'Ransomware in focus' is our new series unravelling the complexities of ransomware groups throughout the ecosystem. By detailing their business strategies, target victims, and the tactics, techniques, and procedures (TTPs) behind their operations, we hope to arm businesses with essential knowledge required to confront and overcome the challenges posed by ransomware.
In this instalment, James Tytler examines the operations of Akira.
Background
First observed in March 2023, Akira is a sophisticated and financially motivated Ransomware-as-a-Service (RaaS) group known for primarily targeting small to medium-sized enterprises. Akira seeks to exfiltrate sensitive information from a target and then encrypt the target's data with ransomware. The group attempts to monetise attacks by holding both the encrypted and the stolen data to ransom. Akira is opportunistic and targets organisations across all sectors.
Business model
Under the RaaS model, Akira’s developers provide access to their ransomware binary and dark web leak site infrastructure to affiliates in exchange for a share of any ransom payments. Affiliates are responsible for conducting individual attacks and have different playbooks and skill levels. However, Akira maintains control over the ransom demands and the discounts which affiliates can offer.
Location
Akira’s developers are likely based in Russia or other former members of the Soviet Union. Unlike other ransomware groups based in Russian-speaking countries, the Akira ransomware binary does not appear to contain a function which terminates the ransomware if the malware detects the presence of a Russian keyboard layout. Nevertheless, S-RM has observed Akira communicating in Russian on dark web cybercrime forums, and the profile of their victims, primarily organisations based in the United States, the United Kingdom and Canada, aligns with other Russian-speaking groups.
Group affiliations
Akira is not confirmed to be a rebrand of any specific group. However, some overlap in activity has been observed with the now defunct ransomware group, Conti. Cryptocurrency transaction analysis shows that entire ransom payments have been sent to Bitcoin wallet addresses associated with affiliates of the former Conti group, and even to wallets reportedly associated with a member of the Conti leadership team. Conti disbanded in May 2022.
Additionally, S-RM has observed overlaps in tactics, techniques and procedures between Akira and Fog cases, which likely indicates a crossover of affiliates between the two ransomware groups.
Victimology
Since their emergence in March 2023, Akira has publicly claimed 342 victims on their dark web leak site. They primarily target small to medium-sized enterprises based in the United States and Western Europe but have recently been observed targeting victims in Latin America.
86%: most of Akira’s victims to date have been small to medium-sized businesses with fewer than 1,000 employees.
[Figure 1. Companies targeted in the last 30 days. Source: ecrime.ch]
Notable Attacks
- In March 2024, Nissan Oceania reported that data of 100,000 people had been impacted by an Akira ransomware attack in December 2023.
- In January 2024, the Finnish IT services and cloud hosting provider Tietoevry was hit by Akira, resulting in outages for customers hosted in their cloud environment.
- In June 2024, it was reported that the Singapore-based law firm Shook Lin & Bok paid a ransom of USD 1.4 million in Bitcoin to Akira after suffering a cyber attack.
[Figure 2. Companies targeted in the last 90 days, by sector. Source: ecrime.ch]
*Data based on victims posted to the actor’s leak site, and thus unlikely to be comprehensive of all victims.
Tactics, Techniques and Procedures (TTPs)
Initial access
Akira is known for infiltrating target organisations via their VPNs, either by using compromised credentials or by exploiting vulnerabilities in the VPN software. In September 2024, it was reported that Akira may be conducting a campaign exploiting a vulnerability in SonicWall SSL VPN appliances (CVE-2024-40766) to gain initial access, although to date this has not been conclusively proven. Akira has also leveraged Remote Desktop Protocol (RDP) and valid credentials purchased on the dark web to gain access to victims’ networks.
Propagation
There is considerable variation in tooling and methodologies among different Akira affiliates. Akira often uses the remote desktop applications AnyDesk and ScreenConnect to maintain persistent access to victims’ networks, and commercial tools such as Advanced IP Scanner and SoftPerfect Network Scanner to enumerate victims' networks. We have also observed Akira affiliates exploiting a software vulnerability in VMware vCenter (CVE-2021-21972) for privilege escalation and creating virtual machines to evade security tooling.
Encryption
Akira has advanced encryption software which targets both Windows and Linux systems, including VMware ESXi hypervisors. We have also observed Akira deleting data instead of encrypting it on occasion, which may be an effort to ensure the victim cannot recover the data through methods such as data carving from slack space. A decryption tool for an older version of Akira ransomware was developed by security researchers and publicly released in July 2023. In past cases, S-RM has had some success using this tool to decrypt impacted assets, specifically small files. However, in August 2023, Akira began deploying a new version of their ransomware called Megazord. To date, there is no known publicly available decryptor for the Megazord variant.
Exfiltration
Akira often compresses data prior to exfiltration using WinRAR. They have been observed using the command line tool Rclone to synchronise data with the cloud storage platform Mega. Akira threatens to publish exfiltrated data on their leak site in the absence of payment and has leaked data for 79 of the 342 victims named on their leak site to date. As such, they have a somewhat inconsistent track record for leaking data. A distinguishing feature of the group is the unique design of their leak site, which is built to resemble a command-line interface that accepts user input for further actions.
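As an added example (not from the original article or S-RM's own tooling), the following Python script correlates the compress-then-upload sequence described above over constructed process-creation events: a WinRAR archive creation followed within a short window by an rclone upload from the same host and user. The event format, the host and user names, and the remote name "mega" are assumptions; real rclone remote names are chosen by the operator, so the rule keys on the staging-then-upload sequence rather than on the name.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (timestamp, host, user, command line); not real telemetry.
EVENTS = [
    ("2024-09-01T02:10:05", "FS01", "svc_backup",
     r'"C:\Program Files\WinRAR\WinRAR.exe" a -r -ep1 C:\Temp\hr.rar \\FS01\HR\*'),
    ("2024-09-01T02:12:41", "FS01", "svc_backup",
     r'C:\Temp\rclone.exe copy C:\Temp\hr.rar mega:backup --transfers 8'),
    ("2024-09-01T09:00:00", "WS07", "jdoe",
     r'"C:\Program Files\WinRAR\WinRAR.exe" x C:\Users\jdoe\Downloads\report.rar'),
    ("2024-09-01T14:30:00", "WS07", "jdoe",
     r'C:\Tools\rclone.exe sync C:\Users\jdoe\Docs corp:share'),
]

# WinRAR invoked with the "a" (add to archive) command: data staging, not extraction ("x").
WINRAR_ADD = re.compile(r'winrar(?:\.exe)?"?\s+a\b', re.IGNORECASE)
# rclone copy/sync/move from a local path to a configured remote written as "<remote>:<path>".
RCLONE_UPLOAD = re.compile(
    r'rclone(?:\.exe)?\s+(?:copy|sync|move|copyto)\s+\S+\s+([A-Za-z0-9_-]+):', re.IGNORECASE)


def staging_then_exfil(events, window_minutes=60):
    """Return one alert per rclone upload that follows a WinRAR archive creation
    by the same host and user within window_minutes. Events are sorted by timestamp
    so the order of the sequence is explicit."""
    alerts = []
    last_archive = {}  # (host, user) -> time of the most recent WinRAR "a" command
    for ts, host, user, cmd in sorted(events):
        when = datetime.fromisoformat(ts)
        key = (host, user)
        if WINRAR_ADD.search(cmd):
            last_archive[key] = when
            continue
        m = RCLONE_UPLOAD.search(cmd)
        if m and key in last_archive and when - last_archive[key] <= timedelta(minutes=window_minutes):
            alerts.append({"host": host, "user": user, "remote": m.group(1), "at": ts})
    return alerts


if __name__ == "__main__":
    for a in staging_then_exfil(EVENTS):
        print(f"ALERT {a['at']} {a['host']}\\{a['user']}: rclone upload to remote "
              f"'{a['remote']}' shortly after WinRAR archive creation")
```

The second host in the sample only extracts an archive and later runs rclone, so it produces no alert; extending the rule to other archivers (7-Zip, tar) or to renamed rclone binaries is a matter of adding patterns or matching on binary hashes rather than names.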