Howling Scorpius (Akira Ransomware)
Dec. 3, 2024, 4:54 p.m.
Tags
External References
Description
Howling Scorpius, the entity behind Akira ransomware-as-a-service, has become one of the top five most active ransomware groups since emerging in early 2023. They target small to medium-sized businesses across various sectors in North America, Europe, and Australia using a double extortion strategy. The group operates Windows and Linux/ESXi encryptors, and is actively enhancing its toolkit. Their tactics include exploiting vulnerable VPN services, using valid accounts from dark web brokers, targeting RDP, and conducting spear-phishing campaigns. They employ tools like Mimikatz and LaZagne for credential access, and use WinRAR, WinSCP, RClone, and FileZilla for data exfiltration. The group has also introduced new variants like Megazord and Akira v2, demonstrating ongoing development efforts.
Date
Published: Dec. 3, 2024, 4:35 p.m.
Created: Dec. 3, 2024, 4:35 p.m.
Modified: Dec. 3, 2024, 4:54 p.m.
Indicators
e702a572b514984deacaa54408059c6eac28e46111cb6f0f4190a3a6a72dd41d
cc970bd2673e46c7e0df5430ab617bc2a9214b4d5c2c44252af681a08ff526a8
9f873c29a38dd265decb6517a2a1f3b5d4f90ccd42eb61039086ea0b5e74827e
7ca3e6b4dd4d98506faa92ab590108cacb2945b8c27dcf1ac75b0df4a206493a
74f497088b49b745e6377b32ed5d9dfaef3c84c7c0bb50fabf30363ad2e0bfb1
6a5e547756ef1256f1eb9df0249245c35461affd009be8f046559bc007cafcf2
67f82a54ea49c6f286681d179cc7afc8b41b6b34284cc17bdd52916cc3656160
5f72bdb14e138f10c1658248fdaf10db2fd1e812240966e009bbcf8d463e099c
58e9cd249d947f829a6021cf6ab16c2ca8e83317dbe07a294e2035bb904d0cf3
56f1014eb2d145c957f9bc0843f4e506735d7821e16355bcfbb6150b1b5f39db
3dc7d4023c7380ed740ac5ac7d82a4ba6f587f430b2b7b66f1d34a44f89c39cb
3999a25f8f0fd8252aa9250fa9bd70aae202f181812cc6c230c8ea2842340f18
300bc2769c6d62ba9d228cc45e126cd458e1a23fd23092da258053afd82f2755
2db4a15475f382e34875b37d7b27c3935c7567622141bc203fde7fe602bc8643
2727c73f3069457e9ad2197b3cda25aec864a2ab8da3c2790264d06e13d45c3d
1ba1ccfacffbb6be9480380f5535a30d3eee1dd7787f3c649ebf8ea2a6a5de51
08207409e1d789aea68419b04354184490ce46339be071c6c185c75ab9d08cba
e3fa93dad8fb8c3a6d9b35d02ce97c22035b409e0efc9f04372f4c1d6280a481
dfe6fddc67bdc93b9947430b966da2877fda094edf3e21e6f0ba98a84bc53198
c0c0b2306d31e8962973a22e50b18dfde852c6ddf99baf849e3384ed9f07a0d6
bcae978c17bcddc0bf6419ae978e3471197801c36f73cff2fc88cecbe3d88d1a
b55fbe9358dd4b5825ce459e84cd0823ecdf7b64550fe1af968306047b7de5c9
a6b0847cf31ccc3f76538333498f8fef79d444a9d4ecfca0592861cf731ae6cb
9f393516edf6b8e011df6ee991758480c5b99a0efbfd68347786061f0e04426c
95477703e789e6182096a09bc98853e0a70b680a4f19fa2bf86cbb9280e8ec5a
8e9a33809b9062c5033928f82e8adacbef6cd7b40e73da9fcf13ec2493b4544c
8816caf03438cd45d7559961bf36a26f26464bab7a6339ce655b7fbad68bb439
68d5944d0419bd123add4e628c985f9cbe5362ee19597773baea565bff1a6f1a
6005dcbe15d60293c556f05e98ed9a46d398a82e5ca4d00c91ebec68a209ea84
43c5a487329f5d6b4a6d02e2f8ef62744b850312c5cb87c0a414f3830767be72
3805f299d33ef43d17a5a1040149f0e5e2d5db57ec6f03c5687ac23db1f77a30
2f629395fdfa11e713ea8bf11d40f6f240acf2f5fcf9a2ac50b6f7fbc7521c83
28cea00267fa30fb63e80a3c3b193bd9cd2a3d46dd9ae6cede5f932ac15c7e2e
0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c
9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065
7f731cc11f8e4d249142e99a44b9da7a48505ce32c4ee4881041beeddb3760be
3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75
131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07
c9c94ac5e1991a7db42c7973e328fceeb6f163d9f644031bdfd4123c7b3898b0
82e25f32e01f1898ccce2b6d5292245759733c22a104443a8a9c7db1ebf05c57
0c0e0f9b09b80d87ebc88e2870907b6cacb4cd7703584baf8f2be1fd9438696d
1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296
678ec8734367c7547794a604cc65e74a0f42320d85a6dce20c214e3b4536bb33
1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc
Attack Patterns
Akira - S1129
Megazord
Howling Scorpius
T1003.003
T1558.003
T1021.002
T1021.001
T1490
T1018
T1070.004
T1562.001
T1489
T1486
T1016
T1082
T1057
T1053
T1566
T1190
T1078
T1003
CVE-2024-0012
CVE-2024-9474
CVE-2023-20269
CVE-2020-3259
Additional Informations
Pharmaceuticals
Consulting
Technology
Education
Telecommunications
Government
Manufacturing
Australia
Canada
United States of America