Howling Scorpius (Akira Ransomware)

Dec. 3, 2024, 4:54 p.m.

Description

Howling Scorpius, the entity behind Akira ransomware-as-a-service, has become one of the top five most active ransomware groups since emerging in early 2023. They target small to medium-sized businesses across various sectors in North America, Europe, and Australia using a double extortion strategy. The group operates Windows and Linux/ESXi encryptors, and is actively enhancing its toolkit. Their tactics include exploiting vulnerable VPN services, using valid accounts from dark web brokers, targeting RDP, and conducting spear-phishing campaigns. They employ tools like Mimikatz and LaZagne for credential access, and use WinRAR, WinSCP, RClone, and FileZilla for data exfiltration. The group has also introduced new variants like Megazord and Akira v2, demonstrating ongoing development efforts.

External References

https://unit42.paloaltonetworks.com/threat-assessment-howling-scorpius-akira-ransomware
https://otx.alienvault.com/pulse/674f33517d92691127e4b3bd
Tags
ransomware
akira
raas
double extortion
megazord
2024-12-03
howling scorpius

Date

  • Created: Dec. 3, 2024, 4:35 p.m.
  • Published: Dec. 3, 2024, 4:35 p.m.
  • Modified: Dec. 3, 2024, 4:54 p.m.

Linked vulnerabilities

CVE-2024-0012

9.8
    Paloaltonetworks
  • Pan-Os
Published: November 18, 2024

CVE-2024-9474

7.2
    Paloaltonetworks
  • Pan-Os
Published: November 18, 2024

Indicators

  • e702a572b514984deacaa54408059c6eac28e46111cb6f0f4190a3a6a72dd41d
  • cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8
  • 9f873c29a38dd265decb6517a2a1f3b5d4f90ccd42eb61039086ea0b5e74827e
  • 7ca3e6b4dd4d98506faa92ab590108cacb2945b8c27dcf1ac75b0df4a206493a
  • 74f497088b49b745e6377b32ed5d9dfaef3c84c7c0bb50fabf30363ad2e0bfb1
  • 6a5e547756ef1256f1eb9df0249245c35461affd009be8f046559bc007cafcf2
  • 67f82a54ea49c6f286681d179cc7afc8b41b6b34284cc17bdd52916cc3656160
  • 5f72bdb14e138f10c1658248fdaf10db2fd1e812240966e009bbcf8d463e099c
  • 58e9cd249d947f829a6021cf6ab16c2ca8e83317dbe07a294e2035bb904d0cf3
  • 56f1014eb2d145c957f9bc0843f4e506735d7821e16355bcfbb6150b1b5f39db
  • 3dc7d4023c7380ed740ac5ac7d82a4ba6f587f430b2b7b66f1d34a44f89c39cb
  • 3999a25f8f0fd8252aa9250fa9bd70aae202f181812cc6c230c8ea2842340f18
  • 300bc2769c6d62ba9d228cc45e126cd458e1a23fd23092da258053afd82f2755
  • 2db4a15475f382e34875b37d7b27c3935c7567622141bc203fde7fe602bc8643
  • 2727c73f3069457e9ad2197b3cda25aec864a2ab8da3c2790264d06e13d45c3d
  • 1ba1ccfacffbb6be9480380f5535a30d3eee1dd7787f3c649ebf8ea2a6a5de51
  • 08207409e1d789aea68419b04354184490ce46339be071c6c185c75ab9d08cba
  • e3fa93dad8fb8c3a6d9b35d02ce97c22035b409e0efc9f04372f4c1d6280a481
  • dfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198
  • c0c0b2306d31e8962973a22e50b18dfde852c6ddf99baf849e3384ed9f07a0d6
  • bcae978c17bcddc0bf6419ae978e3471197801c36f73cff2fc88cecbe3d88d1a
  • b55fbe9358dd4b5825ce459e84cd0823ecdf7b64550fe1af968306047b7de5c9
  • a6b0847cf31ccc3f76538333498f8fef79d444a9d4ecfca0592861cf731ae6cb
  • 9f393516edf6b8e011df6ee991758480c5b99a0efbfd68347786061f0e04426c
  • 95477703e789e6182096a09bc98853e0a70b680a4f19fa2bf86cbb9280e8ec5a
  • 8e9a33809b9062c5033928f82e8adacbef6cd7b40e73da9fcf13ec2493b4544c
  • 8816caf03438cd45d7559961bf36a26f26464bab7a6339ce655b7fbad68bb439
  • 68d5944d0419bd123add4e628c985f9cbe5362ee19597773baea565bff1a6f1a
  • 6005dcbe15d60293c556f05e98ed9a46d398a82e5ca4d00c91ebec68a209ea84
  • 43c5a487329f5d6b4a6d02e2f8ef62744b850312c5cb87c0a414f3830767be72
  • 3805f299d33ef43d17a5a1040149f0e5e2d5db57ec6f03c5687ac23db1f77a30
  • 2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83
  • 28cea00267fa30fb63e80a3c3b193bd9cd2a3d46dd9ae6cede5f932ac15c7e2e
  • 0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c
  • 9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065
  • 7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be
  • 3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75
  • 131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07
  • c9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0
  • 82e25f32e01f1898ccce2b6d5292245759733c22a104443a8a9c7db1ebf05c57
  • 0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d
  • 1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296
  • 678ec8734367c7547794a604cc65e74a0f42320d85a6dce20c214e3b4536bb33
  • 1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc
Download all indicators here!

Attack Patterns

  • Akira - S1129
  • Megazord
  • Howling Scorpius
  • T1003.003
  • T1558.003
  • T1021.002
  • T1021.001
  • T1490
  • T1018
  • T1070.004
  • T1562.001
  • T1489
  • T1486
  • T1016
  • T1082
  • T1057
  • T1053
  • T1566
  • T1190
  • T1078
  • T1003
  • CVE-2024-0012
  • CVE-2024-9474
  • CVE-2023-20269
  • CVE-2020-3259

Additional Informations

  • Pharmaceuticals
  • Consulting
  • Technology
  • Education
  • Telecommunications
  • Government
  • Manufacturing
  • Australia
  • Canada
  • United States of America