Author:
Marcus Knowles, Jr. CIRT Analyst
In the rapidly evolving landscape of cybersecurity, ransomware attacks have emerged as one of the most pervasive and damaging threats to businesses worldwide. Among the myriad ransomware families, one name has been making headlines – Akira. Understanding the origins, evolution, and tactics employed by Akira is crucial in the fight against this potent digital adversary.
Ransomware families reported in 2021.
- Ryuk
- SamSam
- Cerber
- GandCrab
- CryptoJoker
I. Akira’s Genesis and Evolution
Akira made its debut in March 2023, swiftly targeting companies based in the U.S. and Canada. Based on a report that analysed blockchain and source code data, the Akira ransomware group appears to be affiliated with the now-defunct Conti ransomware “gang” (Trend Micro). Conti, one of the most notorious ransomware families in recent history, is believed to be the descendant of yet another prolific ransomware family, the highly targeted Ryuk ransomware. Based on its code, the current Akira is completely different from the Akira ransomware family that was active in 2017, even though both append encrypted files with the same “.akira” extension.
Intriguingly, Akira’s evolution has been marked by adaptability. Minor variants that surfaced in May and June of 2023 demonstrated the malware’s ability to change its tactics. One variant appended files with a “.iqoj” extension, while another used “.zhq,” leading victims to Akira’s Tor site. Additionally, there are indications that Akira might be undergoing a transformation, with a Rust-based variant named Megazord surfacing in August 2023, suggesting a potential shift in programming strategy.
II. Technical Insights into Akira
Akira’s potency lies in its unique attributes. It utilises double extortion tactics and operates on a Ransomware as a Service (RaaS) model, providing cybercriminals with a lucrative means to carry out attacks. Its ransom demands, ranging from hundreds of thousands to millions of dollars, reflect the gravity of the threat it poses. Furthermore, Akira’s operators offer victims the option to pay for either file decryption or data deletion, distinguishing it from other ransomware families.
Ransom Payments from 2018-2023 (BackBlaze)
The Sophos State of Ransomware 2023 report, a survey of 3,000 IT decision-makers from mid-sized organisations in 14 countries, found the average ransom payment was $1.54 million. This is almost double the 2022 figure of $812,380 and almost ten times the 2020 average of $170,404. Coveware, a security consulting firm, found that the average ransom payment for Q2 2023 was $740,144, also a big spike over previous quarters. While the specific numbers vary depending on sampling, both reports point to ransoms continuing to rise.
MITRE ATT&CK Framework
The MITRE ATT&CK framework provides a comprehensive list of tactics and techniques used by adversaries to compromise networks. The framework is divided into two main categories: Enterprise and Mobile. This section focuses on the Enterprise category, which consists of ten tactics.
- Initial Access: Valid Accounts – Akira operators use compromised VPN credentials and/or vulnerable Cisco devices via CVE-2023-20269
- Persistence: Create Account: Domain Account – Once initial access is established, Akira operators create a domain account on the compromised system
- Execution: Command and Scripting Interpreter – Accepts parameters for its routines such as “-n 10” (encryption percentage) or “-s (unknown)” (shared folder encryption)
- Defence Evasion: Impair Defences: Disable or Modify Tools – Has been observed to use PowerTool or a KillAV tool that abuses the Zemana AntiMalware driver to terminate AV-related processes
- Credential Access: OS Credential Dumping: LSASS Memory – Uses Mimikatz, LaZagne, or a command line to dump LSASS from memory
- Discovery:
  - System Information Discovery – Uses PCHunter and SharpHound to gather system information
  - Permission Groups Discovery: Domain Groups – Uses AdFind, the net Windows command, and nltest to gather domain information
  - Remote System Discovery – Uses Advanced IP Scanner and MASSCAN to discover remote systems
- Command and Control: Remote Access Software – May use AnyDesk, Radmin, Cloudflare Tunnel, MobaXterm, RustDesk, or Ngrok to gain remote access to targeted systems
- Lateral Movement: Lateral Tool Transfer – Uses RDP to move laterally within the victim’s network
- Exfiltration:
  - Exfiltration Over Web Service: Exfiltration to Cloud Storage – Uses RClone to exfiltrate stolen information over a web service
  - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol – Uses FileZilla or WinSCP to exfiltrate stolen information via FTP
- Impact:
  - Inhibit System Recovery – Deletes shadow copies to inhibit recovery
  - Data Encrypted for Impact – Akira ransomware encrypts files and is sold on the dark web
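The mapping above is most useful once it is turned into something a SOC can run. The following is an added example (not code from the original article): a small rule set that matches command lines from process-creation telemetry (Sysmon Event ID 1 and Windows Security Event ID 4688 both carry a command line) against the Akira behaviours listed above. The sample events are constructed, the Host/User/CommandLine field names are this example's own, and the ATT&CK technique IDs are taken from the Enterprise matrix rather than from the article.

```python
"""Added example, not code from the original article: rules that map
command lines from process-creation telemetry onto the Akira ATT&CK
techniques listed above. Sample events are constructed; field names and
technique IDs are this example's own assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str       # ATT&CK technique the rule evidences
    pattern: re.Pattern  # matched case-insensitively against the command line


RULES = [
    # Persistence: a new domain account created from the command line
    Rule("T1136.002 Create Account: Domain Account",
         re.compile(r"\bnet1?\s+user\b.*\s/add\b.*\s/domain\b", re.I)),
    # Credential Access: LSASS dumping tools named in the mapping above
    Rule("T1003.001 OS Credential Dumping: LSASS Memory",
         re.compile(r"(mimikatz|lazagne|procdump.*lsass)", re.I)),
    # Discovery: network scanners named in the mapping above
    Rule("T1018 Remote System Discovery",
         re.compile(r"(advanced_ip_scanner|masscan)", re.I)),
    # Exfiltration: rclone pushing data to a remote
    Rule("T1567.002 Exfiltration to Cloud Storage",
         re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
    # Impact: shadow copy deletion
    Rule("T1490 Inhibit System Recovery",
         re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)", re.I)),
    # Defence Evasion: AV-killing tools named in the mapping above
    Rule("T1562.001 Impair Defenses: Disable or Modify Tools",
         re.compile(r"(powertool|killav|zemana)", re.I)),
]


def detect(events):
    """Return one (host, user, technique, command_line) tuple per rule hit.
    `events` is an iterable of dicts with Host, User and CommandLine keys."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        for rule in RULES:
            if rule.pattern.search(cmd):
                hits.append((ev["Host"], ev["User"], rule.technique, cmd))
    return hits


def techniques_seen(events):
    """Distinct techniques evidenced, sorted, for a quick coverage summary."""
    return sorted({t for _, _, t, _ in detect(events)})


# Constructed sample telemetry: two routine admin commands and five that
# line up with the Akira playbook described above.
SAMPLE_EVENTS = [
    {"Host": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": "vssadmin.exe list shadows"},
    {"Host": "WS17", "User": "CORP\\jdoe",
     "CommandLine": "net user jdoe /domain"},
    {"Host": "DC01", "User": "CORP\\admin_t",
     "CommandLine": "net user itsupport2 Summ3r-2023 /add /domain"},
    {"Host": "WS17", "User": "CORP\\jdoe",
     "CommandLine": "procdump.exe -ma lsass.exe C:\\Temp\\ls.dmp"},
    {"Host": "WS17", "User": "CORP\\jdoe",
     "CommandLine": "C:\\ProgramData\\advanced_ip_scanner.exe /portable"},
    {"Host": "FS01", "User": "CORP\\admin_t",
     "CommandLine": "rclone.exe copy D:\\Finance remote:staging"},
    {"Host": "FS01", "User": "CORP\\admin_t",
     "CommandLine": "vssadmin.exe delete shadows /all"},
]

if __name__ == "__main__":
    for host, user, technique, cmd in detect(SAMPLE_EVENTS):
        print(f"{host:5} {user:16} {technique:45} {cmd}")
```

Two of the seven constructed events are deliberately benign (listing shadow copies, querying a user) so the rules can be checked for false positives as well as hits; in production the same rules would be expressed in the SIEM's query language and tuned against the environment's own admin tooling.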
III. The Ransomware Landscape: Trends and Challenges
Ransomware as a Service (RaaS) is growing. Hackers created RaaS tools, helping them make more profit as other hackers carry out widespread ransomware attacks. Akira ransomware utilises the RSA-2048 and ChaCha20 encryption algorithms, making it extremely difficult to crack. According to recent reports, ransomware demands saw a 144% increase in 2021, with ransomware payouts averaging more than $6 million for victims in the U.S.
- Ransomware attacks increased by 105% in 2021 (SonicWall, 2022).
- Ransomware attacks saw a 13% increase over the past five years (BrightTalk).
- 80% of previous ransomware targets got hit with a second ransomware attack (Cybereason, 2022).
- 68% of previous ransomware targets saw a second attack within the first month for a higher ransom (Cybereason, 2022).
- There was an 82% increase in ransomware-related data leaks in 2021 (CrowdStrike, 2022).
- As of late 2022, data theft occurred in an average of 70% of ransomware cases (Palo Alto Networks Unit 42).
(As Provided by Corvus Insurance)
The cybersecurity landscape has witnessed the rise of active ransomware families such as LockBit, Clop, and BlackCat. Compounding the challenge is the growth of Ransomware as a Service (RaaS), a subscription-based model allowing hackers to exploit vulnerable systems effortlessly. Shocking statistics underline the gravity of the situation: ransomware attacks increased by 105% in 2021, with victims in the U.S. facing demands averaging over $6 million.
IV. Strategies for Defence and Prevention
- Educate Employees: Employees should be educated about the risks of ransomware and how to identify and avoid phishing emails, malicious attachments, and other threats. They should report suspicious emails or attachments and avoid opening them or clicking on links or buttons within them.
- Implement Strong Passwords: Organisations should enforce strong, unique passwords for all user accounts. Passwords should be at least eight characters long and include a mix of uppercase and lowercase letters, numbers, and special characters. Regularly updating and rotating passwords is essential.
- Enable Multi-factor Authentication: Multi-factor authentication (MFA) should be enabled for all user accounts. This can be done through mobile apps, like Google Authenticator or Microsoft Authenticator, or by using physical tokens or smart cards.
- Update and Patch Systems: Regularly updating and patching systems is crucial to fixing known vulnerabilities. This includes the operating system, applications, and firmware on all devices. Unnecessary or unused services or protocols should be disabled.
- Implement Backup and Disaster Recovery: Organisations should establish regular backup and disaster recovery (BDR) processes. This involves creating backups of all data and systems and storing them securely offsite. Regular testing of backups ensures they can be restored quickly.
Reinfection:
When ransomware actors attack businesses today, they leave behind artefacts and reconfigurations that many security programs cannot or will not detect as suspicious. Even after mitigating a ransomware attack, hidden doors may remain unnoticed, enabling threat actors to reactivate dormant artefacts or use access that was previously attained through stolen credentials, backdoors, or reconfigurations. This is the essence of ransomware reinfection: It’s essentially a problem with remediation.
Ways to Avoid Ransomware Reinfection
While a numbered list could never replace our remediation experts, there are a few tried-and-true, high-level actions that resource-constrained IT teams can take to help protect against ransomware attacks, whether it is the first or sixth time getting hit.
1. Turn on real-time monitoring and logging to stay up-to-date on suspicious activity within your networks and devices. The alerts may be overwhelming, but it’s important to at least be aware of them. If a security incident does take place, retain critical log data for at least one year.
2. Audit access privileges on a regular basis, especially for anyone with administrator permissions. Remove any unknown admins immediately.
3. Deploy two-factor authentication (2FA) or multi-factor authentication (MFA) for everyone in the organisation, especially remote workers using VPNs, to stop attackers from using stolen passwords or brute forcing their way in. In most cases, cybercriminals are stopped by the second authentication request.
4. Update all software regularly and as soon as patches are released to plug any vulnerabilities. Turn on automatic updates, if possible.
5. Do not rely solely on automated software to resolve security incidents and attacks. Ensure any access points, security configurations, and IT admin programs are clear before closing the case.
6. Back up data: Once you’ve confirmed all systems are clean, back up copies of data from endpoints and preserve them offline in another physical location. According to Sophos’ 2023 ransomware report, 45 per cent of businesses that used physical backups were able to fully recover from a ransomware attack in a week vs. one to six months.
7. Take employees on a cybersecurity journey, showing them how important their role is to the safety of the organisation. This can be done through training, shadowing, inviting staff to security meetings, and giving them the tools to help themselves, such as access to awareness resources or antivirus software for personal devices.
8. If a particular threat is difficult to remove, bring in cybersecurity experts to look at your network traffic and logs and give a concise report on what’s happening.
9. If possible, engage with a dedicated security organisation or managed service provider (MSP) to keep expert eyes on the glass 24/7 and stop cyberattacks before they get off the ground. If onboarding a security partner during incident response, they should provide subject matter expertise and technical support, ensure that the threat actors are eradicated from the network, and catch residual issues that could result in follow-up compromise once the incident is closed.
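The privilege-audit step above is easy to state and easy to let slip. As an added example (not code from the original article), here is a baseline comparison of privileged-group membership that turns "audit access privileges" and "remove any unknown admins" into a repeatable check, and that also flags the pattern from the ATT&CK mapping where operators create their own domain account after initial access. The member records are constructed (in practice they would be exported from the directory), and the field names sam, created, last_logon and mfa are this example's own.

```python
"""Added example, not code from the original article: compare a snapshot of
privileged-group membership against an approved baseline. Records are
constructed and the field names are assumptions."""
from datetime import datetime, timedelta

# Approved members of the privileged group, as signed off by change control.
BASELINE_ADMINS = {"admin.alice", "admin.bob", "admin.carol", "svc_backup"}

# Constructed snapshot of current membership.
CURRENT_ADMINS = [
    {"sam": "admin.alice", "created": datetime(2019, 3, 4),
     "last_logon": datetime(2023, 9, 20), "mfa": True},
    {"sam": "admin.bob", "created": datetime(2020, 7, 15),
     "last_logon": datetime(2023, 4, 1), "mfa": True},
    {"sam": "svc_backup", "created": datetime(2018, 1, 9),
     "last_logon": datetime(2023, 9, 21), "mfa": False},
    {"sam": "itsupport2", "created": datetime(2023, 9, 18),
     "last_logon": datetime(2023, 9, 21), "mfa": False},
]


def audit_admins(current, baseline, now, new_days=30, stale_days=90):
    """Compare a membership snapshot against the approved baseline.

    Returns a dict of sorted account lists:
      unknown          - members not in the baseline (remove immediately)
      missing          - baseline members no longer present (an intruder may
                         have removed a defender's account)
      recently_created - created within `new_days`; every new admin should
                         have a change ticket behind it
      stale            - no logon for `stale_days`; dormant admins are
                         low-visibility footholds for stolen credentials
      no_mfa           - members without MFA enforced
    """
    present = {m["sam"] for m in current}
    return {
        "unknown": sorted(present - baseline),
        "missing": sorted(baseline - present),
        "recently_created": sorted(
            m["sam"] for m in current
            if now - m["created"] <= timedelta(days=new_days)),
        "stale": sorted(
            m["sam"] for m in current
            if now - m["last_logon"] > timedelta(days=stale_days)),
        "no_mfa": sorted(m["sam"] for m in current if not m["mfa"]),
    }


if __name__ == "__main__":
    report = audit_admins(CURRENT_ADMINS, BASELINE_ADMINS, datetime(2023, 9, 22))
    for category, accounts in report.items():
        print(f"{category:17}: {', '.join(accounts) or '-'}")
```

Run on the constructed snapshot as of 22 September 2023, the check reports itsupport2 as unknown, newly created and lacking MFA, admin.carol as missing from the group, and admin.bob as stale; each of those is a question for the administrator before the case is closed.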
V. Enhancing Cyber Resilience
Evaluate Ransomware Preparedness:
Assess endpoint controls such as anti-virus/anti-malware, endpoint protection, detection, and response solutions, along with device management tools.
Implement Application Resilience Policies:
Enforce application resilience policies to ensure critical security applications and device management tools are installed and functioning as intended.
Continuous Security Posture Evaluation:
Continuously detect and report the status of anti-malware, detection, and response software installed on endpoint assets to evaluate security posture.
Accelerate Recovery Process:
Use customised workflows and automated commands for device recovery. Utilise custom scripts to identify infected machines, quarantine endpoints, disable networking, or support device re-imaging.
Sensitive Data Identification:
Scan devices for sensitive data such as financial information, social security numbers, personally identifiable information (PII), protected health information (PHI), and intellectual property.
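Knowing where the sensitive data sits is what lets an organisation judge the damage when a double-extortion actor claims to hold it. As an added example (not code from the original article), here is a minimal scanner for two of the data types named above, social security numbers and payment card numbers. Rather than reporting every digit pattern, it applies structural checks (never-issued SSN ranges, the Luhn checksum for card numbers) so that dates and phone numbers are not counted. The sample documents are constructed.

```python
"""Added example, not code from the original article: a minimal sensitive-data
scanner for SSNs and payment card numbers with plausibility checks. Sample
documents are constructed."""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 16 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def plausible_ssn(area, group, serial):
    """The SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text):
    """Count plausible SSNs and Luhn-valid card numbers in one document."""
    ssns = sum(1 for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups()))
    cards = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            cards += 1
    return {"ssn": ssns, "card": cards}


def scan_documents(documents):
    """Return (name, counts) for every document with at least one finding."""
    report = []
    for name, text in documents.items():
        counts = scan_text(text)
        if any(counts.values()):
            report.append((name, counts))
    return report


# Constructed sample documents. 4111 1111 1111 1111 is a well-known
# Luhn-valid test number; 987-65-4321 sits in an SSN area range that is
# never issued, so it must not be counted.
SAMPLE_DOCS = {
    "hr_export.csv": "name,ssn\nAlice Example,123-45-6789\nBob Example,987-65-4321\n",
    "invoice_2023-09.txt": "Paid by card 4111 1111 1111 1111 on 2023-09-21.\n",
    "readme.txt": "Nothing sensitive here. Call 555-0100 for support.\n",
}

if __name__ == "__main__":
    for name, counts in scan_documents(SAMPLE_DOCS):
        print(f"{name}: {counts}")
```

A real deployment would walk the file system, handle office and archive formats, and add patterns for the other categories the article lists (PHI identifiers, internal project code names); the plausibility checks are what keep such a scanner's output reviewable rather than a wall of false positives.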
VI. Conclusion and Recommendations
In conclusion, combating the evolving threat landscape of ransomware, exemplified by the rise of sophisticated strains like Akira, necessitates a multifaceted approach involving education, proactive defence, and resilient recovery strategies. Organisations must not only implement robust preventive measures but also continually adapt and enhance their security postures to stay ahead of cybercriminals.
Author:
Marcus Knowles, Jr. CIRT Analyst
Marcus Knowles is a Jr. Analyst at the National Computer Incident Response Team of The Bahamas (CIRT-BS). With an information technology background and a blossoming career in cybersecurity, Mr. Knowles holds a Bachelor’s degree in Accounting and Computer Information Systems from Savannah State University. His goal is to help educate the public about the dangers of ransomware and provide them with the knowledge they need to protect themselves against this growing threat. He aims to raise awareness about the impact of these attacks on businesses and society as a whole.
Resources:
Trend Micro. “Ransomware Spotlight: Akira.” Trend Micro, Trend Micro Inc., https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-akira.
Bleeping Computer. “Meet Akira: A New Ransomware Operation Targeting the Enterprise.” 7 May 2023.
Sophos. “Akira Ransomware is Bringing 88 Back.” 9 May 2023.
Recon InfoSec. “Emergence of Akira Ransomware Group.” 10 May 2023.
Cyble. “Unraveling Akira Ransomware.” 10 May 2023.
SonicWall Security News. “Akira Ransomware Double Extortion Scheme: Encrypts and Publicly Leaks Sensitive Data.” 19 May 2023.
K7 Computing Labs. “Akira Ransomware: Unleashing Chaos Using Conti Leaks.” 26 May 2023.
Cyble Blog. “Akira Ransomware Extends Reach to Linux Platform.” 28 June 2023.
Avast Threat Research. “Decrypted Akira Ransomware.” 29 June 2023.
Trend Micro Research. Twitter. 11 July 2023.
Cert-In. “Akira Ransomware Sector Alert.” 21 July 2023.
CloudSEK. “Akira Ransomware: What You Need to Know.” 24 July 2023.
Arctic Wolf Networks. “Conti and Akira Chained Together.” 26 July 2023.
BankInfoSecurity. “Akira Ransomware Apparently in Decline but Still a Threat.” 27 July 2023.
Bleeping Computer. “Akira Ransomware Targets Cisco VPNs to Breach Organizations.” 22 August 2023.
Stairwell. “Akira: Pulling on the Chains of Ransomware.” 23 August 2023.
SentinelOne Blog. “From Conti to Akira: Decoding the Latest Linux/ESXi Ransomware Families.” 23 August 2023.
Cisco Blogs. “Akira Ransomware: Targeting VPNs Without Multi-Factor Authentication.” 24 August 2023.
Rivitna2. Twitter. 28 August 2023.
TrueSec Blog. “A Victim of Akira Ransomware.” 28 August 2023.
Valery Marchive. Twitter. 11 September 2023.
U.S. Department of Health & Human Services. “Akira Ransomware Sector Alert TLPClear.” 12 September 2023.
Darktrace Blog. “Akira Ransomware: How Darktrace Foiled Another Novel Ransomware Attack.” 13 September 2023.
CyberCX Blog. “Akira Ransomware.” 15 September 2023.
BrightTalk Webcast. “Ransomware Trends and Solutions.” Retrieved from https://www.brighttalk.com/webcast/5586/584745.