Akira ransomware continues to evolve

Oct. 22, 2024, 9:57 a.m.

Description

Akira ransomware has established itself as a prominent threat, constantly evolving its tactics. Initially employing double-extortion, it shifted focus to data exfiltration in early 2024. The group developed a Rust variant of their ESXi encryptor, moving away from C++. Recently, Akira has returned to previous encryption methods combined with data theft. They exploit various vulnerabilities for initial access and lateral movement, targeting sectors like manufacturing and professional services. The ransomware now uses ChaCha8 cipher for faster encryption. Akira is likely to continue prioritizing high-impact CVEs and attacks against VMware ESXi and Linux environments, adapting their techniques to maintain operational stability and effectiveness.

External References

https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/
https://otx.alienvault.com/pulse/671773ca6756ce1c876f2a07
Tags
linux
ransomware
windows
rust
CVE-2024-37085
vulnerability exploitation
akira
CVE-2023-27532
esxi
CVE-2024-40766
CVE-2023-48788
double-extortion
CVE-2024-40711
CVE-2023-20269
2024-10-22
CVE-2020-3259
CVE-2023-20263
chacha8
megazord

Date

  • Created: Oct. 22, 2024, 9:43 a.m.
  • Published: Oct. 22, 2024, 9:43 a.m.
  • Modified: Oct. 22, 2024, 9:57 a.m.

Linked vulnerabilities

CVE-2024-37085

6.8
    VMware ESXi
Published: June 25, 2024

CVE-2024-40711

9.8
    UNKNOWN
Published: September 7, 2024

CVE-2024-40766

9.8
    Sonicwall
  • Sonicos
  • Soho
  • Nssp 12400
  • Nssp 12800
  • Sm9800
  • Nsa 2650
  • Nsa 3600
  • Nsa 3650
  • Nsa 4600
  • Nsa 4650
  • Nsa 5600
  • Nsa 5650
  • Nsa 6600
  • Nsa 6650
  • Sm 9200
  • Sm 9250
  • Sm 9400
  • Sm 9450
  • Sm 9600
  • Sm 9650
  • Soho 250
  • Soho 250w
  • Sohow
  • Tz 300
  • Tz 300p
  • Tz 300w
  • Tz 350
  • Tz 350w
  • Tz 400
  • Tz 400w
  • Tz 500
  • Tz 500w
  • Tz 600
  • Tz 600p
  • Nsa 2700
  • Nsa 3700
  • Nsa 4700
  • Nsa 5700
  • Nsa 6700
  • Nssp 10700
  • Nssp 11700
  • Nssp 13700
  • Tz270
  • Tz270w
  • Tz370
  • Tz370w
  • Tz470
  • Tz470w
  • Tz570
  • Tz570p
  • Tz570w
  • Tz670
Published: August 23, 2024

Indicators

  • e3fa93dad8fb8c3a6d9b35d02ce97c22035b409e0efc9f04372f4c1d6280a481
  • ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5
  • dfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198
  • c0c0b2306d31e8962973a22e50b18dfde852c6ddf99baf849e3384ed9f07a0d6
  • bcae978c17bcddc0bf6419ae978e3471197801c36f73cff2fc88cecbe3d88d1a
  • b55fbe9358dd4b5825ce459e84cd0823ecdf7b64550fe1af968306047b7de5c9
  • abba655df92e99a15ddcde1d196ff4393a13dbff293e45f5375a2f61c84a2c7b
  • a6b0847cf31ccc3f76538333498f8fef79d444a9d4ecfca0592861cf731ae6cb
  • a546ef13e8a71a8b5f0803075382eb0311d0d8dbae3f08bac0b2f4250af8add0
  • 9f393516edf6b8e011df6ee991758480c5b99a0efbfd68347786061f0e04426c
  • 95477703e789e6182096a09bc98853e0a70b680a4f19fa2bf86cbb9280e8ec5a
  • 8e9a33809b9062c5033928f82e8adacbef6cd7b40e73da9fcf13ec2493b4544c
  • 88da2b1cee373d5f11949c1ade22af0badf16591a871978a9e02f70480e547b2
  • 8816caf03438cd45d7559961bf36a26f26464bab7a6339ce655b7fbad68bb439
  • 78d75669390e4177597faf9271ce3ad3a16a3652e145913dbfa9a5951972fcb0
  • 68d5944d0419bd123add4e628c985f9cbe5362ee19597773baea565bff1a6f1a
  • 6005dcbe15d60293c556f05e98ed9a46d398a82e5ca4d00c91ebec68a209ea84
  • 566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739
  • 43c5a487329f5d6b4a6d02e2f8ef62744b850312c5cb87c0a414f3830767be72
  • 3805f299d33ef43d17a5a1040149f0e5e2d5db57ec6f03c5687ac23db1f77a30
  • 2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83
  • 2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77
  • 28cea00267fa30fb63e80a3c3b193bd9cd2a3d46dd9ae6cede5f932ac15c7e2e
  • 0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c
  • 988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42
  • 87b4020bcd3fad1f5711e6801ca269ef5852256eeaf350f4dde2dc46c576262d
  • 9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065
  • 7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be
  • 3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75
  • 131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07
  • c9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0
  • 0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d
  • 678ec8734367c7547794a604cc65e74a0f42320d85a6dce20c214e3b4536bb33
  • 6cadab96185dbe6f3a7b95cf2f97d6ac395785607baa6ed7bf363deeb59cc360
  • 1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc
  • 3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c
  • 5c62626731856fb5e669473b39ac3deb0052b32981863f8cf697ae01c80512e5
Download all indicators here!

Attack Patterns

  • Megazord
  • Akira
  • Akira
  • T1021.001
  • T1490
  • T1059.001
  • T1070.004
  • T1562.001
  • T1486
  • T1082
  • T1083
  • T1210
  • T1027
  • T1112
  • T1566
  • T1190
  • T1133
  • T1078
  • T1003
  • CVE-2024-40711
  • CVE-2024-40766
  • CVE-2024-37085
  • CVE-2023-27532
  • CVE-2023-48788
  • CVE-2023-20269
  • CVE-2023-20263
  • CVE-2020-3259

Additional Informations

  • Professional Services
  • Manufacturing