Akira Ransomware – 06 July 2023

The Akira ransomware operation first emerged in April 2023 and has recently increased its activity, targeting organizations in the finance, education, real estate, manufacturing, and consulting sectors around the world. Akira is based on the leaked Conti ransomware source code.

Akira's Windows encryptor is written in C++ and encrypts local files. Each encrypted file has the extension ".akira" appended to its original filename, and a ransom note is written to every folder that contains encrypted files.
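
The file-level behaviour described above (appended ".akira" extension, a note in every encrypted folder) is what an incident responder sees first, so the following triage scanner is added here as an example. It is not tooling from the advisory or from the Akira operators: it walks a directory tree, lists the encrypted files, recovers their original names by stripping the appended extension, reports which folders hold a ransom note beside encrypted files, and gives the modification-time window of the encrypted files as a rough encryption timeline. The ransom-note filename is not stated in this advisory, so it is a parameter whose default is an assumed placeholder, and the sample tree it builds is constructed for the demonstration.

```python
"""Triage scanner for Akira-style encryption artifacts.

Added example, not code from the advisory or the ransomware operators. The
ransom-note filename is not given in the advisory, so ASSUMED_NOTE_NAME is a
placeholder; pass the real name once it is known from the incident.
"""
import os
import tempfile
from datetime import datetime, timezone

ENCRYPTED_EXT = ".akira"
ASSUMED_NOTE_NAME = "ransom_note.txt"  # assumption: placeholder, not the real note name


def scan_tree(root, note_name=ASSUMED_NOTE_NAME):
    """Return a summary dict of Akira-style encryption artifacts under root."""
    encrypted = []
    dirs_with_note = []
    mtimes = []
    for dirpath, _subdirs, files in os.walk(root):
        names_lower = {f.lower() for f in files}
        found_here = False
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                path = os.path.join(dirpath, name)
                encrypted.append(path)
                mtimes.append(os.path.getmtime(path))
                found_here = True
        # Akira drops a note into every folder it encrypts; a note beside
        # encrypted files confirms the folder was inside the encryption scope.
        if found_here and note_name.lower() in names_lower:
            dirs_with_note.append(dirpath)

    def iso(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

    return {
        "encrypted_count": len(encrypted),
        "encrypted_files": sorted(encrypted),
        # original name = encrypted name with the appended ".akira" removed
        "original_names": sorted(os.path.basename(p)[:-len(ENCRYPTED_EXT)] for p in encrypted),
        "dirs_with_note": sorted(dirs_with_note),
        "first_mtime": iso(min(mtimes)) if mtimes else None,
        "last_mtime": iso(max(mtimes)) if mtimes else None,
    }


def build_demo_tree():
    """Create a constructed sample tree (not data from a real incident) and return its root."""
    root = tempfile.mkdtemp(prefix="akira_triage_demo_")
    layout = {
        "docs/report.docx.akira": b"\x00\x01 constructed ciphertext stand-in",
        "docs/" + ASSUMED_NOTE_NAME: b"constructed ransom-note stand-in",
        "docs/archive/old_budget.xlsx.akira": b"\x00\x02 constructed ciphertext stand-in",
        "clean/readme.txt": b"untouched file",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    result = scan_tree(build_demo_tree())
    print(f"{result['encrypted_count']} encrypted files; notes present in: {result['dirs_with_note']}")
    print(f"encryption window: {result['first_mtime']} .. {result['last_mtime']}")
```

Run it against a mounted image or a share root rather than a live infected host, and keep the note name configurable: a folder with encrypted files but no note is still in scope, it simply indicates the encryptor was interrupted or the note was removed.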

The Akira group has also released a Linux encryptor that targets VMware ESXi virtual machines, used in double-extortion attacks against companies worldwide.

The Tactics and Techniques of Akira Ransomware:

Initial Access:

  • The threat actor uses valid credentials to gain access to the organization's network and execute the ransomware.
  • Security researchers have observed the threat actor leveraging external-facing remote services, such as VPNs, Citrix, and other remote-access mechanisms, for initial access, then using that connection to reach the internal enterprise network and deploy Akira.

Credential Access:

  • Security researchers identified abuse of the Local Security Authority Subsystem Service (LSASS): the threat actor dumps the process memory locally to the file "C:\Windows\MEMORY.DMP" in order to harvest the credentials held in it. That path is the default location of the Windows kernel crash dump, so a MEMORY.DMP written by a user-mode process, with no matching bugcheck, is itself a strong indicator.

Discovery:

  • The threat actor begins discovery with the "dir" command to list directory contents and build a picture of the filesystem, and additionally uses the PCHunter64 tool to obtain detailed process and system information.

Lateral Movement:

  • Security researchers found that the threat actor took advantage of misconfigured Remote Desktop Protocol (RDP) settings to move laterally across the network without restriction.

Defence Evasion:

  • Security researchers identified that the threat actor modifies and stops Windows Defender to evade detection and uses PowerShell commands to clear forensic artifacts.

Collection, Command and Control:

  • The threat actor uses compromised privileged accounts to install WinRAR and compress the collected data before exfiltration.
  • Security researchers observed the use of AnyDesk, Radmin, and Cloudflare's freely available tunneling client (cloudflared) to maintain remote access and relay commands from the C2 infrastructure.

Impact:

  • The threat actor uses the batch file "C:\ProgramData\Update.bat" to launch the ransomware binary "dllhost32.exe". Note that the name mimics the legitimate Windows "dllhost.exe" (the COM Surrogate, located in C:\Windows\System32); "dllhost32.exe" is not a Windows component.
  • The ransomware binary "dllhost32.exe" uses the "Microsoft Enhanced RSA and AES Cryptographic Provider" and various Windows CryptoAPI functions to encrypt the data.
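
The tactics listed above each leave a process- or file-creation trace, so the following hunt is added here as an example of turning them into rules; it is not the advisory's own detection content. It runs over constructed Sysmon-style records (event_id 1 = process creation with Image, CommandLine, ParentCommandLine and User; event_id 11 = file creation with TargetFilename). Because the advisory only says that Defender was modified and stopped and that PowerShell cleared artifacts, the exact command lines matched by the defence-evasion rule are assumptions, and the tool that writes MEMORY.DMP is a placeholder name.

```python
"""Hunt rules for the Akira TTPs listed above, run over constructed Sysmon-style events.

Added example, not the advisory's own detection content. Records use Sysmon field
names but are constructed for illustration. The Defender-tampering and log-clearing
command lines are assumptions (the advisory only says Defender was stopped and
PowerShell cleared artifacts); "dumper.exe" is a placeholder for the unnamed dump tool.
"""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
UPDATE_BAT = r"c:\programdata\update.bat"
DEFENDER_TAMPER = re.compile(r"set-mppreference\s+-disable|stop-service\s+\S*windefend|sc(\.exe)?\s+(stop|config)\s+windefend", re.I)
LOG_CLEAR = re.compile(r"clear-eventlog|wevtutil(\.exe)?\s+cl\b", re.I)
REMOTE_ACCESS_TOOLS = ("anydesk", "radmin", "cloudflared")


def _lc(value):
    return (value or "").lower()


def _base(image):
    """Lower-case file name of a Windows Image path."""
    return _lc(image).replace("/", "\\").rsplit("\\", 1)[-1]


def _proc(e):
    return e.get("event_id") == 1


RULES = [
    # Credential Access: MEMORY.DMP is the kernel crash-dump path; a user-mode
    # process creating it matches the LSASS dump the advisory describes.
    ("credential_access_lsass_dump",
     lambda e: e.get("event_id") == 11 and _lc(e.get("TargetFilename")) == r"c:\windows\memory.dmp"),
    # Discovery: PCHunter64 process start (dual-use system-inspection tool).
    ("discovery_pchunter64", lambda e: _proc(e) and "pchunter" in _base(e.get("Image"))),
    # Defence Evasion: Defender disabled/stopped or event logs cleared (assumed command shapes).
    ("defense_evasion_defender_or_log_tamper",
     lambda e: _proc(e) and bool(DEFENDER_TAMPER.search(e.get("CommandLine") or "")
                                or LOG_CLEAR.search(e.get("CommandLine") or ""))),
    # Command and Control: AnyDesk, Radmin or cloudflared starting.
    ("c2_remote_access_tool",
     lambda e: _proc(e) and any(t in _base(e.get("Image")) for t in REMOTE_ACCESS_TOOLS)),
    # Collection: rar.exe/winrar.exe invoked with the a/m/u (add/move/update) archive command.
    ("collection_winrar_staging",
     lambda e: _proc(e) and _base(e.get("Image")) in ("rar.exe", "winrar.exe")
     and re.search(r"\s[amu]\s", _lc(e.get("CommandLine"))) is not None),
    # Impact: dllhost32.exe is not a Windows binary (the real COM Surrogate is
    # System32\dllhost.exe); Update.bat is the launcher named in the advisory.
    ("impact_update_bat_dllhost32",
     lambda e: _proc(e) and (_base(e.get("Image")) == "dllhost32.exe"
                             or UPDATE_BAT in _lc(e.get("ParentCommandLine"))
                             or UPDATE_BAT in _lc(e.get("CommandLine")))),
]


def hunt(events):
    """Return one hit per (event, matching rule), keeping the event index for pivoting."""
    hits = []
    for idx, e in enumerate(events):
        for name, pred in RULES:
            if pred(e):
                hits.append({"rule": name, "index": idx, "image": e.get("Image", ""), "user": e.get("User", "")})
    return hits


def rule_names(events):
    return sorted({h["rule"] for h in hunt(events)})


# Constructed sample telemetry (not from a real incident). "dir" is too common to alert on alone.
U = r"CORP\svc_backup"
SAMPLE_EVENTS = [
    {"event_id": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c dir /s C:\Users", "User": U},
    {"event_id": 11, "Image": r"C:\Users\Public\dumper.exe", "TargetFilename": r"C:\Windows\MEMORY.DMP", "User": U},
    {"event_id": 1, "Image": r"C:\Users\Public\PCHunter64.exe", "CommandLine": "PCHunter64.exe", "User": U},
    {"event_id": 1, "Image": PS, "CommandLine": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true; Stop-Service WinDefend", "User": U},
    {"event_id": 1, "Image": PS, "CommandLine": "powershell.exe -c Clear-EventLog -LogName Security,System", "User": U},
    {"event_id": 1, "Image": r"C:\Users\svc_backup\AppData\Local\AnyDesk\AnyDesk.exe", "CommandLine": "AnyDesk.exe", "User": U},
    {"event_id": 1, "Image": r"C:\Program Files\Radmin Viewer 3\Radmin.exe", "CommandLine": "Radmin.exe", "User": U},
    {"event_id": 1, "Image": r"C:\Users\Public\cloudflared.exe", "CommandLine": "cloudflared.exe tunnel run", "User": U},
    {"event_id": 1, "Image": r"C:\Program Files\WinRAR\rar.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\rar.exe" a -r -hp C:\Users\Public\stage\finance.rar \\fs01\Finance', "User": U},
    {"event_id": 1, "Image": r"C:\ProgramData\dllhost32.exe", "CommandLine": "dllhost32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": r"cmd.exe /c C:\ProgramData\Update.bat", "User": U},
    # benign controls: the real COM Surrogate and an ordinary PowerShell query must not fire
    {"event_id": 1, "Image": r"C:\Windows\System32\dllhost.exe", "CommandLine": "dllhost.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"event_id": 1, "Image": PS, "CommandLine": "powershell.exe -c Get-Process", "User": U},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"[{h['rule']}] event #{h['index']} image={h['image']} user={h['user']}")
```

The two benign records at the end are the point of the exercise: the impact rule keys on the non-Windows name "dllhost32.exe" and on the Update.bat parent, not on "dllhost" as a substring, so the legitimate COM Surrogate stays quiet, and the remote-access rule fires on process name rather than on every signed AnyDesk installer, which is why it should be paired with an inventory of tools the organization actually sanctions.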

Indicators of Compromise

Indicators of compromise will be shared with EG-FinCIRT’s Constituents.

Mitigations
  • Search your environment for existing signs of the indicated IOCs.
  • Block the IOCs on the organization's security devices.
  • Enable machine learning, active-adversary mitigation, and behavioral detection in endpoint security products.
  • Administrators should adopt multi-factor authentication and use a separate administrative account distinct from their normal operational account.
  • Develop and implement a patching policy and baseline configuration standards for operating systems.
  • Conduct cybersecurity awareness training for end users.
  • Ensure anti-virus software and its signature files are up to date.
  • Set up an alert for events in which an AV agent loses its connection to the management console.
  • Implement application whitelisting so that systems execute only programs known and permitted by the organization's security policy.
  • Back up your data to multiple backup destinations, including offline media such as tape drives.
