Severity
High
Analysis Summary
Akira ransomware is a sophisticated cyber threat that first emerged in March 2023 and operates under a Ransomware-as-a-Service (RaaS) model. It allows affiliates to conduct ransomware attacks by encrypting and stealing data from victim organizations. The group behind Akira is believed to have ties to the defunct Conti ransomware gang, based on overlapping techniques, infrastructure, and ransom payment patterns. Akira initially targeted Windows systems with its original C++ variant, but it quickly evolved, releasing a Linux variant in April 2023 aimed at VMware ESXi systems, followed by a Rust-based version called “Megazord” and a more advanced variant known as Akira_v2.
The ransomware has been used to target various sectors including healthcare, education, manufacturing, finance, construction, and legal services. It has been particularly active in North America, Europe, and Australia. Akira’s attack methodology involves exploiting VPN vulnerabilities—particularly those lacking multi-factor authentication—and using tools like Mimikatz, LaZagne, and Advanced IP Scanner for lateral movement and credential harvesting. Once inside a network, it exfiltrates sensitive data before encrypting files using strong encryption methods like ChaCha20 and RSA. Victims are then extorted under the threat of public data leaks unless a ransom—ranging from $200,000 to several million—is paid.
As of early 2024, Akira has affected over 250 organizations and is estimated to have earned more than $42 million in ransom payments. Notable victims include Stanford University, Nissan Australia, Tietoevry, and the Toronto Zoo. Akira’s consistent evolution and aggressive targeting make it a major concern for cybersecurity professionals, emphasizing the need for strong defenses such as multi-factor authentication, timely patching, and comprehensive incident response strategies.
Impact
- Lateral Movement
- Data Exfiltration
- Credential Theft
- Financial Loss
Indicators of Compromise
MD5
39a14bfc65e6f5e13fc2817206a39cad
977452c8332167f83a417b079169ac8a
e72e0069e1fb4328e2704bda97fb4a40
SHA-256
7142bff8d40f56b9e2e8eaf2d626d54ef6533e6d2f29242ecc90c98aef1a6955
3d6c1fdfc04383ddb9a9028fa7181b017978a0d4f910fdfcb3905ed6b4f33418
337d21f964091417f22f35aee35e31d94fc3f35179c36c0304eef6e4ae983292
SHA1
3e300119505125a878f88f3b6d993670cc5e9c3d
37afc2b1ccaeea84b898c727bc242cae29430351
c28ac747eedad47c36e93960dfa19e87e38b6803
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Disconnect infected devices from the internet and local networks immediately to prevent the ransomware from spreading.
- Do not pay the ransom, paying does not guarantee file recovery and may encourage further attacks.
- Use reputable antivirus or anti-malware software to detect and remove the ransomware from your system.
- Restore files from clean backups if available, ensure backups are not connected to the infected network during restoration.
- Update all software, operating systems, and firmware to their latest versions to patch known vulnerabilities.
- Implement network segmentation to limit the spread of ransomware within your organization.
- Conduct regular security audits and vulnerability assessments to identify and address potential security gaps.
- Implement strict user access controls, granting permissions based on the principle of least privilege.
- Develop and regularly update an incident response plan to effectively respond to ransomware attacks.
- Monitor network traffic for unusual activity that may indicate a ransomware infection.
- Regularly back up critical data and store backups offline or in a secure, isolated environment.