Akira Ransomware Analysis, Simulation and Mitigation- CISA Alert AA24-109A

On April 18, 2024, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Akira ransomware [1]. Akira ransomware is a relatively new ransomware group and yet they have several variants that are capable of encrypting Windows, Linux and VMware ESXi virtual machines. Akira also operates as a Ransomware-as-a-Service group and has impacted hundreds of organizations collecting over 42 million USD in ransom payments within a single year. 

In this blog post, we explained the Tactics, Techniques, and Procedures (TTPs) used by Akira ransomware and how organizations can defend themselves against Akira ransomware attacks.

Akira Ransomware

Akira ransomware started its operations in March 2023 and has been actively targeting various businesses and critical infrastructure organizations in the United States, Canada, Australia, France, Germany, Italy, Spain, and other European countries. So far, they have compromised more than 250 organizations and continue to threaten many others with their Ransomware-as-a-Service operations. Akira has different ransomware variants named Akira, Megazord, and Akira_v2, and these variants are capable of encrypting Windows, Linux, and VMware ESXi systems.

Akira threat actors exploit known Cisco vulnerabilities like CVE-2020-3259 and CVE-2023-20269 to gain initial access to target networks. They also use phishing campaigns and compromised credentials against external-facing services such as Remote Desktop Protocol (RDP) for initial access. After establishing an initial foothold, adversaries create administrative accounts for persistent access and leverage credential dumping tools and techniques for privilege escalation and lateral movement. As a final impact, Akira threat actors exfiltrate sensitive data, delete volume shadow copies, and encrypt the files and directories in the infected systems.

In this blog, we explained TTPs used by the Akira ransomware group. If you are interested on how Akira ransomware exploits Cisco ASA zero-day vulnerability, please visit our previous blog post on "CVE-2023-20269: Akira Ransomware Exploits Cisco ASA Vulnerability".

Akira Ransomware Analysis and MITRE ATT&CK TTPs

Initial Access

T1078 Valid Accounts & T1133 External Remote Services

Akira threat actors obtain these credentials through brute force attacks or Initial Access Brokers (IABs). After acquiring credentials to valid accounts, adversaries use Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services to gain initial and persistent access to the target network.

T1190 Exploit Public Facing Applications

Adversaries exploit known Cisco vulnerabilities to gain access to target organizations. Although CVE-2023-20269 (CVSS Score: 9.1 Critical) and CVE-2020-3259 (CVSS Score: 7.5 High) are known vulnerabilities, Akira threat actors were able to gain initial access through unpatched Cisco ASA appliances.

T1566 Phishing

Akira operators use phishing emails with malicious links and attachments to gain initial access to target systems. Adversaries craft benign-looking emails to trick unsuspecting users into infecting their systems.

Execution

T1047 Windows Management Instrumentation 

Akira ransomware deletes volume shadow copies via Windows Management Instrumentation (WMI). This malicious action prevents victims from recovering their encrypted files using shadow copies.

T1059.001 Command and Scripting Interpreter: PowerShell

Adversaries use open-source Veeam-Get-Creds PowerShell scripts to obtain and decrypt accounts from Veeam servers. Akira operators also use Powershell Kerberos TicketDumper PowerShell script to dump Kerberos tickets from the LSA cache.

T1059.003 Command and Scripting Interpreter: Windows Command Shell 

Akira threat actors use the following shell commands for discovery after initial access.

Persistence

T1136.002 Create Account: Domain Account

Adversaries create new domain accounts to establish persistent access to compromised systems. In some cases, Akira operators were identified, creating an administrative account named itadm.

Defense Evasion

T1562.001 Impair Defenses: Disable or Modify Tools

Akira threat actors abuse the Zemana AntiMalware drive via PowerTool to disable antivirus software. This technique is also called Bring Your Own Vulnerable Driver (BYOVD).

Credential Access

T1003 OS Credential Dumping

Akira operators use popular credential dumping tools like Mimikatz and LaZagne to extract credentials stored in the LSASS memory. Adversaries use the following command to dump LSASS memory.

T1555.003 Credentials from Password Stores: Credentials from Web Browsers

Adversaries use the following commands to dump credentials stored in browsers used in the compromised systems. This malicious action uses the Living-off-the-Land techniques by abusing the “esentutl.exe” to copy locked files like credential stores.

Collection

T1560 Archive Collected Data

Prior to exfiltration for double extortion, Akira threat actors split the victims' sensitive data into segments and compress them using WinRAR.

Command and Control (C2)

T1090 Proxy

Adversaries use ngrok to create a secure tunnel to servers used for data exfiltration.

T1219 Remote Access Software 

Akira operators use remote desktop software like AnyDesk, Cloudflare Tunnel, MobaXterm, Ngrok, and RustDesk to access compromised systems remotely.

Exfiltration

T1048 Exfiltration Over Alternative Protocol & T1537 Transfer Data to Cloud Account

Akira threat actors use legitimate tools like FileZilla, WinSCP, and rclone to exfiltrate data through various protocols such as FTP, SFTP, and cloud services.

Impact

T1486 Data Encrypted for Impact 

Akira operators use various ransomware payloads to encrypt files in the compromised system. These payloads use a hybrid encryption that combines ChaCha20 stream cipher with an RSA public-key cryptosystem. Depending on the encryptor, the encrypted files are appended to with .akira, .powerranges, or .akiranew extensions.

T1490 Inhibit System Recovery 

Adversaries use the following commands to delete volume shadow copies and prevent their victims from recovering their encrypted files.

How Picus Helps Simulate Akira Ransomware Attacks?

We also strongly suggest simulating Akira ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as Phobos, ALPHV, and Play, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Akira ransomware: 

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Akira ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Akira ransomware:

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trial of the Picus Complete Security Validation Platform.

References

[1] “#StopRansomware: Akira Ransomware,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a. [Accessed: Apr. 20, 2024]