Akira Ransomware: A Shifting Force in the RaaS Domain
Summary:
Since its inception in March 2023, Akira has grown to be one of the most prolific ransomware groups out there. Akira operates under a Ransomware-as-a-Service (RaaS) model in which affiliates or other cybercriminals are hired to gain initial access to victim environments and deploy the group’s ransomware strain, in exchange for a portion of the ransom paid by victims. This model has worked in Akira’s favor, with the group compromising more than 300 victims in 2024 alone. Akira's victims include a variety of organizations, such as those in manufacturing, engineering, agriculture, financial services, and higher education. The majority of its targets are based in Western countries, with the United States being the largest victim demographic, followed by Canada, the United Kingdom, and Germany.
Akira ransomware gains initial access by exploiting vulnerabilities in firewall and VPN products, cloud services, and other externally facing applications. Notable flaws such as CVE-2024-37085 (affecting ESXi servers) and CVE-2024-40711 (impacting Veeam’s backup service) were used in its recent campaigns. The group has also targeted SonicWall products (CVE-2024-40766) and leveraged compromised credentials, sometimes purchased through Initial Access Brokers. During discovery, Akira performs reconnaissance with tools like IP scanners and AdFind to gather Active Directory data and other system details. For persistence, Akira modifies system settings and creates accounts to maintain access, often through weaknesses in Domain Controllers. The group also uses tools such as mimikatz to extract credentials, which are then used to move laterally through networks.
Security Officer Comments:
Operators of Akira are continuously updating their ransomware strain, with the group’s encryptor going through several iterations since 2023. Initially, in 2023, Akira focused on Windows systems with a C++-based ransomware that appended the .akira extension to encrypted files. Later that year, the group shifted to Linux systems and VMware ESXi servers with a Rust-based payload known as Akira v2, which appended the .akiranew extension and targeted a broader range of file types. By 2024, Akira's ransomware returned to its C++ roots, reintroducing the .akira extension, while also incorporating the ChaCha8 algorithm for fast, robust encryption. Overall, the various iterations of Akira’s encryptor have enabled the group to target a diverse range of systems, extending well beyond Windows. Each new variant has demonstrated increasing efficiency in file encryption and enhanced capabilities to evade detection and defenses.
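A defender-side illustration of the tradecraft described in the summary and the comments above, added here as an example and not code from Bitdefender's report: a small Python detector run over constructed, simplified telemetry (the field names and sample events are assumptions) that flags AdFind/mimikatz execution, new account creation, and files renamed with the .akira or .akiranew extension, then escalates any principal seen across several of those stages.

```python
import re

# Constructed sample telemetry (not from the original report): simplified
# process-creation, account-creation and file-rename events as a SIEM might
# normalise them. Field names are assumptions made for this example.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "user": "jdoe",
     "image": r"C:\Tools\AdFind.exe", "cmdline": "AdFind.exe -f objectcategory=computer"},
    {"type": "process", "host": "dc01", "user": "svc_backup",
     "image": r"C:\Temp\mimikatz.exe", "cmdline": "mimikatz.exe sekurlsa::logonpasswords"},
    {"type": "account_created", "host": "dc01", "user": "svc_backup", "target": "helpdesk2"},
    {"type": "file_rename", "host": "fs01", "user": "svc_backup", "path": r"D:\Share\q3.xlsx.akira"},
    {"type": "file_rename", "host": "fs01", "user": "svc_backup", "path": r"D:\Share\report.docx"},
    {"type": "process", "host": "ws02", "user": "alice",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# Tooling named in the report's discovery and credential-access phases.
RECON_TOOLS = re.compile(r"(?:^|\\)(adfind|mimikatz)\.exe$", re.IGNORECASE)
# Extensions appended by the 2023 C++ encryptor (.akira) and Akira v2 (.akiranew).
RANSOM_EXT = re.compile(r"\.(akira|akiranew)$", re.IGNORECASE)


def classify(event):
    """Return an ATT&CK-style stage label for one event, or None if benign."""
    if event["type"] == "process" and RECON_TOOLS.search(event["image"]):
        return "discovery_or_credential_access"
    if event["type"] == "account_created":
        return "persistence_new_account"
    if event["type"] == "file_rename" and RANSOM_EXT.search(event["path"]):
        return "impact_akira_extension"
    return None


def detect(events):
    """Return (label, host, user) for every event matching an Akira-like TTP."""
    return [(label, e["host"], e["user"]) for e in events if (label := classify(e))]


def escalate(hits, threshold=3):
    """Principals seen in at least `threshold` distinct stages. One suspicious
    tool alone is noisy; discovery + persistence + impact from the same account
    is the chain the report describes and warrants immediate response."""
    stages = {}
    for label, _host, user in hits:
        stages.setdefault(user, set()).add(label)
    return {u for u, s in stages.items() if len(s) >= threshold}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(*h)
    print("escalate:", escalate(hits))
```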
Suggested Corrections:
Back up your data, system images, and configurations, test the backups regularly, and keep them offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because, if your network data is encrypted by ransomware, your organization can still restore its systems.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.
Link(s):
https://www.bitdefender.com/en-us/b...ansomware-a-shifting-force-in-the-raas-domain