Akira Ransomware Technical Analysis and MITRE ATTACK TTPs Latest
Analysis of Akira Ransomware and MITRE ATT&CK TTPs
Initial Access:
- T1078 Valid Accounts & T1133 External Remote Services: Akira ransomware actors obtain valid credentials through brute force attacks or Initial Access Brokers (IABs). These credentials are then used to access target networks via Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services, establishing both initial and persistent access.
- T1190 Exploit Public Facing Applications: Akira operators exploit known vulnerabilities in Cisco systems, such as CVE-2023-20269 (CVSS Score: 9.1) and CVE-2020-3259 (CVSS Score: 7.5), gaining initial access through unpatched Cisco ASA appliances.
- T1566 Phishing: Phishing emails containing malicious links or attachments are used by Akira operators to trick users into compromising their systems.
Execution:
- T1047 Windows Management Instrumentation: Akira deletes volume shadow copies via Windows Management Instrumentation (WMI) to obstruct file recovery.
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"- T1059.001 Command and Scripting Interpreter: PowerShell: Akira uses PowerShell scripts such as Veeam-Get-Creds to extract and decrypt credentials from Veeam servers and Kerberos TicketDumper to dump Kerberos tickets from the LSA cache.
- T1059.003 Command and Scripting Interpreter: Windows Command Shell: Commands used by Akira for system discovery include:
// T1018 Remote System Discovery
nltest /dclist:<domain_name>
// T1057 Process Discovery
tasklist
// T1069 Permission Groups Discovery
net group “Domain admins” /domain
net localgroup “Administrators” /domain
// T1482 Domain Trust Discovery
nltest /domain_trustsPersistence:
- T1136.002 Create Account: Domain Account: Akira creates new domain accounts to maintain access, occasionally naming these accounts with administrative privileges, such as itadm.
Defense Evasion:
- T1562.001 Impair Defenses: Disable or Modify Tools: Akira exploits the Zemana AntiMalware driver through PowerTool to disable antivirus software, employing the Bring Your Own Vulnerable Driver (BYOVD) technique.
Credential Access:
- T1003 OS Credential Dumping: Akira uses tools like Mimikatz and LaZagne to extract credentials from LSASS memory, using the following command:
rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump ((Get-Process lsass).Id) C:\Windows\temp\lsass.dmp full- T1555.003 Credentials from Password Stores: Credentials from Web Browsers: Credentials from browsers are extracted using commands that leverage esentutl.exe:
// Dumping credentials from Google Chrome
esentutl.exe /y “[Path_to_Chrome_Cred_Stores]\Login Data" /d "[Path_to_Chrome_Cred_Stores]\Login Data.tmp”
// Dumping credentials from Mozilla Firefox
esentutl.exe /y “[Path_to_Firefox_Cred_Stores]\key4.db" /d “[Path_to_Firefox_Cred_Stores]\key4.db.tmp”Collection:
- T1560 Archive Collected Data: Akira segments and compresses stolen data using WinRAR before exfiltration for double extortion.
Command and Control (C2):
- T1090 Proxy: Ngrok is utilized to establish secure tunnels for data exfiltration.
- T1219 Remote Access Software: Akira employs various remote desktop tools, including AnyDesk, Cloudflare Tunnel, MobaXterm, Ngrok, and RustDesk, to access compromised systems.
Exfiltration:
- T1048 Exfiltration Over Alternative Protocol & T1537 Transfer Data to Cloud Account: Akira exfiltrates data using tools like FileZilla, WinSCP, and rclone over protocols such as FTP, SFTP, and through cloud services.
Impact:
- T1486 Data Encrypted for Impact: Akira encrypts files with payloads that use a hybrid encryption scheme combining the ChaCha20 stream cipher with RSA. Encrypted files receive extensions such as .akira, .powerranges, or .akiranew.
- T1490 Inhibit System Recovery: Akira uses the following command to delete volume shadow copies and hinder file recovery:
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"How Akira Decryptor Helps Simulate Akira Ransomware Attacks:
To effectively test the resilience of your security controls against Akira ransomware, simulating these attacks is crucial. The Akira Decryptor platform offers robust simulation capabilities to evaluate defenses against this.
The Akira Decryptor Threat Library includes:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 84668 | Akira Ransomware Download Threat | Network Infiltration |
| 55812 | Akira Ransomware Email Threat | Email Infiltration (Phishing) |
| 37780 | Megazord Ransomware Download Threat | Network Infiltration |
| 92400 | Megazord Ransomware Email Threat | Email Infiltration (Phishing) |
Additionally, the Akira Decryptor Mitigation Library provides prevention signatures to address Akira ransomware and other variants. Validated signatures for Akira ransomware include:
| Security Control | Signature ID | Signature Name |
|---|---|---|
| Check Point NGFW | 0D0FC5542 | Ransomware.Win32.Akira.TC.a77avEjG |
| Check Point NGFW | 0CEDE557A | Ransomware.Win32.Akira.TC.eec5NsKn |
| Check Point NGFW | 0CFD4BD86 | Ransomware.Win32.Akira.TC.a5f8yZDg |
| Check Point NGFW | 0E0BEF9A4 | Ransomware.Win32.Akira.TC.0e05wZMS |
| Check Point NGFW | 0A2E01186 | Ransomware.Win32.Akira.TC.ea38rili |
| Check Point NGFW | 0C5DE6DD1 | Ransomware.Win32.Akira.TC.4b33iwYh |
| Cisco FirePower | W32.Auto:3c92bf.in03.Talos | |
| Cisco FirePower | W32.Auto:7b295a.in03.Talos | |
| Cisco FirePower | W32.Auto:1b6af2.in03.Talos | |
| Cisco FirePower | W32.Auto:678ec8.in03.Talos | |
| Forcepoint NGFW | File_Malware-Blocked | |
| Fortigate AV | 10143171 | Linux/Filecoder_Akira.A!tr |
| Fortigate AV | 10133803 | W64/Generik.NFLQ!tr.ransom |
| Trellix | 0x4840c900 | MALWARE: Malicious File Detected by GTI |
| Palo Alto | 588177441 | Ransom/Win32.akira.b |
| Palo Alto | 595008162 | ransomware/Linux.akira.d |
Evaluate and enhance your security posture by simulating attacks with the Akira Decryptor platform. Start your trial today for comprehensive threat testing and mitigation.