Today > | 1 Medium vulnerabilities   -   You can now download lists of IOCs here!

Threat Brief: Understanding Akira Ransomware

Oct. 4, 2024, 12:30 p.m.

Description

Akira is a prolific ransomware operating since March 2023, targeting multiple industries in North America, the UK, and Australia. It functions as Ransomware as a Service (RaaS) and employs double extortion tactics. Akira has connections to the disbanded Conti group, sharing code similarities and operator overlaps. The ransomware uses various techniques for initial access, including compromised credentials and vulnerability exploitation. It performs reconnaissance, lateral movement, and employs tools for credential dumping and defense evasion. Akira exfiltrates data before encryption and destroys system backups. The ransomware uses the ChaCha algorithm for file encryption and creates a log file of its execution. It accepts command-line arguments to define its behavior and uses Windows restart manager APIs to terminate processes.

Date

Published: Oct. 4, 2024, 10:04 a.m.

Created: Oct. 4, 2024, 10:04 a.m.

Modified: Oct. 4, 2024, 12:30 p.m.

Indicators

b5e757f5e240af04057131ab6868a7716c46fa5abf697f2927199d1b84706c23

988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42

87b4020bcd3fad1f5711e6801ca269ef5852256eeaf350f4dde2dc46c576262d

Attack Patterns

Akira

Akira

T1564.006

T1491.001

T1564.002

T1021.001

T1018

T1486

T1082

T1083

T1020

T1219

T1560

T1190

T1133

T1078

T1003

CVE-2019-6693

CVE-2022-40684

CVE-2023-20269

CVE-2021-21972

Additional Informations

Technology

Healthcare

Finance

Government

Manufacturing

Australia

United Kingdom of Great Britain and Northern Ireland

United States of America