Threat Brief: Understanding Akira Ransomware
Oct. 4, 2024, 12:30 p.m.
Description
Akira is a prolific ransomware family active since March 2023, targeting multiple industries in North America, the UK, and Australia. It operates as Ransomware as a Service (RaaS) and employs double-extortion tactics. Akira has connections to the disbanded Conti group, sharing code similarities and operator overlaps. The ransomware uses various techniques for initial access, including compromised credentials and vulnerability exploitation. It performs reconnaissance and lateral movement, and employs tools for credential dumping and defense evasion. Akira exfiltrates data before encryption and destroys system backups. The ransomware uses the ChaCha algorithm for file encryption and creates a log file of its execution. It accepts command-line arguments that define its behavior and uses the Windows Restart Manager API to terminate processes that hold files open.
Date
Published: Oct. 4, 2024, 10:04 a.m.
Created: Oct. 4, 2024, 10:04 a.m.
Modified: Oct. 4, 2024, 12:30 p.m.
Indicators
b5e757f5e240af04057131ab6868a7716c46fa5abf697f2927199d1b84706c23
988776358d0e45a4907dc1f4906a916f1b3595a31fa44d8e04e563a32557eb42
87b4020bcd3fad1f5711e6801ca269ef5852256eeaf350f4dde2dc46c576262d
Attack Patterns
Akira
T1564.006
T1491.001
T1564.002
T1021.001
T1018
T1486
T1082
T1083
T1020
T1219
T1560
T1190
T1133
T1078
T1003
CVE-2019-6693
CVE-2022-40684
CVE-2023-20269
CVE-2021-21972
Additional Information
Technology
Healthcare
Finance
Government
Manufacturing
Australia
United Kingdom of Great Britain and Northern Ireland
United States of America