Multiple Apple macOS Vulnerabilities
June 9, 2025Mirai Exploits Wazuh API Vulnerability in Latest Malware Campaign – Active IOCs
June 10, 2025Multiple Apple macOS Vulnerabilities
June 9, 2025Mirai Exploits Wazuh API Vulnerability in Latest Malware Campaign – Active IOCs
June 10, 2025Severity
High
Analysis Summary
Akira ransomware is a sophisticated cyber threat that first emerged in March 2023 and operates under a Ransomware-as-a-Service (RaaS) model. It allows affiliates to conduct ransomware attacks by encrypting and stealing data from victim organizations. The group behind Akira is believed to have ties to the defunct Conti ransomware gang, based on overlapping techniques, infrastructure, and ransom payment patterns. Akira initially targeted Windows systems with its original C++ variant, but it quickly evolved, releasing a Linux variant in April 2023 aimed at VMware ESXi systems, followed by a Rust-based version called “Megazord” and a more advanced variant known as Akira_v2.
The ransomware has been used to target various sectors including healthcare, education, manufacturing, finance, construction, and legal services. It has been particularly active in North America, Europe, and Australia. Akira’s attack methodology involves exploiting VPN vulnerabilities—particularly those lacking multi-factor authentication—and using tools like Mimikatz, LaZagne, and Advanced IP Scanner for lateral movement and credential harvesting. Once inside a network, it exfiltrates sensitive data before encrypting files using strong encryption methods like ChaCha20 and RSA. Victims are then extorted under the threat of public data leaks unless a ransom—ranging from $200,000 to several million—is paid.
As of early 2024, Akira has affected over 250 organizations and is estimated to have earned more than $42 million in ransom payments. Notable victims include Stanford University, Nissan Australia, Tietoevry, and the Toronto Zoo. Akira’s consistent evolution and aggressive targeting make it a major concern for cybersecurity professionals, emphasizing the need for strong defenses such as multi-factor authentication, timely patching, and comprehensive incident response strategies.
Impact
- Lateral Movement
- Data Exfiltration
- Credential Theft
- Financial Loss
Indicators of Compromise
MD5
7e4de8af0f2eb3686ab73212edba48f7
30b0a6d84807399bf4ae0da1c9c7bade
603d91d52be2d92e2d67866d06272fb0
5c023f04aa143f5976621009457abeaa
SHA-256
0b5b31af5956158bfbd14f6cbf4f1bca23c5d16a40dbf3758f3289146c565f43
0c8d5f2b94ca60616d0db69f31cf4a651ae816e44ef6f807851601c1a4e52d10
0d700ca5f6cc093de4abba9410480ee7a8870d5e8fe86c9ce103eec3872f225f
0df446a893ef448ee4ef32494f6cdf9b04a4f202583794f75a7a7a9ec25d41cb
SHA1
5bf2adc96db955268326fb5c58796ccfacd3c673
cd9e5a1cca6e9441bfea64fcb7f2811d6d39a602
9d0c956524c0d93a1b215ae37753f05bc18bb343
cb24ec7d0fc444328fac928c7aa1b4d7fe5c2146
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Disconnect infected devices from the internet and local networks immediately to prevent the ransomware from spreading.
- Do not pay the ransom, paying does not guarantee file recovery and may encourage further attacks.
- Use reputable antivirus or anti-malware software to detect and remove the ransomware from your system.
- Restore files from clean backups if available, ensure backups are not connected to the infected network during restoration.
- Update all software, operating systems, and firmware to their latest versions to patch known vulnerabilities.
- Implement network segmentation to limit the spread of ransomware within your organization.
- Conduct regular security audits and vulnerability assessments to identify and address potential security gaps.
- Implement strict user access controls, granting permissions based on the principle of least privilege.
- Develop and regularly update an incident response plan to effectively respond to ransomware attacks.
- Monitor network traffic for unusual activity that may indicate a ransomware infection.
- Regularly back up critical data and store backups offline or in a secure, isolated environment.