blog.qualys.com
35.230.125.173
Public Scan
URL:
https://blog.qualys.com/vulnerabilities-threat-research/2024/10/02/threat-brief-understanding-akira-ransomware
Submission: On October 09 via api from IN — Scanned from IT
Form analysis
2 forms found in the DOM
POST https://blog.qualys.com/wp-comments-post.php?wpe-comment-post=qualysblog
<form action="https://blog.qualys.com/wp-comments-post.php?wpe-comment-post=qualysblog" method="post" id="commentform" class="comment-form">
<p class="comment-notes"><span id="email-notes">Your email address will not be published.</span> <span class="required-field-message">Required fields are marked <span class="required">*</span></span></p>
<p class="comment-form-comment"><label for="comment">Comment</label><textarea id="comment" name="comment" cols="45" rows="6" minlength="10" placeholder="Share your thoughts" aria-required="true" required=""></textarea></p>
<div class="field-wrapper">
<p class="comment-form-author"><label for="author">Name</label><input id="author" name="author" type="text" placeholder="Name" value="" size="20" minlength="4" required=""></p>
<p class="comment-form-email"><label for="email">Email</label><input id="email" name="email" type="email" placeholder="Email" value="" size="30" required=""></p>
</div>
<p class="comment-form-cookies-consent"><input id="wp-comment-cookies-consent" name="wp-comment-cookies-consent" type="checkbox" value="yes"> <label for="wp-comment-cookies-consent">Save my name, email, and website in this browser for the next time
I comment.</label></p>
<p class="form-submit"><input name="submit" type="submit" id="submit" class="submit" value="POST"> <input type="hidden" name="comment_post_ID" value="36412" id="comment_post_ID">
<input type="hidden" name="comment_parent" id="comment_parent" value="0">
</p>
<p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="8f6a65f020"></p><input type="hidden" id="ct_checkjs_32b30a250abd6331e03a2a1f16466346" name="ct_checkjs" value="854003054">
<script>
setTimeout(function() {
var ct_input_name = "ct_checkjs_32b30a250abd6331e03a2a1f16466346";
if (document.getElementById(ct_input_name) !== null) {
var ct_input_value = document.getElementById(ct_input_name).value;
document.getElementById(ct_input_name).value = document.getElementById(ct_input_name).value.replace(ct_input_value, '854003054');
}
}, 1000);
</script>
<p style="display: none !important;" class="akismet-fields-container" data-prefix="ak_"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_1" name="ak_js"
value="1728487142210">
<script>
document.getElementById("ak_js_1").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
<form id="jp-carousel-comment-form">
<label for="jp-carousel-comment-form-comment-field" class="screen-reader-text">Write a Comment...</label>
<textarea name="comment" class="jp-carousel-comment-form-field jp-carousel-comment-form-textarea" id="jp-carousel-comment-form-comment-field" placeholder="Write a Comment..."></textarea>
<div id="jp-carousel-comment-form-submit-and-info-wrapper">
<div id="jp-carousel-comment-form-commenting-as">
<fieldset>
<label for="jp-carousel-comment-form-email-field">Email (Required)</label>
<input type="text" name="email" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-email-field">
</fieldset>
<fieldset>
<label for="jp-carousel-comment-form-author-field">Name (Required)</label>
<input type="text" name="author" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-author-field">
</fieldset>
<fieldset>
<label for="jp-carousel-comment-form-url-field">Website</label>
<input type="text" name="url" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-url-field">
</fieldset>
</div>
<input type="submit" name="submit" class="jp-carousel-comment-form-button" id="jp-carousel-comment-form-button-submit" value="Post Comment">
</div>
</form>
Text Content
THREAT BRIEF: UNDERSTANDING AKIRA RANSOMWARE
Akshat Pradhan, Senior Engineer, Threat Research, Qualys
October 2, 2024 - 5 min read

TABLE OF CONTENTS
* Overview
* Technique Tactics & Procedures
* Sample Analysis
* Detections & Threat Hunting
* Conclusion
* MITRE ATT&CK Techniques
* Indicators of Compromise

OVERVIEW

Akira is a prolific ransomware that has been operating since March 2023 and has targeted multiple industries, primarily in North America, the UK, and Australia. It functions as Ransomware as a Service (RaaS) and exfiltrates data prior to encryption, achieving double extortion. According to the group's leak site, they have infected over 196 organizations.

Fig.1 Akira TOR leak site.

When looking at the history of Akira, one must go back to the Conti group. Conti suffered a massive leak in March 2022 that divulged its source code, chat logs, playbooks, and storage servers, and the group ceased operations in May 2022. Many of its members and affiliates later resurfaced under distinct brands such as Black Basta, BlackByte, and Karakurt. Akira is another such ransomware: it not only has code overlap with Conti but has also had operators who mingled funds with Conti-affiliated wallet addresses. This shows a clear overlap between Conti and Akira.

TECHNIQUE TACTICS & PROCEDURES

The TTPs used by actors associated with RaaS are similar, and Akira is no different.

Fig.2 Campaign flow of a typical Akira attack.

A typical campaign starts when Akira affiliates use compromised credentials or vulnerabilities to gain initial access to a victim's environment.

Initial Access | Compromised credentials, likely purchased from initial access brokers, for entry points that did not use MFA. Exploitation of vulnerabilities such as CVE-2021-21972, CVE-2019-6693, CVE-2022-40684 and CVE-2023-20269.

They then generally perform reconnaissance by gathering details from Active Directory and scanning the network to identify machines for lateral movement.

Discovery | Get-ADUser, Get-ADComputer; AdFind; SoftPerfect Network Scanner (netscan.exe); PCHunter; Advanced IP Scanner; SharpHound; MASScan; reconftw

The actors have also been observed using several different tools and persistence techniques to expand and maintain their access.

Command & Control | RSAT-AD; SystemBC; NetCat; AnyDesk; Radmin; Cloudflare Tunnel; MobaXterm; Ngrok; RustDesk; SSH
Persistence | Scheduled tasks; newly created accounts; compromised valid accounts

Credentials are dumped via the following tools and methods.

Credential Access | comsvcs.dll dumping LSASS; Mimikatz; LaZagne; NTDS dump

Lateral movement is achieved via RDP with valid accounts or via remote shares.

Lateral Movement | RDP; network shares; PsExec

Akira affiliates have used several interesting methods to bypass defenses.

Defense Evasion | Disabling Windows Defender and adding exclusions; UserList registry modification to hide accounts on the login screen; DisableRestrictedAdmin registry modification to allow login without credentials; Terminator used to perform BYOVD attacks to disable security products; creation of a new VM to hide adversary behavior

They then collect files, archive them, and exfiltrate them. This data is leaked on Akira's TOR site if the victims do not pay.

Exfiltration | WinSCP; FileZilla; Rclone

System backups are also destroyed prior to data encryption.

Impact | Veeam backups deleted; shadow copies deleted; data encrypted

SAMPLE ANALYSIS

MD5: e57340a208ac9d95a1f015a5d6d98b94

Qualys's TRU recently acquired a new Akira sample that has been active in the wild. We will focus on some interesting aspects of this sample.

The ransomware creates a log file of its execution whose name has the format Log-date-month-year-hour-minute-second.txt.

Fig.3 Log file excerpt.

Akira takes several command line arguments that define its behavior.

Argument | Description
--encryption_path, -p | Targeted path for encryption.
--share_file, -s | Targeted network drive for encryption.
-n, --encryption_percent | Defines how much of the victim's files will be encrypted.
-localonly | Only target local files.
-e, --exclude | Files to exclude from encryption.
-l | Display log file.

Fig.4 Akira command line argument parsing.

Akira deletes shadow copies by running the command:

powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"

Akira uses the Windows Restart Manager APIs to kill processes in order to free up targeted files for encryption.

Fig.5 Enumerated process terminated via Restart Manager APIs.

Like Conti, Akira also uses the ChaCha algorithm for file encryption. Another interesting detail is that the ransom notes contain a code that victims use to log in to Akira's chat messenger.

Fig.6 Ransom note.

DETECTIONS & THREAT HUNTING

Qualys's EDR & EPP offering provides comprehensive coverage against advanced threats. Akira is detected and quarantined as soon as it is downloaded onto the victim's machine.

Fig.7 Akira quarantined.

Qualys also provides advanced ransomware protection that prevents encryption of personal or sensitive files by automatically creating backup files that are restored after the malware is blocked.

Fig.8 Ransomware Protection.

Qualys's EDR also has several behavioral detections to identify such threats. Existing customers can use the following Threat Hunting QQLs to search their environment for Akira TTPs.

Description | Query
PowerShell deleting shadow copies. | mitre.attack.technique.id:"T1490" and process.name:"PowerShell.exe" and process.arguments:"Win32_Shadowcopy"
All T1490 tagged events in the last 7 days. | mitre.attack.technique.id:"T1490" and event.dateTime:[now-7d .. now-1s]
All T1486 tagged events in the last 7 days. | mitre.attack.technique.id:"T1486" and event.dateTime:[now-7d .. now-1s]
Remote access tool activity in the last 3 days. | mitre.attack.technique.name:"Remote Access Software" and event.dateTime:[now-3d .. now-1s]
New user creation via net. | process.name:"net.exe" and process.arguments:"user" and process.arguments:["/dom","/add"]

CONCLUSION

RaaS has emerged as a significant threat in the landscape because it enables even low-skilled actors to deploy highly sophisticated ransomware attacks. Akira continues to steadily claim more victims as it spreads. Organizations should secure their perimeter with defenses like multi-factor authentication (MFA) and rely on an EDR product to protect against such threats on the endpoint.

MITRE ATT&CK TECHNIQUES

Technique | ID
Exploit Public-Facing Application | T1190
External Remote Services | T1133
Valid Accounts | T1078
File and Directory Discovery | T1083
Remote System Discovery | T1018
System Information Discovery | T1082
Hide Artifacts: Hidden Users | T1564.002
Hide Artifacts: Run Virtual Instance | T1564.006
Remote Services: Remote Desktop Protocol | T1021.001
OS Credential Dumping | T1003
Archive Collected Data | T1560
Remote Access Software | T1219
Automated Exfiltration | T1020
Data Encrypted for Impact | T1486
Defacement: Internal Defacement | T1491.001

INDICATORS OF COMPROMISE

Name | Indicator
Akira | e57340a208ac9d95a1f015a5d6d98b94
Akira | e8139b0bc60a930586cf3af6fa5ea573
Akira | a1f4931992bf05e9bff4b173c15cab15
Akira | 08bd63480cd313d2e219448ac28f72cd
Akira | 4aecef9ddc8d07b82a6902b27f051f34
Akira | ab9e577334aeb060ac402598098e13b9
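The threat-hunting QQLs above only run inside Qualys EDR. As an added example that is not part of the original post, the same hunting logic, plus a match on the Akira command-line switches and log file name format from the sample analysis, is expressed as standalone Python over constructed process events. The event keys, the binary name w.exe, the digit layout assumed for the log file name, and the two-short-switch threshold are assumptions, not details from the post.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample process events (not from the post); keys mirror the
# process.name / process.arguments / event.dateTime fields used in the QQL table.
NOW = datetime(2024, 10, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"name": "powershell.exe", "time": NOW - timedelta(hours=1),
     "args": '-Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    {"name": "w.exe", "time": NOW - timedelta(hours=1),          # hypothetical binary name
     "args": "-p C:\\Users --encryption_percent 30 -localonly"},
    {"name": "net.exe", "time": NOW - timedelta(days=2),
     "args": "user backupsvc P@ssw0rd /add /dom"},
    {"name": "powershell.exe", "time": NOW - timedelta(days=1), "args": "Get-Process"},
    {"name": "net.exe", "time": NOW - timedelta(days=9),          # outside the 7-day window
     "args": "user backupsvc /add /dom"},
]

# Akira command-line switches from the argument table in the post. The short
# forms are common elsewhere, so one short switch on its own does not fire.
AKIRA_LONG = {"--encryption_path", "--share_file", "--encryption_percent", "--exclude", "-localonly"}
AKIRA_SHORT = {"-p", "-s", "-n", "-e", "-l"}
# Assumed digit layout for the post's "Log-date-month-year-hour-minute-second.txt".
AKIRA_LOG_RE = re.compile(r"^Log-\d{1,2}-\d{1,2}-\d{4}-\d{1,2}-\d{1,2}-\d{1,2}\.txt$")


def is_akira_log_name(filename):
    return AKIRA_LOG_RE.match(filename) is not None


def hunt(events, now=NOW, window_days=7):
    """Return (description, technique_id, event) hits for events inside the window."""
    cutoff = now - timedelta(days=window_days)   # event.dateTime:[now-7d .. now-1s]
    hits = []
    for ev in events:
        if not (cutoff <= ev["time"] < now):
            continue
        name = ev["name"].lower()
        tokens = ev["args"].split()
        lowered = [t.lower() for t in tokens]
        # Rule 1 (from the QQL table): PowerShell touching Win32_Shadowcopy -> T1490.
        if name == "powershell.exe" and "win32_shadowcopy" in ev["args"].lower():
            hits.append(("PowerShell deleting shadow copies", "T1490", ev))
        # Rule 2 (from the QQL table): net.exe user ... /add together with /dom.
        if name == "net.exe" and "user" in lowered and "/add" in lowered and "/dom" in lowered:
            hits.append(("New user creation via net", None, ev))
        # Rule 3 (derived from the argument table): Akira-style encryptor command line -> T1486.
        if any(t in AKIRA_LONG for t in tokens) or sum(t in AKIRA_SHORT for t in tokens) >= 2:
            hits.append(("Akira encryptor command line", "T1486", ev))
    return hits
```

Rule 3 is the only one not lifted from the post's QQL table; tune the short-switch threshold against your own baseline of legitimate command lines before relying on it.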
Written by Akshat Pradhan, Senior Engineer, Threat Research, Qualys. Write to Akshat at apradhan@qualys.com