Akira ransomware continues to evolve

Oct. 22, 2024, 9:57 a.m.

Description

Akira ransomware remains a prominent threat whose tradecraft keeps shifting. The group began as a double-extortion operation (encrypt the estate, then threaten to leak stolen data), pivoted in early 2024 toward extortion based on data exfiltration alone, and has since returned to encryption combined with data theft. Along the way it rewrote its VMware ESXi encryptor in Rust, moving away from the C++ code base of the original encryptor. For initial access and lateral movement the group leans on exploitation of known vulnerabilities, in particular edge VPN appliances, backup servers and the hypervisor itself (see the CVEs listed under Attack Patterns), and its victims concentrate in manufacturing and professional services. The current encryptor uses ChaCha8, a reduced-round ChaCha variant, trading cryptographic margin for speed; for defenders the practical consequence is a shorter window between first execution and large-scale data loss. Akira is likely to keep prioritising high-impact CVEs and attacks against VMware ESXi and Linux environments, adapting its tooling to stay operationally stable and effective.

Linked vulnerabilities

Indicators (SHA-256 file hashes)

  • e3fa93dad8fb8c3a6d9b35d02ce97c22035b409e0efc9f04372f4c1d6280a481
  • ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5
  • dfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198
  • c0c0b2306d31e8962973a22e50b18dfde852c6ddf99baf849e3384ed9f07a0d6
  • bcae978c17bcddc0bf6419ae978e3471197801c36f73cff2fc88cecbe3d88d1a
  • b55fbe9358dd4b5825ce459e84cd0823ecdf7b64550fe1af968306047b7de5c9
  • abba655df92e99a15ddcde1d196ff4393a13dbff293e45f5375a2f61c84a2c7b
  • a6b0847cf31ccc3f76538333498f8fef79d444a9d4ecfca0592861cf731ae6cb
  • a546ef13e8a71a8b5f0803075382eb0311d0d8dbae3f08bac0b2f4250af8add0
  • 9f393516edf6b8e011df6ee991758480c5b99a0efbfd68347786061f0e04426c
  • 95477703e789e6182096a09bc98853e0a70b680a4f19fa2bf86cbb9280e8ec5a
  • 8e9a33809b9062c5033928f82e8adacbef6cd7b40e73da9fcf13ec2493b4544c
  • 88da2b1cee373d5f11949c1ade22af0badf16591a871978a9e02f70480e547b2
  • 8816caf03438cd45d7559961bf36a26f26464bab7a6339ce655b7fbad68bb439
  • 78d75669390e4177597faf9271ce3ad3a16a3652e145913dbfa9a5951972fcb0
  • 68d5944d0419bd123add4e628c985f9cbe5362ee19597773baea565bff1a6f1a
  • 6005dcbe15d60293c556f05e98ed9a46d398a82e5ca4d00c91ebec68a209ea84
  • 566ef5484da0a93c87dd0cb0a950a7cff4ab013175289cd5fccf9dd7ea430739
  • 43c5a487329f5d6b4a6d02e2f8ef62744b850312c5cb87c0a414f3830767be72
  • 3805f299d33ef43d17a5a1040149f0e5e2d5db57ec6f03c5687ac23db1f77a30
  • 2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83
  • 2c7aeac07ce7f03b74952e0e243bd52f2bfa60fadc92dd71a6a1fee2d14cdd77
  • 28cea00267fa30fb63e80a3c3b193bd9cd2a3d46dd9ae6cede5f932ac15c7e2e
  • 0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c
  • 988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42
  • 87b4020bcd3fad1f5711e6801ca269ef5852256eeaf350f4dde2dc46c576262d
  • 9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065
  • 7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be
  • 3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75
  • 131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07
  • c9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0
  • 0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d
  • 678ec8734367c7547794a604cc65e74a0f42320d85a6dce20c214e3b4536bb33
  • 6cadab96185dbe6f3a7b95cf2f97d6ac395785607baa6ed7bf363deeb59cc360
  • 1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc
  • 3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c
  • 5c62626731856fb5e669473b39ac3deb0052b32981863f8cf697ae01c80512e5
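The hashes above are only useful if they are actually swept against hosts and file shares. The following is an added example (not code from the original page or from any vendor): a small Python hunter that walks a directory tree, hashes every regular file in chunks and reports matches against the Indicators list. Only a handful of the hashes are embedded here; extend `AKIRA_SHA256` with the remaining entries before a real hunt. The constructed `self_check()` uses a benign sample file whose own hash is added to the set, since no benign file can collide with a real malware hash.

```python
"""Sweep a directory tree for files whose SHA-256 matches the Akira IOC list.

Added example; not part of the original threat-intel page. The hash set
below is a subset copied from the Indicators section; extend it with the
remaining entries from that list before a real hunt.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Iterable

# Subset of the SHA-256 indicators listed above (copied verbatim).
AKIRA_SHA256 = frozenset({
    "e3fa93dad8fb8c3a6d9b35d02ce97c22035b409e0efc9f04372f4c1d6280a481",
    "ccda8247360a85b6c076527e438a995757b6cdf5530f38e125915d31291c00d5",
    "dfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198",
    "c0c0b2306d31e8962973a22e50b18dfde852c6ddf99baf849e3384ed9f07a0d6",
    "bcae978c17bcddc0bf6419ae978e3471197801c36f73cff2fc88cecbe3d88d1a",
})


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large VMDK/ISO files do not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, ioc_hashes: Iterable[str]):
    """Return sorted [(path, sha256)] for every regular file under root whose
    hash is in ioc_hashes.

    Symlinks are not followed (avoids loops and double-hashing) and unreadable
    files are skipped rather than aborting the whole sweep.
    """
    wanted = {h.lower() for h in ioc_hashes}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath, name)
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # permission denied, file vanished mid-scan, etc.
            if digest in wanted:
                hits.append((str(p), digest))
    return sorted(hits)


def self_check():
    """Constructed end-to-end check: a benign sample file is flagged only when
    its own hash is added to the IOC set.

    Returns (hits_with_sample_hash_as_(name, hash), hits_without, sample_hash).
    """
    payload = b"constructed benign sample, not malware"
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d, "sample.bin")
        sample.write_bytes(payload)
        sample_hash = hashlib.sha256(payload).hexdigest()
        with_hash = scan_tree(d, AKIRA_SHA256 | {sample_hash})
        without = scan_tree(d, AKIRA_SHA256)
    return [(Path(p).name, h) for p, h in with_hash], without, sample_hash


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in scan_tree(root, AKIRA_SHA256):
        print(f"MATCH {digest} {path}")
```

Run it as `python akira_hunt.py /mnt/share` (the filename is an assumption). Hash matching is the weakest form of detection: a recompiled or repacked encryptor produces a fresh hash, so treat a clean sweep as absence of these specific samples, not absence of Akira.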

Attack Patterns

  • Megazord (Rust-based Windows encryptor variant attributed to Akira)
  • Akira (the group's original C++ encryptor)
  • T1021.001 Remote Services: Remote Desktop Protocol
  • T1490 Inhibit System Recovery
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1070.004 Indicator Removal: File Deletion
  • T1562.001 Impair Defenses: Disable or Modify Tools
  • T1486 Data Encrypted for Impact
  • T1082 System Information Discovery
  • T1083 File and Directory Discovery
  • T1210 Exploitation of Remote Services
  • T1027 Obfuscated Files or Information
  • T1112 Modify Registry
  • T1566 Phishing
  • T1190 Exploit Public-Facing Application
  • T1133 External Remote Services
  • T1078 Valid Accounts
  • T1003 OS Credential Dumping
  • CVE-2024-40711 (Veeam Backup & Replication, deserialization leading to remote code execution)
  • CVE-2024-40766 (SonicWall SonicOS, improper access control affecting SSL VPN access)
  • CVE-2024-37085 (VMware ESXi, Active Directory integration authentication bypass)
  • CVE-2023-27532 (Veeam Backup & Replication, credential disclosure via the backup service port)
  • CVE-2023-48788 (Fortinet FortiClient EMS, SQL injection)
  • CVE-2023-20269 (Cisco ASA/FTD, unauthorised remote access VPN access)
  • CVE-2023-20263
  • CVE-2020-3259 (Cisco ASA/FTD, memory information disclosure exposing credentials)
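Of the techniques listed, T1490 (Inhibit System Recovery) is the one that most directly decides whether a victim can restore without paying, and it is also one of the easiest to alert on from process-creation telemetry. The following is an added example, not code from the original page: a Python detector run over constructed records in a simple `host|parent_image|image|command_line` form that stands in for Sysmon Event ID 1 or Windows 4688 events. The command patterns are generic shadow-copy and backup-tampering commands seen across ransomware families, not a claim about what this specific Akira build executes.

```python
"""Flag process-creation events consistent with T1490 (Inhibit System Recovery).

Added example, not from the original page. Records are constructed here in a
'host|parent_image|image|command_line' form standing in for Sysmon Event ID 1
or Windows 4688; adapt parse_line() to real telemetry. The patterns are generic
shadow-copy / backup-tampering commands, not claims about a specific sample.
"""
import re
from typing import NamedTuple


class Detection(NamedTuple):
    host: str
    rule: str
    command_line: str


# (rule name, compiled regex). Each regex requires the destructive verb so that
# read-only variants such as 'vssadmin list shadows' do not fire.
T1490_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_remove_shadowcopy",
     re.compile(r"Win32_ShadowCopy\b.*\bRemove-(?:Wmi|Cim)(?:Object|Instance)\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]


def parse_line(line: str):
    """Split one record into (host, parent, image, cmdline); None if malformed.

    maxsplit=3 keeps any '|' inside the command line (PowerShell pipelines)
    attached to the command-line field instead of breaking the record.
    """
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    host, parent, image, cmdline = parts
    return host, parent, image, cmdline


def detect_inhibit_recovery(lines):
    """Return one Detection per event whose command line matches a T1490 rule."""
    dets = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, _parent, _image, cmdline = rec
        for name, rx in T1490_RULES:
            if rx.search(cmdline):
                dets.append(Detection(host, name, cmdline))
                break  # first matching rule wins; one detection per event
    return dets


# Constructed sample telemetry (not real Akira artifacts). The first line is a
# benign read-only query and the last two must not fire either.
SAMPLE_EVENTS = r"""
WS01|C:\Windows\explorer.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
WS01|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
FS02|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
FS02|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
DC01|C:\Windows\System32\cmd.exe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled No
DC01|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
malformed line with no separators
"""


if __name__ == "__main__":
    for d in detect_inhibit_recovery(SAMPLE_EVENTS.splitlines()):
        print(f"{d.host}: {d.rule}: {d.command_line}")
```

Two caveats a practitioner will want: command-line matching is blind to encoded PowerShell (`-EncodedCommand`), so pair this with Script Block Logging (Event ID 4104), which records the decoded script; and a single shadow-copy deletion is high-fidelity but low-volume, so alert on it directly rather than thresholding.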

Additional Information

  • Professional Services
  • Manufacturing