Threat Brief: Understanding Akira Ransomware

Oct. 4, 2024, 12:30 p.m.

Description

Akira is a prolific ransomware family active since March 2023, targeting multiple industries in North America, the UK, and Australia. It operates as Ransomware as a Service (RaaS) and employs double-extortion tactics. Akira has connections to the disbanded Conti group, with which it shares code similarities and operator overlaps. The ransomware uses various techniques for initial access, including compromised credentials and vulnerability exploitation. Once inside, the operators perform reconnaissance and lateral movement and use tools for credential dumping and defense evasion. Akira exfiltrates data before encryption and destroys system backups. The ransomware uses the ChaCha algorithm for file encryption and writes a log file of its execution. It accepts command-line arguments that define its behavior and uses the Windows Restart Manager APIs to terminate processes that hold locks on files it intends to encrypt.

Date

  • Created: Oct. 4, 2024, 10:04 a.m.
  • Published: Oct. 4, 2024, 10:04 a.m.
  • Modified: Oct. 4, 2024, 12:30 p.m.

Indicators

  • b5e757f5e240af04057131ab6868a7716c46fa5abf697f2927199d1b84706c23
  • 988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42
  • 87b4020bcd3fad1f5711e6801ca269ef5852256eeaf350f4dde2dc46c576262d

Attack Patterns

Additional Information

  • Technology
  • Healthcare
  • Finance
  • Government
  • Manufacturing
  • Australia
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America

Linked vulnerabilities