Akira Ransomware Expands Target to Linux and VMware ESXi

Akira, a Ransomware-as-a-Service (RaaS) group, has quickly established itself as a major cybersecurity threat since emerging in March 2023. The group has executed over 300 attacks in 2024 alone, amassing more than $42 million in ransom payments as of April. Akira primarily targets critical sectors in Western nations, leveraging advanced techniques, exploiting system vulnerabilities and delivering tailored ransomware payloads designed for Windows, Linux and VMware systems. Known for its double-extortion tactics, technical expertise and ability to adapt, Akira continues to pose a persistent and evolving challenge to global cybersecurity.

Technical Description

Akira ransomware emerged in March 2023 and initially targeted companies in the US and Canada. It has since expanded, conducting over 300 attacks in 2024 alone and amassing an estimated $42 million in ransom payments. Its Tor leak site has a distinctive retro look that, according to a report from Sophos, is reminiscent of “1980s green-screen consoles” and is navigated by typing specific commands. Based on its code, it is completely different from the Akira ransomware family that was active in 2017, even though both append the same “.akira” extension to encrypted files.

Researchers found that Akira shares code similarities with Conti ransomware. However, they also noted that, because Conti’s source code was leaked, different malicious actors used it to create or tweak their own ransomware code, which makes tracing ransomware families back to Conti operators even more challenging. The group employs double extortion tactics, offering victims the choice to pay for either file decryption or data deletion. This group continues to evolve and refine its tactics, utilizing advanced and sophisticated techniques to target organizations across various industries worldwide.

Target Spectrum and Global Impact

Akira’s operations span multiple sectors, including manufacturing, engineering, financial services, agriculture and education with a primary focus on Western countries like the US, Canada, the UK and Germany. The group’s adaptability highlights its technical sophistication and structured approach. Notably, Akira’s ransomware includes a safeguard preventing execution on Russian-language systems, suggesting a possible Russian origin. This theory is reinforced by reports of its members being active on Russian cybercriminal forums since 2022, indicating both strategic targeting and efforts to evade local authorities.

Evolving Payloads for Enhanced Impact

Akira has shown an impressive ability to adapt its ransomware payloads across various operating systems, maintaining its status as a persistent threat. Initially, the group targeted Windows systems using a C++-based encryptor that appended the “.akira” extension to encrypted files. By mid-2023, Akira expanded its capabilities, introducing new payloads to broaden its reach.

  1. Linux and VMware ESXi Payloads: Acknowledging the widespread use of virtualized environments, Akira developed a Linux-based ransomware variant specifically for VMware ESXi servers. This payload was highly effective in targeting and disrupting the virtual infrastructures crucial to enterprise operations.
  2. The Megazord Variant: In August 2023, Akira introduced a new Windows payload written in Rust, a language known for its robustness and resistance to reverse engineering. This variant encrypted files with the “.powerranges” extension, marking a significant advancement in evasion tactics and technical sophistication.
  3. Akira v2: Akira v2 further refined its approach, utilizing Rust-based ransomware with enhanced encryption methods. This version specifically targeted critical enterprise files such as Exchange server databases (edb) and virtual hard disks (vhd), highlighting the group’s strategy of maximizing disruption and extortion potential. Researchers noted that the ransomware’s ability to selectively encrypt vital files made it especially dangerous in enterprise settings.

Sophisticated Techniques and Tactics

Akira’s operations align with advanced tactics outlined in the MITRE ATT&CK Framework, underscoring the group’s technical sophistication throughout multiple stages of the attack lifecycle.

  1. Initial Access: Akira exploits high-profile vulnerabilities such as CVE-2024-37085 (affecting VMware ESXi servers) and CVE-2024-40711 (impacting Veeam backup services). Additionally, the group utilizes compromised credentials obtained via Initial Access Brokers, demonstrating a multi-faceted approach to breaching target networks.
  2. Discovery: Akira conducts essential discovery and host reconnaissance by deploying tools like IP scanners and AdFind to query and gather information from the Active Directory environment. The group also identifies running processes, security tools and system language, primarily leveraging interactions with Microsoft’s APIs.
  3. Execution and Persistence: Akira deploys custom-built executables, such as w.exe and win.exe, to encrypt files. Persistence is maintained by modifying registry keys or creating new domain accounts, ensuring control remains intact even if initial detection occurs.
  4. Lateral Movement: Using tools like Veeam-Get-Creds and AdFind, Akira extracts credentials and navigates Active Directory environments efficiently. This enables the group to expand its reach within targeted networks.
  5. Defense Evasion: Akira employs tactics to evade detection, such as detecting and avoiding debuggers and using encoding techniques like Base64 and obfuscation to conceal files and processes. In a recent update, Akira introduced a component that restricts execution in analysis environments using a unique Build ID.
  6. Data Exfiltration: Prior to encryption, Akira exfiltrates sensitive data using tools like Rclone and WinSCP. This data is later published on its leak site as part of a double-extortion strategy, pressuring victims to pay to prevent the public release of their stolen information.

Conclusion

As Akira ransomware continues to target organizations globally, it is crucial for companies to monitor their systems for signs of compromise and stay updated on the various active strains of Akira ransomware, including v2, Megazord and the latest variants. Following a significant increase in incidents per month after the first half of 2024, we anticipate this growth trend will persist into 2025.

Impact

Akira’s ransomware campaigns have a devastating impact on organizations, causing financial losses through ransom payments, operational disruptions and reputational harm. The group’s double-extortion tactics, which combine encryption with data leaks, heighten the pressure on victims while exposing sensitive information. Its ability to target critical infrastructure and virtualized environments further amplifies the damage, leading to prolonged recovery times and escalating cybersecurity costs.

IOC and Context Details

Tactic Name: Initial Access, Discovery, Execution, Persistence, Lateral Movement, Defense Evasion, Impact
Technique Name: Inhibit System Recovery, Boot or Logon AutoStart Execution, Exploitation of Remote Services, User Execution, Windows Management Instrumentation, Command and Scripting Interpreter, Debugger Evasion, Obfuscated Files or Information, Exploit Public-Facing Application
Sub Technique Name: Registry Run Keys / Startup Folder, Malicious File, PowerShell, Command Obfuscation
Attack Type: Ransomware
Targeted Applications: VMware ESXi, Windows, Linux
Region Impacted: Canada, UK, Germany, United States
Industry Impacted: Financial services, Manufacturing, Education
IOCs: Hash (SHA256, SHA1, MD5)
CVE: CVE-2024-40711, CVE-2024-37085

Recommended Actions
  1. Implement Robust Patch Management: Regularly update and patch systems to address vulnerabilities, such as CVE-2024-37085 and CVE-2024-40711. Prioritize critical systems like VMware ESXi servers and backup solutions.
  2. Strengthen Access Controls: Use multi-factor authentication (MFA) for all critical systems and limit the use of shared or privileged accounts. Regularly review and remove unnecessary or inactive accounts.
  3. Enhance Network Segmentation: Isolate critical infrastructure, such as virtualized environments and backup systems, from primary networks to limit lateral movement by attackers.
  4. Implement Backup and Recovery Measures: Schedule regular backups, ensure they are tested and store them on a separate system or cloud environment. Backups should ideally be kept offline to prevent access during attacks.
  5. Monitor for Threat Indicators: Deploy endpoint detection and response (EDR) solutions to monitor suspicious activities, such as unusual file encryption, registry changes, or the use of credential harvesting tools like AdFind and Veeam-Get-Creds.
  6. Implement Data Exfiltration Prevention: Use tools to monitor and control outbound data transfers. Encrypt sensitive data to minimize its value if stolen.
  7. Train Employees on Cyber Hygiene: Provide regular training on recognizing phishing attempts, social engineering tactics and other methods used by ransomware operators to gain access.
  8. Develop and Test an Incident Response Plan: Prepare a comprehensive response strategy, including protocols for isolating infected systems, communicating with stakeholders and involving legal and cybersecurity experts. Regular tabletop exercises can ensure readiness.
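The monitoring recommended in action 5 can be illustrated with a small detection pass over endpoint telemetry. This is an added example, not code from the advisory or its authors; the pipe-delimited event format, the sample events and the assumed script name for Veeam-Get-Creds are constructed for illustration, and the alert threshold is a tunable assumption.

```python
"""Toy detection pass over endpoint telemetry for Akira-style activity.

Added example; event format "host|event_type|value" is constructed and
will differ from real EDR telemetry.
"""
from collections import Counter

# Tooling and encryptor names called out in the advisory, lower-cased for
# matching. The ".ps1" name for Veeam-Get-Creds is an assumption.
SUSPECT_PROCESSES = {"adfind.exe", "rclone.exe", "winscp.exe", "w.exe",
                     "win.exe", "veeam-get-creds.ps1"}
# Extensions the original Windows payload and Megazord append to files.
RANSOM_EXTENSIONS = (".akira", ".powerranges")
# Renamed files on one host before a burst alert fires (tunable assumption).
BURST_THRESHOLD = 5


def parse_event(line):
    """Parse 'host|event_type|value'; return None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 3 or not all(parts):
        return None
    return tuple(parts)


def detect(lines):
    """Return a sorted list of (host, alert) tuples for the given events."""
    alerts = set()
    renames = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # skip malformed telemetry rather than crash the pass
        host, kind, value = ev
        v = value.lower()
        # Match on the executable basename so the install path does not matter.
        if kind == "process" and v.rsplit("\\", 1)[-1] in SUSPECT_PROCESSES:
            alerts.add((host, f"suspect tool executed: {value}"))
        elif kind == "file_rename" and v.endswith(RANSOM_EXTENSIONS):
            renames[host] += 1
    for host, n in renames.items():
        if n >= BURST_THRESHOLD:
            alerts.add((host, f"ransomware extension burst: {n} files"))
    return sorted(alerts)


# Constructed sample telemetry (not real logs).
SAMPLE = [
    "dc01|process|C:\\Tools\\AdFind.exe",
    "fs02|process|C:\\Windows\\System32\\notepad.exe",
    "fs02|process|C:\\Users\\svc\\rclone.exe",
] + [f"fs02|file_rename|D:\\share\\doc{i}.docx.akira" for i in range(6)] + [
    "esx-mgmt|file_rename|C:\\vm\\disk1.vhd.powerranges",
    "bad line",
]

if __name__ == "__main__":
    for host, msg in detect(SAMPLE):
        print(host, msg)
```

A single renamed file on esx-mgmt stays below the burst threshold, which is the trade-off to tune against false positives in a real deployment.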