The Akira ransomware group has been identified as a highly prolific and financially successful threat actor, having generated over $244 million in illicit proceeds from its malicious activities. This updated intelligence comes from a joint advisory issued by government agencies across the US, France, Germany, and the Netherlands. Active since at least March 2023, Akira originally gained notoriety for deploying a specialized ransomware variant targeting VMware ESXi servers, focusing their attacks on businesses and critical infrastructure across North America, Europe, and Australia. The sheer scale of their financial success underscores the significant and ongoing threat they pose to the international digital landscape.
This year has marked a considerable expansion of the group’s operational scope and technical toolkit. While continuing its core activities, Akira was recently observed deploying a new variant tailored for Nutanix Acropolis Hypervisor (AHV) environments. Furthermore, the threat actors significantly broadened their initial access capabilities by exploiting a critical vulnerability in SonicWall firewalls ($CVE-2024-40766$) and four other vulnerabilities impacting software from Cisco, Windows, VMware, and Veeam Backup & Replication. Initial access is also frequently achieved through non-exploit methods, including the use of access brokers, brute-forcing VPN endpoints, and deploying tools like SharpDomainSpray for targeted password spraying across targeted domains.
Once inside a victim’s network, the Akira operators employ a highly sophisticated and multi-staged approach to network compromise. They leverage well-known remote access tools such as AnyDesk and LogMeIn for persistent access, execute discovery commands using tools like nltest and Impacket’s wmiexec.py, and utilize tunnelling services like Ngrok for command-and-control (C&C) server communication. A critical step in their process involves evading detection by uninstalling Endpoint Detection and Response (EDR) products and establishing persistence by creating new, highly-privileged user accounts, often added directly to the administrator group.
The advisory also highlighted the group’s advanced techniques for escalating privileges and stealing sensitive credentials. The threat actors were observed exploiting specific vulnerabilities in Veeam services and demonstrating a highly sophisticated method for bypassing Virtual Machine Disk (VMDK) file protection. In a reported incident, they temporarily powered down a domain controller’s VM, copied the VMDK files, and attached them to a new VM to successfully extract the NTDS.dit file and the SYSTEM hive. This sequence of actions effectively allowed them to compromise a highly privileged domain administrator’s account, giving them complete control over the environment.
The final stages of the attack often occur rapidly, with the group capable of exfiltrating significant amounts of victim data within as little as two hours of initial network access. Following data theft, the Akira ransomware is executed to encrypt the victim’s files, appending various extensions such as .akira, .powerranges, .akiranew, or .aki. The attack concludes with the deployment of ransom notes placed in the root directory and user home directories, demanding payment for decryption and promising not to publish the stolen data.
Reference:
