
Akira: Modern ransomware with a retro vibe
The Akira ransomware group emerged in March 2023 and quickly established itself as a formidable threat actor. Akira is a ransomware-as-a-service (RaaS) operation that targets multiple industries, primarily in the United States and allied countries. By January 1, 2024, Akira had “impacted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds.”
Akira threat actors have stolen a lot of money, but their attacks are not always successful. Our security operations center recently detailed a failed Akira attack here. We'll use their report later when we explore the Akira attack chain.
Origin story
Akira’s story starts with the Conti ransomware group, which conducted attacks from December 2019 through May 2022. Analysts believe Conti shut down operations because of the fallout from the group’s support for Russia:

In retaliation for this show of support, an unidentified actor leaked hundreds of Conti’s private files, revealing Bitcoin addresses, private messages, and the group's ransomware playbook. Conti never seemed to recover from the chaos. The group stopped its attacks in May 2022 and took its last website offline the following month. Using the leaked data and attack analysis, researchers have found a long list of evidence linking Akira to Conti. This relationship has not been confirmed, but many experts attribute Akira’s early success to its access to Conti resources and criminal expertise.
Unlike Conti, Akira has not pledged loyalty to Russia or allied countries. Akira communicates in Russian on dark web forums, and its ransomware includes safeguards that prevent it from running on systems with a Russian keyboard layout. Taken together with the Conti links, this suggests a connection to Russia, but it neither proves the group's location nor confirms that the group is of Russian origin.
Branding
Researchers believe the name ‘Akira’ is inspired by the 1988 cyberpunk anime film of the same name, in which the titular character is an uncontrollable and disruptive force. The prevailing theory is that the group uses the name to portray itself in the same way.
The group has also adopted a retro green-screen terminal aesthetic for its leak site, which uses a command-line interface (CLI) for navigation and communications, and only accepts five commands.
This simplicity and vintage look belie the fact that Akira is a very sophisticated and aggressive group.
Motivation
Akira’s sole focus is money. The group targets small-to-medium-sized enterprises (SMEs), though there have been some well-known larger victims such as Nissan and Stanford University.
The group allows attacks on all sectors, though manufacturing and critical infrastructure seem to be its favorites.
Attack chain
The Akira attack chain is the sequence of events and tools used in an attack, from initial access through data exfiltration and encryption. We’ll walk through our recent encounter with Akira to see how that chain played out in an actual attack against a victim with only partial defenses.
Initial access
Barracuda SOC experts found several pre-existing areas of risk in the victim network, including an open VPN channel, unprotected devices, and inconsistent use of multi-factor authentication (MFA). These conditions were directly relevant to the attack, starting with initial access through the VPN.
Privilege escalation and lateral movement
This is an early ‘post-infection’ step in most attack chains, as threat actors try to maximize their reach within the victim network. In our case, Akira used a ‘pass-the-hash’ technique: instead of cracking a stolen NTLM password hash, the attacker presents the hash itself to authenticate to other password-protected systems, so the plaintext password is never needed. If you’re unfamiliar with password hashes, here’s a good introductory video.
The next step documented by the Barracuda SOC was the execution of Advanced IP Scanner, a free and legitimate tool that lists the devices on a network. Attackers use it to enumerate network assets and select targets for lateral movement.
Defense evasion
Akira’s defense evasion techniques rely on a mix of resources to disable endpoint security and antivirus solutions.
- PowerTool, KillAV, and Terminator are tools used to terminate antivirus and endpoint security processes.
- PowerShell commands disable Microsoft Defender Real-Time Protection. PowerShell is also used to delete Volume Shadow Copy Service (VSS) snapshots before encryption, so the victim cannot roll files back from local shadow copies.
- Registry modifications disable or reconfigure Microsoft Defender. Other edits include a UserList registry modification that hides accounts on the login screen, and a DisableRestrictedAdmin registry modification that enables Restricted Admin mode for RDP, which lets an attacker log in with a stolen NTLM hash instead of a password.
Barracuda XDR Endpoint Security has anti-tampering capabilities that prevented the attack from disabling or reconfiguring its protection.
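As an added example (not from the original post or the Barracuda SOC), here is a small Python detector that flags the process-creation events a defender would expect from the two steps above: the Advanced IP Scanner execution during lateral movement, and the defense-evasion commands (the Defender real-time and registry changes, shadow copy deletion, and the UserList and DisableRestrictedAdmin edits). The host, account and event records are constructed for the example, and the command spellings are assumptions about how these changes are typically issued, not commands recovered from the incident.

```python
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One process-creation record (Sysmon EID 1 / Security EID 4688),
    trimmed to the fields the rules need."""
    host: str
    user: str
    image: str
    command_line: str


# PowerShell -EncodedCommand carries base64 of the UTF-16LE script text.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)",
                      re.IGNORECASE)


def decode_encoded_command(cmd: str) -> str:
    """Append the decoded -EncodedCommand payload, if present, so rules can
    match on the script instead of an opaque base64 blob."""
    m = ENC_FLAG.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd


def normalise(cmd: str) -> str:
    """Lower-case, drop quotes and collapse whitespace so trivial variations
    in how a command was typed do not slip past the rules."""
    cmd = cmd.replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", cmd).strip().lower()


# (label, pattern over the normalised command line). Registry paths are the
# standard locations of these settings; the command forms are assumed
# typical spellings and should be tuned to what your own telemetry shows.
RULES = [
    ("network_scanner_run",
     re.compile(r"advanced_ip_scanner")),
    ("defender_realtime_disabled",
     re.compile(r"set-mppreference.*disablerealtimemonitoring\s+(\$true|1)")),
    ("defender_disabled_via_registry",
     re.compile(r"windows defender.*disableantispyware.*(/d\s*1|\b1\b)")),
    ("shadow_copies_deleted",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"
                r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|win32_shadowcopy.*remove-(wmiobject|ciminstance)")),
    ("account_hidden_from_logon_screen",
     re.compile(r"winlogon\\specialaccounts\\userlist")),
    # DisableRestrictedAdmin = 0 turns Restricted Admin mode on, which is
    # what allows an RDP logon with only an NTLM hash.
    ("restricted_admin_mode_enabled",
     re.compile(r"control\\lsa.*disablerestrictedadmin.*(/d\s*0|\b0\b)")),
]


def detect(events):
    """Return (host, user, label) for every event that matches a rule."""
    hits = []
    for ev in events:
        cmd = normalise(decode_encoded_command(ev.command_line))
        for label, pattern in RULES:
            if pattern.search(cmd):
                hits.append((ev.host, ev.user, label))
    return hits


# Constructed sample telemetry: one compromised host plus a benign event.
ENCODED = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    Event("FS01", "CORP\\svc_backup", "Advanced_IP_Scanner.exe",
          r'"C:\Users\svc_backup\AppData\Local\Temp\Advanced_IP_Scanner.exe" /portable'),
    Event("FS01", "CORP\\svc_backup", "powershell.exe",
          f"powershell.exe -nop -w hidden -enc {ENCODED}"),
    Event("FS01", "CORP\\svc_backup", "powershell.exe",
          "powershell.exe Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"),
    Event("FS01", "CORP\\svc_backup", "reg.exe",
          r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v helpdesk /t REG_DWORD /d 0 /f'),
    Event("FS01", "CORP\\svc_backup", "reg.exe",
          r'reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f'),
    Event("WS22", "CORP\\jdoe", "powershell.exe",
          "powershell.exe Get-MpComputerStatus"),
]

if __name__ == "__main__":
    for host, user, label in detect(SAMPLE_EVENTS):
        print(f"{host} {user} {label}")
```

The encoded-command step matters in practice: most of these changes arrive as `-EncodedCommand` blobs, and a rule that only looks at the raw command line sees nothing. The patterns are deliberately loose on whitespace, quoting and case; the trade-off is that they will also match an administrator legitimately rebuilding shadow copies or tuning Defender, so treat a hit on a server that never runs these tools as the signal, not the rule alone.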
Data exfiltration and encryption
Alongside the evasion efforts, Akira began running WinRAR to compress the data it intended to steal from the victim. The data is usually exfiltrated using methods that blend in with legitimate traffic. During this event, Akira successfully gained administrator-level access on an unprotected server, which allowed it to launch the encryption attack.
The ransomware attempted to remotely encrypt the network devices that could be reached from the unprotected server. Barracuda XDR detected this immediately and disconnected all protected endpoints from the network.
Barracuda XDR was not deployed across the victim's entire network, and internal security policies were not consistently enforced. You can read about the aftermath and lessons learned here.
Negotiations
In a successful attack, Akira will drop a ransom note with instructions to contact the group. This allows Akira to prove its claims and demand a ransom. Here’s an example of a ransom demand:
We're willing to set a $250,000 price for ALL the services we offer: 1) full decryption assistance; 2) evidence of data removal; 3) security report on vulnerabilities we found; 4) guarantees not to publish or sell your data; 5) guarantees not to attack you in the future. Let me know whether you're interested in a whole deal or in parts. This will affect the final price.
We all know that no one should pay a ransom, but we also know that sometimes ransoms are paid. However, unless Akira changes practices, there will never be a reason to pay for the Akira security report 'service.'
Initial access to your network was purchased on the dark web. Then kerberoasting was carried out and we got password hashes. Then we just bruted these and got domain admin password.
This is a copy/paste statement used in all the negotiation chats available here, and it's followed by a list of best practices. Akira will not provide any information on vulnerabilities, compromised credentials, or where the credentials were purchased. There's nothing unique to the victim in this report. If you're in negotiation with Akira, consider this and review the latest available negotiation chats before paying for this report.
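Akira's boilerplate claims Kerberoasting followed by offline cracking. As an added example (not part of the original post), the following Python checks a set of Windows Security Event ID 4769 (Kerberos service ticket request) records for the classic Kerberoasting pattern: one account requesting RC4-encrypted service tickets (TicketEncryptionType 0x17, the cheapest to crack) for several user accounts with SPNs in a short window. The 4769 records, account names, window and threshold are constructed and assumed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17          # TicketEncryptionType for RC4-HMAC; AES256 is 0x12
WINDOW = timedelta(minutes=5)
THRESHOLD = 3            # distinct service accounts per requester (assumed; tune)


def is_service_account(service_name: str) -> bool:
    """4769 ServiceName is the account that owns the SPN, not the SPN itself.
    Computer accounts (NAME$) and krbtgt generate 4769s constantly in normal
    use and are not what Kerberoasting targets, so they are ignored."""
    return not (service_name.endswith("$") or service_name.lower() == "krbtgt")


def find_kerberoast_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """events: (ISO-8601 timestamp, TargetUserName, ServiceName,
    TicketEncryptionType, IpAddress). Returns {(requester, ip): [services]}
    for each requester that obtained RC4 tickets for >= threshold distinct
    service accounts within any span of length `window`."""
    by_requester = defaultdict(list)
    for ts, requester, service, etype, ip in events:
        if etype == RC4_HMAC and is_service_account(service):
            by_requester[(requester, ip)].append((datetime.fromisoformat(ts), service))

    hits = {}
    for key, reqs in by_requester.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(in_window) >= threshold:
                hits[key] = sorted(in_window)
                break
    return hits


# Constructed 4769 records (not from the incident described in the post).
SAMPLE_4769 = [
    ("2024-05-06T08:02:10", "jdoe",   "FS01$",      0x12, "10.10.8.41"),  # normal share access
    ("2024-05-06T08:40:55", "asmith", "svc_sql",    0x12, "10.10.8.77"),  # normal SQL logon, AES
    ("2024-05-06T09:12:01", "jdoe",   "svc_sql",    0x17, "10.10.8.41"),  # burst starts
    ("2024-05-06T09:12:02", "jdoe",   "svc_backup", 0x17, "10.10.8.41"),
    ("2024-05-06T09:12:02", "jdoe",   "svc_web",    0x17, "10.10.8.41"),
    ("2024-05-06T09:12:03", "jdoe",   "FS01$",      0x17, "10.10.8.41"),  # computer account, ignored
    ("2024-05-06T09:12:03", "jdoe",   "krbtgt",     0x17, "10.10.8.41"),  # TGT renewal, ignored
    ("2024-05-06T10:00:00", "bob",    "svc_web",    0x17, "10.10.9.5"),   # legacy RC4 app: two
    ("2024-05-06T11:05:00", "bob",    "svc_sql",    0x17, "10.10.9.5"),   # requests an hour apart
]

if __name__ == "__main__":
    for (user, ip), services in find_kerberoast_bursts(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user} from {ip}: {', '.join(services)}")
```

The same data also shows the fix Akira's "best practices" list hints at without detail: the accounts that appear as ServiceName in a burst are the ones whose SPN passwords must be long and random (or moved to group managed service accounts) and whose msDS-SupportedEncryptionTypes should exclude RC4, because a ticket that cannot be requested with RC4 and is protected by a 100-character password cannot be "just bruted". Legacy applications that still need RC4 will create false positives for this rule, so baseline them by requester before alerting.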
If the victim does not pay the ransom, Akira sends a message like this:
You can find yourself in our news column: https://akiral2iz6a7qgd3ayp3l6yub7xx2uep .... [redacted] If you want this post to be removed, we have to agree at something.
Conclusion
There is truly no reason to fall victim to an Akira attack. This is a dangerous group, but it relies on security gaps that are often closed with best practices. If you do fall victim to Akira, review this information to help you prepare for negotiations.
Barracuda Managed XDR and SOC provide comprehensive, layered defenses with integrated and extended visibility. They offer a fierce defense against advanced threats like Akira, and they’re easy to buy, deploy, and manage.
For more information:
- The SOC case files: XDR catches Akira ransomware exploiting ‘ghost’ account and unprotected server
- Barracuda Managed XDR and SOC.