         
     * Events
         
       * Events
         Learn more
         
     * Careers
         
       * Careers
         Learn more
         
     * Webinars
         
       * Webinars
         Learn more
         

Back

Back

Back

Back

 * Free Trials
 * Contact Us

Looking for home solutions?
Under Attack?

Support
 * Business Support Portal
 * Virus and Threat Help
 * Renewals and Registration
 * Education and Certification
 * Contact Support
 * Find a Support Partner

Resources
 * Cyber Risk Index/Assessment
 * CISO Resource Center
 * DevOps Resource Center
 * What Is?
 * Threat Encyclopedia
 * Cloud Health Assessment
 * Cyber Insurance
 * Glossary of Terms
 * Webinars

Log In
 * Support
 * Partner Portal
 * Cloud One
 * Product Activation and Management
 * Referral Affililate

Back

arrow_back
search



close
 * Security News
 * Ransomware Spotlight
 * Ransomware Spotlight: Akira


RANSOMWARE SPOTLIGHT: AKIRA

X






Akira


October 05, 2023
 * Email
 * Facebook
 * Twitter
 * Google+
 * Linkedin



By Trend Micro Research

This report spotlights Akira, a novel ransomware family with highly experienced
and skilled operators at its helm.

View infographic of "Ransomware Spotlight: Akira"

Akira is swiftly becoming one of the fastest-growing ransomware families thanks
to its use of double extortion tactics, a ransomware-as-a-service (RaaS)
distribution model, and unique payment options.

Based on a report that analyzed blockchain and source code data, the Akira
ransomware group appears to be affiliated with the now-defunct Conti ransomware
gang. Conti, one of the most notorious ransomware families in recent history, is
believed to be the descendant of yet another prolific ransomware family, the
highly targeted Ryuk ransomware.

As ransomware actors evolve their tactics, create more sophisticated ransomware
families, and cause financial and reputational harm to businesses, organizations
need to work on improving their cybersecurity posture to effectively thwart
complex threats. This report spotlights Akira, a novel ransomware family with
highly experienced and skilled operators at its helm.


WHAT ORGANIZATIONS NEED TO KNOW ABOUT AKIRA

Akira ransomware emerged in March 2023 and has been known to target companies
based in the US and Canada.

Its Tor leak site has a unique retro look that, according to a report from
Sophos, is reminiscent of “1980s green-screen consoles” that can be navigated by
typing specific commands.

Based on its code, it is completely different from the Akira ransomware family
that was active in 2017, even though they both append encrypted files with the
same .akira extension.

As previously mentioned, Akira operators are associated with Conti ransomware
actors, which explains code similarities in both ransomware families. In July,
the Arctic Wolf Labs Team reported that Akira shared code similarities with the
Conti ransomware. However, they also noted that when Conti’s source code was
leaked, different malicious actors used it to create or tweak their own
ransomware code, which makes it even more challenging to trace back ransomware
families to Conti operators.

Based on our own analysis, Akira appears to be based on the Conti ransomware: It
shares similar routines with Conti, such as string obfuscation and file
encryption, and avoids the same file extensions that Conti avoids. We believe
that Akira operators’ main motivation for targeting organizations is financial
in nature.

The Akira RaaS group performs double extortion tactics and steals victims’
critical data prior to encrypting devices and files. Interestingly, according to
reports, Akira operators provide victims the option to pay for either file
decryption or data deletion; they don’t force victims into paying for both.
According to reports, ransom demands for Akira typically range from US$200,000
to over US$4 million.

On Sept. 12, 2023, the U.S. Department of Health and Human Services Health
Sector Cybersecurity Coordination Center (HC3) released a security bulletin
alerting the healthcare industry of Akira attacks.


RECENT ACTIVITIES

In June 2023, just three months after Akira was discovered, Akira expanded its
list of targeted systems to include Linux machines. Malware analyst rivitna
shared on X that Akira ransomware actors used a Linux encryptor and targeted
VMware ESXi virtual machines.

Meanwhile, in August, incident responder Aura reported that Akira was targeting
Cisco VPN accounts that didn’t have multifactor authentication (MFA).

Cisco released a security advisory on Sept. 6, 2023, stating that Akira
ransomware operators exploited CVE-2023-20269, a zero-day vulnerability in two
of their products’ remote access VPN feature: the Cisco Adaptive Security
Appliance (ASA) software and Cisco Firepower Thread Defense (FTD) software.

Cisco reported that malicious actors who exploit CVE-2023-20269 can identify
valid credentials that could be abused to establish unauthorized remote access
VPN sessions, and for victims running Cisco ASA Software Release 9.16 or
earlier, establish a clientless SSL VPN session.

Recently, Sentinel One released a video analyzing an Akira ransomware variant
named Megazord that emerged in August 2023. This variant appears to be
referencing a Power Rangers formation because it encrypts files with the
“POWERRANGES” file extension. The ransom note, which is named “powerranges.txt,”
instructs victims to contact the ransomware actor via TOX messenger.


TOP AFFECTED INDUSTRIES AND COUNTRIES

Because Akira is new and highly targeted, the number of attacks is not as
substantial as other more established and widely used ransomware families. Our
Trend Micro™ Smart Protection Network™ telemetry points to France as having been
most hit by Akira from May 1, 2023, to Aug. 31, 2023, with 53.1% of all
detections. The United States and Turkey take the second and third spots,
respectively, with 107 and 22 detections.

Figure 1. Countries with the highest number of attack attempts per machine for
the Akira ransomware (May 1, 2023, to Aug. 31, 2023)
Source: Trend Micro Smart Protection Network infrastructure




Based on our data, most of Akira’s victims belong to unspecified industries.
Based on reports, approximately 80% of Akira’s victims are small to medium-sized
businesses (SMBs). The materials, manufacturing, and financial sectors made the
top five list in the three-month span.

Figure 2. Industries with the highest number of attack attempts per machine for
the Akira ransomware (May 1, 2023, to Aug. 31, 2023)
Source: Trend Micro Smart Protection Network infrastructure




Akira’s monthly detections showed a surge in June 2023 with 508 attack attempts,
which is significantly higher than the other months in our analysis period. Our
lowest detections were for May 2023, with only three attack attempts for the
entire month.

Figure 3. Monthly breakdown of detections per machine for the Akira ransomware
(May 1, 2023, to Aug. 31, 2023)
Source: Trend Micro Smart Protection Network infrastructure


TARGETED REGIONS AND INDUSTRIES
ACCORDING TO AKIRA'S RANSOMWARE LEAK SITE

We now focus on Akira ransomware operators’ leak site data, which provides
details on organizations that have been targeted by Akira actors.

This data, which is a consolidation of Trend Micro’s open-source intelligence
(OSINT) research and investigation of the leak site, shows that Akira ransomware
actors compromised 107 organizations between April 1 to August 31, 2023. Most of
Akira victims — specifically, 85.9% of them — were businesses based in North
America.



Figure 4. The distribution by region of Akira ransomware’s victim organizations
Sources: Akira ransomware’s leak site and Trend Micro’s OSINT research (April
2023 – August 2023)

Figure 5. The 10 countries most targeted by the Akira ransomware group
Sources: Akira ransomware’s leak site and Trend Micro’s OSINT research (April
2023 – August 2023)




We’ve found that most of Akira’s victims were small-sized businesses, with 1 to
200 employees, at 59 victims. Meanwhile, midsized businesses and large
enterprises took the second and third slots, respectively. Interestingly, based
on leak site data, the most targeted sectors are the academe and professional
services, followed closely by construction and materials.



Figure 6. The distribution by organization size of Akira ransomware’s victim
organizations
Sources: Akira ransomware’s leak site and Trend Micro’s OSINT research (April
2023 – August 2023)

Figure 7. The 10 industries most targeted by Akira ransomware threat actors
Sources: Akira ransomware’s leak site and Trend Micro’s OSINT research (April
2023 – August 2023)


INFECTION CHAIN AND TECHNIQUES

The Akira ransomware typically gains access to victim environments by using
valid credentials that were possibly obtained from their affiliates or other
attacks. It has been observed using third-party tools such as PCHunter, AdFind,
PowerTool, Terminator, Advanced IP Scanner, Windows Remote Desktop Protocol
(RDP), AnyDesk, Radmin, WinRAR, and Cloudflare’s tunneling tool. Figure 8 shows
Akira’s infection chain.



Figure 8. The typical Akira ransomware infection chain



Figure 9. The Akira ransomware infection chain based on an infection case we’ve
analyzed




INITIAL ACCESS

Akira ransomware actors are known to use compromised VPN credentials to gain
initial access. They’ve also been observed targeting vulnerable Cisco VPNs by
exploiting CVE-2023-20269, a zero-day vulnerability that affects Cisco ASA and
FTD.




PERSISTENCE

Akira operators have been observed creating a new domain account on the
compromised system to establish persistence.




DEFENSE EVASION

For its defense evasion, Akira ransomware actors have been observed using
PowerTool or a KillAV tool that abuses the Zemana AntiMalware driver to
terminate AV-related processes.




DISCOVERY

The actors behind the Akira ransomware have been observed using the following to
gain knowledge on the victim's system and its connected network:

 * PCHunter and SharpHound to gather system information
 * AdFind alongside the net Windows command and nltest to obtain domain
   information
 * Advanced IP Scanner and MASSCAN to discover other remote systems




CREDENTIAL ACCESS

Akira ransomware operators use Mimikatz, LaZagne, or a specific command line to
gather credentials.




LATERAL MOVEMENT

Akira actors use Windows RDP to move laterally within the victim's network.




COMMAND AND CONTROL

Akira ransomware operators have been observed using the third-party tool and web
service RClone to exfiltrate stolen information. Moreover, they have also been
observed using either FileZilla or WinSCP to exfiltrate stolen information via
File Transfer Protocol (FTP).

 * AnyDesk
 * Radmin
 * Cloudflare Tunnel
 * MobaXterm
 * RustDesk
 * Ngrok




EXFILTRATION

Akira ransomware operators have been observed using the third-party tool and web
service RClone to exfiltrate stolen information. Moreover, they have also been
observed using either FileZilla or WinSCP to exfiltrate stolen information via
File Transfer Protocol (FTP).




IMPACT

Akira ransomware encrypts targeted systems using a hybrid encryption algorithm
that combines Chacha20 and RSA. Additionally, the Akira ransomware binary, like
most modern ransomware binaries, has a feature that allows it to inhibit system
recovery by deleting shadow copies from the affected system.




OTHER TECHNICAL DETAILS

 * It avoids encrypting the following directories:
    * winnt
    * tmp
    * temp
    * thumb
    * $Recycle.Bin
    * $RECYCLE.BIN
    * System Volume Information
    * Boot
    * Windows
    * Trend Micro
    * ProgramData

 * It avoids encrypting files with the following extensions:
    * .exe
    * .dll
    * .lnk
    * .sys
    * .msi
    * .akira

 * It encrypts the whole file, regardless of size, if the file extension is any
   of the following:
    * .4dd
    * .4dl
    * .accdb
    * .accdc
    * .accde
    * .accdr
    * .accdt
    * .accft
    * .adb
    * .ade
    * .adf
    * .adp
    * .arc
    * .ora
    * .alf
    * .ask
    * .btr
    * .bdf
    * .cat
    * .cdb
    * .ckp
    * .cma
    * .cpd
    * .dacpac
    * .dad
    * .dadiagrams
    * .daschema
    * .db
    * .db-shm
    * .db-wal
    * .db3
    * .dbc
    * .dbf
    * .dbs
    * .dbt
    * .dbv
    * .dbx
    * .dcb
    * .dct
    * .dcx
    * ddl
    * .dlis
    * .dp1
    * .dqy
    * .dsk
    * .dsn
    * .dtsx
    * .dxl
    * .eco
    * .ecx
    * .edb
    * .epim
    * .exb
    * .fcd
    * .fdb
    * .fic
    * .fmp
    * .fmp12
    * .fmpsl
    * .fol
    * .fol
    * .fp4
    * .fp5
    * .fp7
    * .fpt
    * .frm
    * .gdb
    * .grdb
    * .gwi
    * .hdb
    * .his
    * .ib
    * .idb
    * .ihx
    * .itdb
    * .itw
    * .jet
    * .jtx
    * .kdb
    * .kexi
    * .kexic
    * .kexis
    * .lgc
    * .lwx
    * .maf
    * .maq
    * .mar
    * .mas
    * .mav
    * .mdb
    * .mdf
    * .mpd
    * .mrg
    * .mud
    * .mwb
    * .myd
    * .ndf
    * .nnt
    * .nrmlib
    * .ns2
    * .ns3
    * .ns4
    * .nsf
    * .nv
    * .nv2
    * .nwdb
    * .nyf
    * .odb
    * .oqy
    * .orx
    * .owc
    * .p96
    * .p97
    * .pan
    * .pdb
    * .pdm
    * .pnz
    * .qry
    * .qvd
    * .rbf
    * .rctd
    * .rod
    * .rodx
    * .rpd
    * .rsd
    * .sas7bdat
    * .sbf
    * .scx
    * .sdb
    * .sdc
    * .sdf
    * .sis
    * .spq
    * .sql
    * .sqlite
    * .sqlite3
    * .sqlitedb
    * .te
    * .temx
    * .tmd
    * .tps
    * .trc
    * .trm
    * .udb
    * .udl
    * .usr
    * .v12
    * .vis
    * .vpd
    * .vvv
    * .wdb
    * .wmdb
    * .wrk
    * .xdb
    * .xld
    * .xmlff
    * .abcddb
    * .abs
    * .abx
    * .accdw
    * .adn
    * .db2
    * .fm5
    * .hjt
    * .icg
    * .icr
    * kdb
    * .lut
    * .maw
    * .mdn
    * .mdt

 * It avoids encrypting files with the following extensions:
    * .PLAY
    * .exe
    * .msi
    * .dll
    * .lnk
    * .sys

 * It drops a ransom note:
   
   
   
   akira_readme.txt

 * It encrypts files using Chacha20 and encrypts the key using RSA encryption.
    * Key generation:
      * A ChaCha20 key and nonce are generated using CryptGenRandom
    * Key encryption:
      * It uses the embedded RSA public key to encrypt the generated Chacha20
        key
    * File encryption
      * Files are encrypted using ChaCha20 encryption.
      * The Akira ransomware supports three encryption modes depending on the
        file type and size:
        * Full encryption
        * Partial encryption
        * Spot encryption

 * It appends this extension to encrypted files:
    * .akira

 * Hacktools
    * PowerTool
    * ADFind


MITRE TACTICS AND TECHNIQUES

Initial AccessPersistenceExecutionDefense EvasionCredential
AccessDiscoveryCommand and ControlLateral MovementExfiltrationImpact

T1078 - Valid Accounts
Uses compromised VPN credentialsl

T1190 - Exploit Public-Facing Application
Targets vulnerable Cisco devices via CVE-2023-20269

T1136.002 - Create Account: Domain Account
Once initial access is established, Akira operators will create a domain account
on the compromised system

T1059 - Command and Scripting Interpreters
Accepts parameters for its routines such as “-n 10” (for encryption percent) or
“-s {filename}” (for shared folder encryption)

T1562.001 - Impair Defenses: Disable or Modify Tools
It has been observed to use PowerTool or a KillAV tool that abuses Zemana
AntiMalware driver to terminate AV-related processes

T1003.001 - OS Credential Dumping: LSASS Memory
Uses Mimikatz, LaZagne, or a command line to dump LSASS from memory

T1082 - System Information Discovery
Uses PCHunter and SharpHound to gather system information

T1069.002 - Permission Groups Discovery: Domain Groups
Uses AdFind, net Windows command, and nltest to gather domain information

T1018 - Remote System Discovery
Uses Advanced IP Scanner and MASSCAN to discover remote systems

T1219 - Remote Access Software
May use either AnyDesk, Radmin, Cloudflare Tunnel, MobaXterm, RustDesk, or Ngrok
to gain remote access on targeted systems

T1570 - Lateral Tool Transfer
Uses RDP to move laterally within the victim’s network

T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
Uses RClone to exfiltrate stolen information over web service

T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over
Unencrypted Non-C2 Protocol
Uses FileZilla or WinSCP to exfiltrate stolen information via FTP

T1490 - Inhibit System Recovery
Deletes shadow copies to inhibit recovery

T1486 - Data Encrypted for Impact
Akira ransomware is used to encrypt files


SUMMARY OF MALWARE, TOOLS, AND EXPLOITS USED

Initial AccessDefense EvasionDiscoveryCredential AccessCommand and
ControlLateral MovementExfiltration
 * VPN via compromised accounts

 * PowerTool

 * AdFind

 * Mimikatz

 * AnyDesk

 * RDP

 * WinSCP

 * CVE-2023-20269

 * KillAV (Terminator from GitHub)

 * PCHunter

 * LaZagne

 * Radmin

 * Rclone

 * Advanced IP Scanner

 * LSASS dump

 * Cloudflare Tunnel

 * FileZilla

 * SharpHound

 * MobaXterm

 * MASSCAN

 * RustDesk

 * ngrok





SECURITY RECOMMENDATIONS

<

As experienced ransomware actors develop increasingly sophisticated ransomware
families, organizations need to proactively protect themselves from evolving
threats. As ransomware threats evolve and exploit vulnerabilities to target
businesses around the world, organizations need to improve their security
posture to avoid financial and reputational harm.

Here are some security best practices that can help organizations protect their
mission-critical data from ransomware attacks:




AUDIT AND INVENTORY

 * Take an inventory of assets and data.
 * Identify authorized and unauthorized devices and software.
 * Make an audit of event and incident logs.




CONFIGURE AND MONITOR

 * Manage hardware and software configurations.
 * Grant admin privileges and access only when necessary to an employee’s role.
 * Monitor network ports, protocols, and services.
 * Activate security configurations on network infrastructure devices such as
   firewalls and routers.
 * Establish a software allowlist that executes only legitimate applications.




PATCH AND UPDATE

 * Conduct regular vulnerability assessments.
 * Perform patching or virtual patching for operating systems and applications.
 * Update software and applications to their latest versions.




PROTECT AND RECOVER

 * Implement data protection, backup, and recovery measures.
 * Enable multifactor authentication (MFA).




SECURE AND DEFEND

 * Employ sandbox analysis to block malicious emails.
 * Deploy the latest versions of security solutions to all layers of the system,
   including email, endpoint, web, and network.
 * Detect early signs of an attack such as the presence of suspicious tools in
   the system.
 * Use advanced detection technologies such as those powered by artificial
   intelligence (AI) and machine learning.




TRAIN AND TEST

 * Regularly train and assess employees in security skills.
 * Conduct red-team exercises and penetration tests.

A multilayered approach can help organizations guard possible entry points into
the system (endpoint, email, web, and network). Security solutions that can
detect malicious components and suspicious behavior can also help protect
enterprises.

 * Trend Micro Vision One™ provides multilayered protection and behavior
   detection, which helps block questionable behavior and tools early on before
   the ransomware can do irreversible damage to the system.
 * Trend Micro Cloud One™ Workload Security protects systems against both known
   and unknown threats that exploit vulnerabilities. This protection is made
   possible through techniques such as virtual patching and machine learning.
 * Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and
   advanced analysis techniques to effectively block malicious emails, including
   phishing emails that can serve as entry points for ransomware.
 * Trend Micro Apex One™ offers next-level automated threat detection and
   response against advanced concerns such as fileless threats and ransomware,
   ensuring the protection of endpoints.


INDICATORS OF COMPROMISE (IOCS)

The IOCs for this article can be found here. Actual indicators might vary per
attack.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to
copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Posted in Ransomware Spotlight, Ransomware


RELATED POSTS

 * Trend Micro Security Predictions for 2024: Critical Scalability
 * Ransomware Spotlight: Trigona
 * LockBit, BlackCat, and Clop Prevail as Top RAAS Groups: Ransomware in 1H 2023
 * Stepping Ahead of Risk: Trend Micro 2023 Midyear Cybersecurity Threat Report
 * Ransomware Spotlight: Royal


RECENT POSTS

 * Threat Modeling API Gateways: A New Target for Threat Actors?
 * Rising Security Weaknesses in the Automotive Industry and What It Can Do on
   the Road Ahead
 * Trend Micro Security Predictions for 2024: Critical Scalability
 * Ransomware Spotlight: Trigona
 * Steering Clear of Security Blind Spots: What SOCs Need to Know


WE RECOMMEND

 * Internet of Things
 * Virtualization & Cloud
 * Ransomware
 * Securing Home Routers

 * MQTT and M2M: Do You Know Who Owns Your Machine’s Data?
    * Addressing CAPTCHA-Evading Phishing Threats With Behavior-Based AI
      Protection
    * A Deep Dive into the Packet Reflection Vulnerability Allowing Attackers to
      Plague Private 5G Networks

 * Understanding the Kubernetes Security Triad: Image Scanning, Admission
   Controllers, and Runtime Security
    * Mining Through Mountains of Information and Risk: Containers and Exposed
      Container Registries
    * Exposed Container Registries: A Potential Vector for Supply-Chain Attacks

 * Trend Micro Security Predictions for 2024: Critical Scalability
    * Ransomware Spotlight: Trigona
    * Ransomware Spotlight: Akira

 * Alexa and Google Home Devices can be Abused to Phish and Eavesdrop on Users,
   Research Finds
    * Mirai Variant Spotted Using Multiple Exploits, Targets Various Routers
    * A Look Into the Most Noteworthy Home Network Security Threats of 2017

CRITICAL SCALABILITY: TREND MICRO SECURITY PREDICTIONS FOR 2024

2024 is poised to be a hotbed for new challenges in cybersecurity as the
economic and political terrains continue to undergo digitization and enterprises
increasingly leverage artificial intelligence and machine learning (AI/ML), the
cloud, and Web3 technologies.
View the 2024 Trend Micro Security Predictions

TREND MICRO 2023 MIDYEAR CYBERSECURITY THREAT REPORT

We look at the major events in the first half of 2023 and draw a picture of the
threat landscape from behaviors and patterns observed in the threat landscape to
stay ahead and prepare for risks in the second half of the year.
View the report

Try our services free for 30 days

 * Start your free trial today

 * 
 * 
 * 
 * 
 * 


RESOURCES

 * Blog
 * Newsroom
 * Threat Reports
 * DevOps Resource Center
 * CISO Resource Center
 * Find a Partner


SUPPORT

 * Business Support Portal
 * Contact Us
 * Downloads
 * Free Trials
 * 
 * 


ABOUT TREND

 * About Us
 * Careers
 * Locations
 * Upcoming Events
 * Trust Center
 * 

Select a country / region

United States ❯

THE AMERICAS

 * United States
 * Brasil
 * Canada
 * México

MIDDLE EAST & AFRICA

 * South Africa
 * Middle East and North Africa

EUROPE

 * België (Belgium)
 * Česká Republika
 * Danmark
 * Deutschland, Österreich Schweiz
 * España
 * France
 * Ireland
 * Italia
 * Nederland
 * Norge (Norway)
 * Polska (Poland)
 * Suomi (Finland)
 * Sverige (Sweden)
 * Türkiye (Turkey)
 * United Kingdom

ASIA & PACIFIC

 * Australia
 * Центральная Азия (Central Asia)
 * Hong Kong (English)
 * 香港 (中文) (Hong Kong)
 * भारत गणराज्य (India)
 * Indonesia
 * 日本 (Japan)
 * 대한민국 (South Korea)
 * Malaysia
 * Монголия (Mongolia) and рузия (Georgia)
 * New Zealand
 * Philippines
 * Singapore
 * 台灣 (Taiwan)
 * ประเทศไทย (Thailand)
 * Việt Nam

Privacy | Legal | Accessibility | Site map

Copyright ©2023 Trend Micro Incorporated. All rights reserved


word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word word word word word word word word word
word word word word word word word word

mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1
mmMwWLliI0fiflO&1