Authorities Issue Warning with #StopRansomware Featuring Akira Ransomware

The Akira ransomware gang recognized as a prominent cyber threat by international cybersecurity authorities, including the FBI, CISA, Europol's EC3, and the Netherlands' NCSC-NL, has been actively compromising organizations across North America, Europe, and Australia. Since its emergence in March 2023, Akira is tracked to have executed over 250 attacks against organizations, leading to financial gains 'claimed' at around $42 million from ransom payments. The group's rapid escalation and broad targeting underscore its capabilities and the severe threat it poses to a wide range of sectors particularly industries associated with critical infrastructure.

Akira employs a comprehensive array of tactics, techniques, and procedures (TTPs), exploiting vulnerabilities in widely used technologies such as VMware ESXi virtual machines and Windows systems. The group often gains initial access through phishing, exploiting VPN services lacking multifactor authentication, and capitalizing on known vulnerabilities like Cisco's CVE-2020-3259 and CVE-2023-20269. During the post-compromise stages, Akira establishes persistence by creating new accounts such as 'itadm,' which is specifically associated with the group. Several strategies are then employed to harvest credentials, including dumping credentials from the Local Security Authority Subsystem Service (LSASS) and using well-known tools like Mimikatz and LaZagne. They also conduct system enumerations using native Windows commands and tools such as AdFind, Advanced IP Scanner, PcHunter64, and SoftPerfect Network Scanner.

To further circumvent defenses, Akira uses PowerTool and techniques involving Bring Your Own Vulnerable Driver (BYOVD) to disable security monitoring solutions. The ransomware operators use data exfiltration tools such as FileZilla, WinRAR, WinSCP, and RClone, and establish command and control channels with commonly used tools like AnyDesk, MobaXterm, RustDesk, Ngrok, and Cloudflare Tunnel. These facilitate the transfer of stolen data via protocols like FTP, SFTP, and cloud storage services such as Mega, linking to their exfiltration servers. Akira's operations are completed with the deployment of the Rust-based encryptor, Megazord with encrypted files having a .powerranges extension.

Beyond financial losses, Akira's activities pose severe risks of data breaches and operational disruptions. Following the takedown of LockBit, there was a noted increase in operators within the Akira ransomware gang. According to RedSense co-founder Yelisey Bohuslavskiy, this influx is not merely a rebranding but indicates a sharing of methodologies among cyber criminals. Bohuslavskiy also points to Akira's connection with the post-Conti leadership and developers from the Ryuk ransomware, suggesting a convergence of expertise and malicious techniques.