Akira Ransomware Escalates Threat with Expanding Cyber Attacks

The emergence of the Akira ransomware group as a significant cybersecurity threat has been closely documented by Sophos MDR Threat Intelligence, specifically through the insights of analyst Morgan Demboski. Demboski's detailed analysis of Akira's sophisticated attack chain is based on Sophos's active responses to incidents involving this ransomware group. This analysis provides vital information about the group's tactics, techniques, and procedures (TTPs) to aid security detection and defense. Active since early 2023, Akira primarily targets small to medium-sized businesses across various sectors, including government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunication in Europe, North America, and Australia. Akira has shown a high level of proficiency in conducting complex cyber attacks with evolving tactics. In one instance analyzed by Sophos, Akira operators were observed deploying the Megazord ransomware variant. A timeline provided by Sophos highlights a significant escalation in Akira's activities from April to November 2023.

The attack chain of Akira ransomware begins with initial access, often through unauthorized VPN logons lacking multi-factor authentication. This is especially prevalent with certain Cisco VPN products. Akira actors have also exploited known vulnerabilities like CVE-2023-20269 to gain initial access. Upon entry, they focus on credential access, using methods like dumping LSASS process memory and accessing Active Directory databases to obtain user credentials. These actions are integral for the actors to advance their control within the network.

Akira actors predominantly use Remote Desktop Protocol (RDP) along with SMB for lateral movement, leveraging valid local administrator accounts. Illustrating Akira's excessive use of RDP for lateral movement, Sophos reported: "the threat actors used RDP over 100 times between initial access and ransomware deployment to gain access to a total of 15 machines." Their persistence tactics include creating new user accounts and adding them to security-enabled local groups. Regarding defense evasion, Akira actors attempt to disable or uninstall security protections, including Sophos endpoint protections. Command and control are often established using dual-use agents like AnyDesk, with Akira actors using various tools for data exfiltration, including WinRAR, WinSCP, rclone, and MEGA.

The impact of Akira ransomware is significant, with the encryption of files across target networks and the deployment of ransomware binaries, with observed file names of w.exe, Lck.exe, 1.exe, and locker.exe. The actors' methods have evolved to prioritize data exfiltration, likely to extort organizations with the threat of leaked data. This growing shift towards exfiltration without encryption has often been rationalized as a tactic to reduce detection risks and improve speed. Sophos' analysis of Akira ransomware provides crucial insights for cybersecurity professionals. The continuous monitoring and analysis of Akira's tactics and techniques are essential for developing effective defenses against such ransomware attacks.