Gafgyt aka Bashlite Malware – Active IOCs
April 22, 2025
Severity
High
Analysis Summary
Akira ransomware is a sophisticated cyber threat that first emerged in March 2023 and operates under a Ransomware-as-a-Service (RaaS) model. It allows affiliates to conduct ransomware attacks by encrypting and stealing data from victim organizations. The group behind Akira is believed to have ties to the defunct Conti ransomware gang, based on overlapping techniques, infrastructure, and ransom payment patterns. Akira initially targeted Windows systems with its original C++ variant, but it quickly evolved, releasing a Linux variant in April 2023 aimed at VMware ESXi systems, followed by a Rust-based version called “Megazord” and a more advanced variant known as Akira_v2.
The ransomware has been used to target various sectors including healthcare, education, manufacturing, finance, construction, and legal services. It has been particularly active in North America, Europe, and Australia. Akira’s attack methodology involves exploiting VPN vulnerabilities—particularly those lacking multi-factor authentication—and using tools like Mimikatz, LaZagne, and Advanced IP Scanner for lateral movement and credential harvesting. Once inside a network, it exfiltrates sensitive data before encrypting files using strong encryption methods like ChaCha20 and RSA. Victims are then extorted under the threat of public data leaks unless a ransom—ranging from $200,000 to several million—is paid.
As of early 2024, Akira has affected over 250 organizations and is estimated to have earned more than $42 million in ransom payments. Notable victims include Stanford University, Nissan Australia, Tietoevry, and the Toronto Zoo. Akira’s consistent evolution and aggressive targeting make it a major concern for cybersecurity professionals, emphasizing the need for strong defenses such as multi-factor authentication, timely patching, and comprehensive incident response strategies.
Impact
- Lateral Movement
- Data Exfiltration
- Credential Theft
- Financial Loss
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Disconnect infected devices from the internet and local networks immediately to prevent the ransomware from spreading.
- Do not pay the ransom; paying does not guarantee file recovery and may encourage further attacks.
- Use reputable antivirus or anti-malware software to detect and remove the ransomware from your system.
- Restore files from clean backups if available, and ensure the backups are not connected to the infected network during restoration.
- Update all software, operating systems, and firmware to their latest versions to patch known vulnerabilities.
- Implement network segmentation to limit the spread of ransomware within your organization.
- Conduct regular security audits and vulnerability assessments to identify and address potential security gaps.
- Implement strict user access controls, granting permissions based on the principle of least privilege.
- Develop and regularly update an incident response plan to effectively respond to ransomware attacks.
- Monitor network traffic for unusual activity that may indicate a ransomware infection.
- Regularly back up critical data and store backups offline or in a secure, isolated environment.