Severity
High
Analysis Summary
Akira ransomware is a sophisticated cyber threat that first emerged in March 2023 and operates under a Ransomware-as-a-Service (RaaS) model. It allows affiliates to conduct ransomware attacks by encrypting and stealing data from victim organizations. The group behind Akira is believed to have ties to the defunct Conti ransomware gang, based on overlapping techniques, infrastructure, and ransom payment patterns. Akira initially targeted Windows systems with its original C++ variant, but it quickly evolved, releasing a Linux variant in April 2023 aimed at VMware ESXi systems, followed by a Rust-based version called “Megazord” and a more advanced variant known as Akira_v2.
The ransomware has been used to target various sectors including healthcare, education, manufacturing, finance, construction, and legal services. It has been particularly active in North America, Europe, and Australia. Akira’s attack methodology involves exploiting VPN vulnerabilities—particularly those lacking multi-factor authentication—and using tools like Mimikatz, LaZagne, and Advanced IP Scanner for lateral movement and credential harvesting. Once inside a network, it exfiltrates sensitive data before encrypting files using strong encryption methods like ChaCha20 and RSA. Victims are then extorted under the threat of public data leaks unless a ransom—ranging from $200,000 to several million—is paid.
As of early 2024, Akira has affected over 250 organizations and is estimated to have earned more than $42 million in ransom payments. Notable victims include Stanford University, Nissan Australia, Tietoevry, and the Toronto Zoo. Akira’s consistent evolution and aggressive targeting make it a major concern for cybersecurity professionals, emphasizing the need for strong defenses such as multi-factor authentication, timely patching, and comprehensive incident response strategies.
Impact
- Lateral Movement
- Data Exfiltration
- Credential Theft
- Financial Loss
Indicators of Compromise
MD5
1d895cf4391b817e54fb9ec9d8e65f7e
03b9887dee2c3c825b6a6c0df1d104ad
4d79fb750955ec8702cb79cfdb36e66b
SHA-256
68fe419e4826b697016a1318f6689492cc0274531c4b82fed32dbc542b15a867
34c843387845479329052ec7a71f6445c7530b6fee2eabb458da2338d1af41e4
5c6cce76a28898a242265b4eb3a3b14558dfb9a67319cfe0ac0bd175addb5b9a
SHA1
4fb90cbf26a97967ee01a0bbe8462d2f51c09c68
8871083f127acfac08f192161fbec87339c5fccf
37b394f838165357d09356bd17d5088bdbb7289c
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Disconnect infected devices from the internet and local networks immediately to prevent the ransomware from spreading.
- Do not pay the ransom, paying does not guarantee file recovery and may encourage further attacks.
- Use reputable antivirus or anti-malware software to detect and remove the ransomware from your system.
- Restore files from clean backups if available, ensure backups are not connected to the infected network during restoration.
- Update all software, operating systems, and firmware to their latest versions to patch known vulnerabilities.
- Implement network segmentation to limit the spread of ransomware within your organization.
- Conduct regular security audits and vulnerability assessments to identify and address potential security gaps.
- Implement strict user access controls, granting permissions based on the principle of least privilege.
- Develop and regularly update an incident response plan to effectively respond to ransomware attacks.
- Monitor network traffic for unusual activity that may indicate a ransomware infection.
- Regularly back up critical data and store backups offline or in a secure, isolated environment.