Akira, LimeWire, and the Sour Taste of Data Exfiltration
June 15, 2026, 6:46 p.m.
Description
In a recent ransomware intrusion, the threat actor gained access to a victim's hypervisor and created a new virtual machine from which to stage and launch Akira ransomware. The forensic investigation found that the attacker disabled Microsoft Defender immediately, installed WinRAR to stage data for exfiltration, and exfiltrated it through Easyupload.io, a file-transfer site owned by LimeWire. The attacker also used WinSCP and enumerated Active Directory users and computers. Because the newly created VM carried none of the organization's security tooling, the attacker could operate on it uninhibited. Analysis of the VM's VHDX disk image gave a clear record of the attack's progression and showed the actor moving quickly through the operation without any meaningful anti-forensics. The incident highlights the need for organizations to monitor for unusual access to hypervisors and for the creation of new virtual machines or other endpoints that sit outside their security controls.
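The chain summarized above (new VM on the hypervisor, Defender switched off, WinRAR/WinSCP staging, traffic to Easyupload.io) can be turned into a simple correlation rule. The script below is an added example, not code from the original page or from the report it summarizes. It assumes a normalized log feed where each line is `<ISO-8601 time>|<asset>|<source>|<event id>|<message>`, that Defender, Sysmon and DNS events for the new VM reach a central log, and that the hypervisor names the VM in quotes in its creation message; the sample lines, the Hyper-V VMMS event ID and the message wording are constructed assumptions to check against your own telemetry.

```python
"""Correlate 'new VM created' with follow-on signals from the Akira chain.

Added example; not from the original page or from The DFIR Report.
Assumed log format per line: <ISO-8601 time>|<asset>|<source>|<event id>|<message>
Event IDs and message strings are assumptions; verify against your environment.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Domain named in the report; extend with other file-drop sites you care about.
EXFIL_DOMAINS = {"easyupload.io"}

# Constructed sample lines (not real telemetry). 13002 is an assumed Hyper-V VMMS
# creation ID; 5001 is Defender's "real-time protection disabled" event.
SAMPLE_LOGS = r"""
2026-06-12T01:10:04Z|HV01|Microsoft-Windows-Hyper-V-VMMS|13002|New virtual machine 'WS-TEMP' was created.
2026-06-12T01:18:31Z|WS-TEMP|Microsoft-Windows-Windows Defender|5001|Microsoft Defender Antivirus Real-Time Protection is disabled.
2026-06-12T01:22:09Z|WS-TEMP|Microsoft-Windows-Sysmon|1|Process Create: Image: C:\Program Files\WinRAR\WinRAR.exe
2026-06-12T01:40:55Z|WS-TEMP|Microsoft-Windows-Sysmon|1|Process Create: Image: C:\Program Files (x86)\WinSCP\WinSCP.exe
2026-06-12T01:41:02Z|WS-TEMP|DNS|0|Query for easyupload.io type A from 10.0.5.77
2026-06-12T03:05:00Z|FS01|Microsoft-Windows-Sysmon|1|Process Create: Image: C:\Windows\System32\notepad.exe
2026-06-12T09:00:00Z|HV02|Microsoft-Windows-Hyper-V-VMMS|13002|New virtual machine 'DEV-BUILD' was created.
2026-06-12T09:30:00Z|DEV-BUILD|Microsoft-Windows-Sysmon|1|Process Create: Image: C:\Windows\System32\svchost.exe
"""


@dataclass
class Event:
    ts: datetime
    asset: str       # the machine the event is about (VM name for guest events)
    source: str
    event_id: int
    msg: str


def parse_logs(text):
    """Parse the assumed pipe-delimited format into time-ordered Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, asset, source, eid, msg = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            asset, source, int(eid), msg))
    return sorted(events, key=lambda e: e.ts)


# Signal name -> predicate over one event. Matching on message text as well as
# event ID keeps the rule working if the IDs differ in your environment.
RULES = {
    "vm_created": lambda e: "Hyper-V-VMMS" in e.source
        and re.search(r"virtual machine '[^']+' was created", e.msg, re.I) is not None,
    "defender_disabled": lambda e: "Windows Defender" in e.source
        and (e.event_id == 5001
             or re.search(r"real-time protection is disabled", e.msg, re.I) is not None),
    "staging_tool": lambda e: "Sysmon" in e.source and e.event_id == 1
        and re.search(r"\\(WinRAR|WinSCP)\.exe", e.msg, re.I) is not None,
    "exfil_domain": lambda e: e.source == "DNS"
        and any(d in e.msg.lower() for d in EXFIL_DOMAINS),
}


def signals_for(event):
    """Names of every rule the event satisfies."""
    return [name for name, pred in RULES.items() if pred(event)]


def detect(text, window_hours=4.0, min_followups=2):
    """Flag each newly created VM that shows at least `min_followups` distinct
    follow-on signals (Defender off, staging tool, exfil domain) within the window."""
    events = parse_logs(text)
    window = timedelta(hours=window_hours)
    by_asset = defaultdict(list)
    for e in events:
        by_asset[e.asset].append(e)

    findings = []
    for e in events:
        if "vm_created" not in signals_for(e):
            continue
        vm = re.search(r"'([^']+)'", e.msg).group(1)
        seen = set()
        for f in by_asset.get(vm, []):
            if e.ts <= f.ts <= e.ts + window:
                seen.update(s for s in signals_for(f) if s != "vm_created")
        if len(seen) >= min_followups:
            findings.append({"vm": vm, "hypervisor": e.asset,
                             "created": e.ts.isoformat(), "signals": sorted(seen)})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(finding)
```

With the constructed sample, only `WS-TEMP` is flagged: it was created on `HV01` and within four hours had Defender disabled, WinRAR and WinSCP launched, and a DNS query for easyupload.io. `DEV-BUILD` is created too but shows no follow-on signals, so it stays below the threshold; lower `min_followups` to 1 if you want every new VM that disables Defender surfaced on its own, at the cost of noise from legitimate WinSCP use.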
Tags
Date
- Created: June 12, 2026, 4:57 p.m.
- Published: June 12, 2026, 4:57 p.m.
- Modified: June 15, 2026, 6:46 p.m.
Indicators
- 131877a052f62750d815cf55d4c14f606a26025e3094e1b8bb18bd1668e3beaa