Akira (Ransomware Group) – Threat Actor

Overview

The Akira Group has emerged as a notable player in the ransomware landscape since its operations began in March 2023. Characterized by a unique retro aesthetic on their data leak site, this group quickly gained attention for its sophisticated and aggressive approach to cyber extortion. Utilizing multi-extortion tactics, the Akira Group not only encrypts victims’ data but also threatens to release sensitive information on their TOR-based website if ransom demands are not met. This layered approach intensifies the pressure on victims, often leading to significant financial losses. Targeting a diverse range of sectors, including education, finance, manufacturing, real estate, and healthcare, the Akira Group does not discriminate when it comes to selecting its victims. Their operations are marked by a striking lack of specificity, as they primarily focus on large enterprises, leveraging vulnerabilities in public-facing applications and services to gain initial access. This indiscriminate targeting has raised alarms across industries, as organizations scramble to bolster their defenses against this evolving threat. Technically, the Akira Group employs a series of sophisticated methods to infiltrate systems, often exploiting weaknesses in multi-factor authentication (MFA) and known vulnerabilities in Virtual Private Network (VPN) software. Once inside, they use advanced tools and techniques to move laterally within the network, dumping credentials and escalating privileges as necessary. The group has gained notoriety for its use of PowerShell commands to execute critical ransomware payloads, remove volume shadow copies, and encrypt files, all while employing clever evasion tactics to avoid detection.

Initial Access

The initial foothold on the system is obtained via several methods. Multi-factor authentication (MFA) exploitation (i.e. CVE-2023-20269) is mostly used in observed campaigns, along with known vulnerabilities in public facing services, such as RDP. Spear phishing is also used to gain a foothold, which is generally more effective than plain phishing, as it’s addressed to a specific user (group) and/or a relevant theme for the recipient(s).

Escalation and Lateral Movement

To escalate privileges and/or move laterally, LSASS dumps are used. Additionally, or alternatively, RDP is used to connect to other machines within the network while moving laterally. Other tools used are PCHunter64, LaZagne, and Mimikatz.

Data Collection and Exfiltration

Once the actors are in the system, data is exfiltrated by the actor. This way, the victim can be extorted twice: once to recover encrypted files, and once to ensure the stolen data is not made available publicly on the Akira extortion blog. To upload the gathered files, RClone, WinSCP, and FileZilla have been observed in use.

MITRE ATT&CK Techniques

T1003.001 OS Credential Dumping: LSASS Memory T1048 Exfiltration Over Alternative Protocol T1021.001 Remote Services: Remote Desktop Protocol T1059.001 Command and Scripting Interpreter: PowerShell T1106 Native API T1190 Exploit Public-Facing Application T1486 Data Encrypted for Impact T1490 Inhibit System Recovery T1566 Phishing T1584 Compromise Infrastructure

References:

• Akira
• Akira Ransomware