This article was made possible thanks to contributions from Aaron Gdanski.

IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.

The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored by the Cybersecurity and Infrastructure Security Agency’s (CISA) recent Cybersecurity Advisory on the group and the hundreds of victims Akira ransomware actors have claimed across multiple industries and geographies.

Akira threat actors employ a double extortion scheme involving both exfiltration of data and enterprise-wide encryption. Akira affiliates demand a ransom payment to prevent the group from publishing files on their onion site and receiving a decryption key to recover files affected. The group’s name appears to be allusive to the plot of a 1988 anime movie with the same name.

Key takeaways

• Akira ransomware uses the following strings, which can be used for detection:
  • Windows Akira
    • *.akira
    • akira_readme.txt
    • Log-<Day>-<Month>-<Year>-<Hour>-<Minute>-<Second>.txt
    • powershell.exe -Command “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject”
  • Linux Akira
    • *.akira
    • akira_readme.txt
• Akira ransomware actors are frequently exploiting CVE-2023-20269 to gain initial access to victim networks
• Vulnerability management, password management and staying appraised of dark web threats can help organizations harden defenses against Akira ransomware

Active on the dark web

Akira ransomware actors have deployed two sites on the dark web—both are .onion locations mentioned in the ransom note left by Akira after each attack. The sites are stylized in a way that hearkens back to ARPANET in the early 1980s.

The first site includes general information about the ransomware group, advertises stolen records from the group’s victims, includes news about potential data releases and identifies ways to contact the group.

Figure 1: Akira ransomware .onion dark web name-and-shame site (Source: X-Force dark web research)

The second site is used for negotiations. To access this site, a user needs to input a password included in the ransom note as a unique identifier.

Figure 2: Akira ransomware .onion dark web negotiations portal (Source: X-Force dark web research)

After gaining access, the negotiation portal displays a message telling the victim that the Akira group is preparing a sample of stolen data from the victim organization. This process may be manual for the threat actor, based on the amount of time it appears to take. Once ready, the threat group will attach a file that includes a list of folders and files exfiltrated during the operation in an effort to prove to the victim that Akira actors stole authentic files before encryption occurred.

Figure 3: Akira support chat within dark web negotiations portal (Source: Lab539)

An optimal access vector: CVE-2023-20269

After CVE-2023-20269 was disclosed in early September 2023, Akira ransomware threat actors have capitalized widely on exploiting this vulnerability in the wild. CVE-2023-20269 affects virtual private network (VPN) features of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD), allowing unauthorized remote attackers to conduct brute force attacks against existing accounts.

A suite of tools

After initial access, the group employs a variety of tools and malware for reconnaissance, data exfiltration, lateral movement and specially crafted scripts to spread the ransomware binary across the network.

Figure 4: Suite of tools used by Akira ransomware actors (Source: X-Force)

Unlike some ransomware families with worm behavior modules for propagation or replication without human interaction, Akira ransomware requires an active procedure to spread the infection within networks. Common options are the use of domain controller policies if the threat actor has reached this level of access or the use of features embedded in the Akira binary triggered by batch or bash scripts.

X-Force has observed Akira ransomware actors use batch scripts with the following pattern after completing reconnaissance activities:

“start akira_binary.exe  -remote -n=3 -p=\\xx.xx.xx.xx\C$”

• The start command is used to create a new instance of and consequently, a new process thread to execute each instruction independently
• In many cases, the binaries found have been specially crafted by the threat actor and their IOCs had not been seen previously in any threat intelligence feeds
• The argument with -p is fed with the different IP targets and drives mapped locations to be encrypted
• The threat actor appears to be using existing operating features to make the activity appear legitimate

The Akira ransomware binary creates a text file located in the current directory where the execution took place.

Malware analysis of Akira ransomware

IBM X-Force has analyzed both Windows and Linux binaries for Akira ransomware. The Linux and Windows versions of Akira function similarly with the main difference being the libraries used to support cryptographic operations. Akira appends .akira to the filename of encrypted files and drops a ransom note to each directory where files are encrypted. The ransom note contains a TOR link and a code that the victim can use to log on to a chat system to negotiate the ransom.

In one instance, the Akira ransomware file was compiled at the end of December 2023, particularly 2023-12-28 14:49:57 UTC, and developed in C++.

Figure 5: Date time stamp for Akira ransomware compilation—December 28, 2023 (Source: X-Force)

Upon execution, Akira Ransomware will create a log file in the current directory.  The filename of the log file is based on the current local time of the system, in the following format: “Log-<Day>-<Month>-<Year>-<Hour>-<Minute>-<Second>.txt”.  If an error occurs while encrypting a file, Akira will write an error message to the log file.  Additional information regarding the program’s command line parameters is also written in the log file.  Once the log file is created, Akira will begin parsing its command line arguments.  The following command line arguments are accepted by the Windows version of Akira:

Figure 6: Command line arguments used by Akira ransomware (Source: X-Force)

Once command line arguments are parsed, Akira will delete all shadow copies using the Powershell command: “powershell.exe -Command “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject””.  This command is executed using Component Object Model (COM) objects to prevent detection.  Additionally, Akira may attempt to kill processes with the following names:

Figure 7: Processes Akira ransomware attempts to kill (Source: X-Force)

Once these processes are killed, Akira will begin encryption.  Files are encrypted using ChaCha20 or KCipher-2.  Files larger than 2MB will be encrypted in blocks, while smaller files will be encrypted based on the encryption percentage provided in the command line arguments.  By default, 50% of every file smaller than 2MB is encrypted.  Each encrypted file is given a .akira extension. Akira will not encrypt files with any of the following extensions:

• .exe
• .dll
• .lnk
• .sys
• .msi

The Linux version of Akira uses the same list of directories and file extensions as the Windows version that it uses to filter targeted files even though they are found on Windows systems instead of Linux. Akira will not encrypt any files within the following folders:

• tmp
• winnt
• temp
• thumb
• $Recycle.Bin
• $RECYCLE.BIN
• System Volume Information
• Boot
• Windows
• Trend Micro

Defending against Akira ransomware

Organizations can take several steps to harden defenses against Akira ransomware. While there is no guaranteed approach to prevent a ransomware attack—including from Akira threat actors—implementing these measures can make it harder for Akira attackers to employ their preferred techniques:

• Vulnerability management
  • Implement a proactive and regular patching process to ensure that all known vulnerabilities are addressed in a timely manner. This includes installing relevant security patches to mitigate vulnerabilities such as CVE-2023-20269.
• Password management & multifactor authentication
  • The 2024 X-Force Threat Intelligence Index identified a 71% surge in the use of valid credentials as an initial infection vector from the year prior. Given this trend, it is imperative to constantly force credential renewals and implement multifactor authentications for all services to the extent possible, particularly for webmail, virtual private networks and similar channels and accounts that access critical systems.
•  Perform continuous searches in illegal markets
  • • The deep web is a rich environment for threat actors to acquire credentials and log information from infostealers. Proactively monitoring these sources can reduce the likelihood of breaches and intrusions in your enterprise. IBM X-Force has this monitoring as part of its Vision Retainer services.
• Feed host/network-based solutions with IOCs
  • Indicators of Compromise (IOCs) included at the end of this article can be used to detect Akira ransomware on a network.

In addition to the above, X-Force recommends taking advantage of proactive and remedial actions provided by CISA in its April 18 report.

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.