This article was made possible thanks to contributions from Aaron Gdanski.

IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.

The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored by the Cybersecurity and Infrastructure Security Agency’s (CISA) recent Cybersecurity Advisory on the group and the hundreds of victims Akira ransomware actors have claimed across multiple industries and geographies.

Akira threat actors employ a double extortion scheme involving both exfiltration of data and enterprise-wide encryption. Akira affiliates demand a ransom payment to prevent the group from publishing files on their onion site and receiving a decryption key to recover files affected. The group’s name appears to be allusive to the plot of a 1988 anime movie with the same name.

Key takeaways

  • Akira ransomware uses the following strings, which can be used for detection:
    • Windows Akira
      • *.akira
      • akira_readme.txt
      • Log-<Day>-<Month>-<Year>-<Hour>-<Minute>-<Second>.txt
      • powershell.exe -Command “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject”
    • Linux Akira
      • *.akira
      • akira_readme.txt
  • Akira ransomware actors are frequently exploiting CVE-2023-20269 to gain initial access to victim networks
  • Vulnerability management, password management and staying appraised of dark web threats can help organizations harden defenses against Akira ransomware

Active on the dark web

Akira ransomware actors have deployed two sites on the dark web—both are .onion locations mentioned in the ransom note left by Akira after each attack. The sites are stylized in a way that hearkens back to ARPANET in the early 1980s.

The first site includes general information about the ransomware group, advertises stolen records from the group’s victims, includes news about potential data releases and identifies ways to contact the group.

Figure 1: Akira ransomware .onion dark web name-and-shame site (Source: X-Force dark web research)

The second site is used for negotiations. To access this site, a user needs to input a password included in the ransom note as a unique identifier.

Figure 2: Akira ransomware .onion dark web negotiations portal (Source: X-Force dark web research)

After gaining access, the negotiation portal displays a message telling the victim that the Akira group is preparing a sample of stolen data from the victim organization. This process may be manual for the threat actor, based on the amount of time it appears to take. Once ready, the threat group will attach a file that includes a list of folders and files exfiltrated during the operation in an effort to prove to the victim that Akira actors stole authentic files before encryption occurred.

Figure 3: Akira support chat within dark web negotiations portal (Source: Lab539)

Read the Threat Intelligence Index

An optimal access vector: CVE-2023-20269

After CVE-2023-20269 was disclosed in early September 2023, Akira ransomware threat actors have capitalized widely on exploiting this vulnerability in the wild. CVE-2023-20269 affects virtual private network (VPN) features of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD), allowing unauthorized remote attackers to conduct brute force attacks against existing accounts.

A suite of tools

After initial access, the group employs a variety of tools and malware for reconnaissance, data exfiltration, lateral movement and specially crafted scripts to spread the ransomware binary across the network.

MITRE ATT&CK Tactic

Tools used by Akira Ransomware Affiliates

Discovery

Advanced IP Scanner

SoftPerfect Network Scanner

Credential Access

Potentially use of Remote Desktop Protocol (RDP) Brute Force tools (Hydra and similar)

Command and Control (C2)

AnyDesk

Exfiltration

Rclone

FileZilla

Scroll to view full table

Figure 4: Suite of tools used by Akira ransomware actors (Source: X-Force)

Unlike some ransomware families with worm behavior modules for propagation or replication without human interaction, Akira ransomware requires an active procedure to spread the infection within networks. Common options are the use of domain controller policies if the threat actor has reached this level of access or the use of features embedded in the Akira binary triggered by batch or bash scripts.

X-Force has observed Akira ransomware actors use batch scripts with the following pattern after completing reconnaissance activities:

“start akira_binary.exe  -remote -n=3 -p=\\xx.xx.xx.xx\C$”

  • The start command is used to create a new instance of and consequently, a new process thread to execute each instruction independently
  • In many cases, the binaries found have been specially crafted by the threat actor and their IOCs had not been seen previously in any threat intelligence feeds
  • The argument with -p is fed with the different IP targets and drives mapped locations to be encrypted
  • The threat actor appears to be using existing operating features to make the activity appear legitimate

The Akira ransomware binary creates a text file located in the current directory where the execution took place.

Malware analysis of Akira ransomware

IBM X-Force has analyzed both Windows and Linux binaries for Akira ransomware. The Linux and Windows versions of Akira function similarly with the main difference being the libraries used to support cryptographic operations. Akira appends .akira to the filename of encrypted files and drops a ransom note to each directory where files are encrypted. The ransom note contains a TOR link and a code that the victim can use to log on to a chat system to negotiate the ransom.

In one instance, the Akira ransomware file was compiled at the end of December 2023, particularly 2023-12-28 14:49:57 UTC, and developed in C++.

Figure 5: Date time stamp for Akira ransomware compilation—December 28, 2023 (Source: X-Force)

Upon execution, Akira Ransomware will create a log file in the current directory.  The filename of the log file is based on the current local time of the system, in the following format: “Log-<Day>-<Month>-<Year>-<Hour>-<Minute>-<Second>.txt”.  If an error occurs while encrypting a file, Akira will write an error message to the log file.  Additional information regarding the program’s command line parameters is also written in the log file.  Once the log file is created, Akira will begin parsing its command line arguments.  The following command line arguments are accepted by the Windows version of Akira:

Argument

Functionality

-p, –encryption_path

Instructs the ransomware to encrypt a certain directory path recursively.

-s, –share_file

Used to specify additional paths to encrypt.  Appears to be specifically intended for network shares.

-n, –encryption_percent

Used to specify what percentage of each file should be encrypted. (For files under 2MB, the default is 50%.  Larger files use intermittent encryption by default.)

-localonly

Instructs Akira to only encrypt files on the local device.

-l

Instructs Akira to write a list of all connected drives to the log file.  Execution is terminated once complete.

-remoteonly

Parameter has no functionality.

Scroll to view full table

Figure 6: Command line arguments used by Akira ransomware (Source: X-Force)

Once command line arguments are parsed, Akira will delete all shadow copies using the Powershell command: “powershell.exe -Command “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject””.  This command is executed using Component Object Model (COM) objects to prevent detection.  Additionally, Akira may attempt to kill processes with the following names:

spoolsv.exe

explorer.exe

sihost.exe

frontdrvhost.exe

dwm.exe

LogonUI.exe

SearchUI.exe

lsass.exe

csrss.exe

smss.exe

winlogon.exe

services.exe

conhost.exe

System

System Idle Process

Secure System

Registry

Memory Compression

wininit.exe

Scroll to view full table

Figure 7: Processes Akira ransomware attempts to kill (Source: X-Force)

Once these processes are killed, Akira will begin encryption.  Files are encrypted using ChaCha20 or KCipher-2.  Files larger than 2MB will be encrypted in blocks, while smaller files will be encrypted based on the encryption percentage provided in the command line arguments.  By default, 50% of every file smaller than 2MB is encrypted.  Each encrypted file is given a .akira extension. Akira will not encrypt files with any of the following extensions:

  • .exe
  • .dll
  • .lnk
  • .sys
  • .msi

The Linux version of Akira uses the same list of directories and file extensions as the Windows version that it uses to filter targeted files even though they are found on Windows systems instead of Linux. Akira will not encrypt any files within the following folders:

  • tmp
  • winnt
  • temp
  • thumb
  • $Recycle.Bin
  • $RECYCLE.BIN
  • System Volume Information
  • Boot
  • Windows
  • Trend Micro

Defending against Akira ransomware

Organizations can take several steps to harden defenses against Akira ransomware. While there is no guaranteed approach to prevent a ransomware attack—including from Akira threat actors—implementing these measures can make it harder for Akira attackers to employ their preferred techniques:

  • Vulnerability management
    • Implement a proactive and regular patching process to ensure that all known vulnerabilities are addressed in a timely manner. This includes installing relevant security patches to mitigate vulnerabilities such as CVE-2023-20269.
  • Password management & multifactor authentication
    • The 2024 X-Force Threat Intelligence Index identified a 71% surge in the use of valid credentials as an initial infection vector from the year prior. Given this trend, it is imperative to constantly force credential renewals and implement multifactor authentications for all services to the extent possible, particularly for webmail, virtual private networks and similar channels and accounts that access critical systems.
  •  Perform continuous searches in illegal markets
      • The deep web is a rich environment for threat actors to acquire credentials and log information from infostealers. Proactively monitoring these sources can reduce the likelihood of breaches and intrusions in your enterprise. IBM X-Force has this monitoring as part of its Vision Retainer services.
  • Feed host/network-based solutions with IOCs
    • Indicators of Compromise (IOCs) included at the end of this article can be used to detect Akira ransomware on a network.

In addition to the above, X-Force recommends taking advantage of proactive and remedial actions provided by CISA in its April 18 report.

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

Indicator

Indicator Type

Context

*.akira

File Name

Appendage to filenames left after encryption is complete

akira_readme.txt

File Name

Name of text file left after encryption

Log-<Day>-<Month>-<Year>-<Hour>-<Minute>-<Second>.txt

File Name

Name of log file left after encryption

powershell.exe -Command “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject”

 

Process Name

Powershell command for removing shadow copy objects, used to remove potential backup files

Scroll to view full table

More from X-Force

Q&A with Valentina Palmiotti, aka chompie

4 min read - The Pwn2Own computer hacking contest has been around since 2007, and during that time, there has never been a female to score a full win — until now.This milestone was reached at Pwn2Own 2024 in Vancouver, where two women, Valentina Palmiotti and Emma Kirkpatrick, each secured full wins by exploiting kernel vulnerabilities in Microsoft Windows 11. Prior to this year, only Amy Burnett and Alisa Esage had competed in the contest's 17-year history, with Esage achieving a partial win in…

X-Force discovers new vulnerabilities in smart treadmill

7 min read - This research was made possible thanks to contributions from Joshua Merrill. Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users. One of the most…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today