Akira Ransomware Blog

Unraveling Akira Ransomware

Emerging Ransomware Strain Quickly Expanding its List of Victims

Ransomware is a grave cybersecurity threat and is currently one of the most effective cybercrimes causing organizational problems. It has proven to be highly profitable for cybercriminals, resulting in severe consequences such as financial loss, data loss, and damage to the reputation of the targeted entities.

Over time, Cyble Research and Intelligence Labs (CRIL) has continuously examined and shared information regarding the most dominant and active ransomware groups while offering recommendations to prevent such incidents from occurring again.

Recently, CRIL came across a Reddit post about a new ransomware variant named “Akira”, actively targeting numerous organizations and exposing their sensitive data. To increase the chances of payment from victims, Akira ransomware exfiltrates and encrypts their data using a double-extortion technique. The attackers then threaten to sell or leak the stolen data on the dark web if the ransom is not paid for decrypting the data.

Akira ransomware emerged in April 2023 and has already impacted over 15 publicly disclosed victims, with the majority located in the United States. These victims represent a variety of industries, such as BFSI, Construction, Education, Healthcare, Manufacturing, and others.

Figure 1 – Akira Ransomware’s Victim Distribution

Multiple options on the Akira ransomware leak site’s homepage allow users to access the most recent news, leaked data, and other functions, as shown in the image below.

Figure 2 – Akira ransomware Leaksite

Technical Analysis

We have taken the below sample hash for this analysis:

(SHA256), 3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c,

which is a console-based 64-bit executable written in Microsoft Visual C/C++ compiler, as shown below.

Figure 3 – File details

When the ransomware is executed, it uses the API function GetLogicalDriveStrings() to obtain a list of the logical drives currently available in the system, as shown in the figure below.

Figure 4 – GetLogicalDriveStringsW() API

Then, the malware drops a ransom note in multiple folders with the file name “akira_readme.txt”. The contents of the ransom note are illustrated in the below figure.

Figure 5 – Malware Writing Ransom Notes

After dropping the ransom note, the ransomware searches for files and directories to encrypt by iterating through them using the API functions FindFirstFileW() and FindNextFileW().

The ransomware excludes the below file extensions and file/folder names from encryption.

File extensionFile namesFolder names
.exe
.dll
.sys
.msi
.lnk
.akira
akira_readme.txt
Bootmgr
BOOTNXT
DumpStack.log.tmp
pagefile.sys swapfile.sys ntuser.dat
tmp
winnt
temp
thumb
$Recycle.Bin
$RECYCLE.BIN
System Volume
Information Boot
Windows Trend Micro
ProgramData

Encryption

The ransomware utilizes the “Microsoft Enhanced RSA and AES Cryptographic Provider” libraries to encrypt the victim’s machine. The malware employs several functions from CryptoAPI, including CryptAcquireContextW(), CryptImportPublicKeyInfo(), CryptGenRandom(), and CryptEncrypt().

Figure 6 – Encryption

As mentioned earlier, Akira ransomware uses the RSA and AES encryption algorithms, and it comes with a fixed hardcoded base64 encoded public key, as shown below.

Figure 7 – RSA Public key

The malware renames the encrypted files with the “.akira” extension in the next step.

The figure below shows the files encrypted by Akira ransomware after the successful infection of a victim’s machine.

Figure 8 – Files encrypted by Akira Ransomware

Additionally, the ransomware utilizes a PowerShell command, shown in Figure 9, to execute a WMI query that deletes the shadow copy, preventing system restoration.

Figure 9 – PowerShell command to Delete Shadow copies

The dropped ransom note provides instructions to the victims on how they can get in touch with the Akira Ransomware Gang to initiate negotiations for the ransom.

The operators responsible for the Akira ransomware often threaten their victims, claiming to have exfiltrated a large amount of corporate data before encrypting it. They also warn of their intention to sell personal information, trade secrets, databases, and source codes on the dark web market.

Additionally, they threaten to expose the stolen information publicly through their blog (accessible via an Onion site) if the ransom demand is not met.

Figure 10 – Ransom note

Figure 11 depicts an Onion site belonging to Akira ransomware, which requires a code (mentioned in the ransom note) to initiate communication or request assistance from the Threat Actor.

Figure 11 – Chat window

The Akira ransomware homepage features a ‘news’ command that reveals a comprehensive list of 16 victim organizations targeted by the group as of May 5th. The stolen information is summarized for each organization and can be viewed on the same page.

The corresponding figure is provided below.

Figure 12 – “news” command on the Akira ransomware leak site displays a list of victims

On the Akira ransomware homepage, a command called ‘leaks’ provides a list of organizations targeted by the group that did not pay the demanded ransom (5 victims as of now).

The leaked data associated with each organization is available for download and includes the organization’s name and a brief description.

Figure 13 –  Akira ransomware leak sites’ “leaks” command exhibits the data leaked by victims

Conclusion

Akira ransomware is a newly discovered strain that has mainly affected victims in the United States and Canada. This ransomware group actively targets businesses and demands a significant amount of money in exchange for decryption keys.

As organizations implement security measures to defend against ransomware attacks, there is a corresponding rise in the number of new ransomware groups emerging. These groups continuously adapt their strategies and expand their operations to maximize profits.

Cyble Research & Intelligence Labs (CRIL) continuously monitors new ransomware campaigns to keep our readers updated with our latest findings.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users Should Take the Following Steps After the Ransomware Attack

  • Detach infected devices on the same network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

Impact of Akira Ransomware

  • Loss of valuable data.
  • Loss of the organization’s reputation and integrity.
  • Loss of the organization’s sensitive business information.
  • Disruption in organization operation.
  • Financial loss.

MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name 
Execution T1204 
T1047
T1059
User Execution
Windows Management Instrumentation
PowerShell
Defense EvasionT1497
T1027
Virtualization/Sandbox Evasion
Obfuscated Files or Information
Discovery   T1057
T1012
T1082
T1083
Process Discovery
Query Registry
System Information Discovery
File and Directory Discovery
Impact  T1486 
T1490 
Data Encrypted for Impact 
Inhibit System Recovery

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
c7ae7f5becb7cf94aa107ddc1caf4b03
923161f345ed3566707f9f878cc311bc6a0c5268
3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c
MD5
SHA1
SHA256
Akira Ransomware
Exe

Comments are closed.

Scroll to Top