Akira ransomware infection routine

A ransomware gang named “Akira” was discovered on the Dark Web this year. Cybersecurity experts have uncovered new technical details about the Akira ransomware, shedding light on the workings of this latest threat to the digital world. Here’s a blog post on the infection routine.

The Akira ransomware utilizes sophisticated techniques, including data exfiltration and encryption, to extort payments from targeted organizations. Its operators are employing double-extortion tactics, threatening to leak sensitive data unless a ransom is paid for decryption.

Technical analysis of Akira ransomware reveals its functionality and methods of operation. The malware, written in Microsoft Visual C/C++ compiler, uses the GetLogicalDriveStrings() API function to obtain a list of logical drives available on the infected system. It then drops ransom notes named “akira_readme.txt” in multiple folders to notify victims of the attack and the subsequent encryption of their data.

To encrypt files and directories, Akira ransomware iterates through them using the FindFirstFileW() and FindNextFileW() API functions. However, it excludes certain file extensions, file names, and folder names from the encryption process to ensure system stability.

The encryption process itself employs the “Microsoft Enhanced RSA and AES Cryptographic Provider” libraries and utilizes functions from CryptoAPI, including CryptAcquireContextW(), CryptImportPublicKeyInfo(), CryptGenRandom(), and CryptEncrypt(). Akira ransomware employs the RSA and AES encryption algorithms, with a fixed hardcoded base64 encoded public key.

After successful encryption, the ransomware renames the encrypted files with the “.akira” extension. Furthermore, it executes a PowerShell command that leverages WMI query to delete shadow copies, thus preventing victims from restoring their systems easily.

The operators behind Akira ransomware employ intimidation tactics, threatening victims with the potential exposure and sale of exfiltrated corporate data. They claim to possess personal information, trade secrets, databases, and source codes, which they threaten to sell on the dark web if the ransom demands are not met. To communicate with victims and initiate negotiations, Akira ransomware provides a ransom note with instructions on how to contact the ransomware gang. The note warns that failure to comply with the demands may result in the public exposure of stolen information through the ransomware group’s blog, accessible via an Onion site.

The Akira ransomware leak site showcases a list of targeted organizations, both those that paid the ransom and those that did not. The leaked data associated with non-compliant organizations is available for download and includes the organization’s name and a brief description.
As organizations implement robust security measures to defend against ransomware attacks, new strains like Akira continue to emerge, adapting their strategies and expanding their operations. It is crucial for businesses to remain vigilant, employ strong cybersecurity practices, and maintain effective backup and recovery mechanisms to mitigate the risks posed by these evolving ransomware threats.

IOC: https://www.salvagedata.com/akira-ransomware/

Stay in the know on Ransomware.live

The most common element of an incident response playbook is a good backup:

87% of organizations have a risk management program that drives their security roadmap or strategy. That said, only 35% believe their program is working well, while 52% are seeking to improve their situation and the remaining 13% do not yet even have an established program.

Regardless of what you call your program or team that is chartered with planning against cyber events and preparing for how the organization will deal with them, the most common elements of the ‘playbook’ in preparation against a cyber attack are:

Clean backup copies, which one might presume includes data that is ‘survivable’ against attacks and does not include malicious code,
Recurring verification that the backups are recoverable.

45% of production data was affected by a cyber attack:

This is unfortunately consistent with last year’s 47% affected statistic, with no reason to assume future attacks won’t result in a similar catastrophic amount of data loss or impact.

On average, organizations stated that 45% of their production data was affected by the cyber attack. In looking at the extremes, 25% had a small portion (<20%) of their data affected, while 14% had nearly all (>80%) of their data affected by the attack.

Unfortunately, only 66% of the affected data was recoverable. This calculates that 15% of the organizations’ production data was unrecoverably lost.

As an aside, cyber victims were also asked of their confidence before and after the attack.

In hindsight, only 59% considered themselves ‘prepared’ — and even then, the results did not vary greatly on how impactful the attack was.

Cartels were able to affect the backup repositories in 75% of attacks:

Said another way, one in four organizations had backups to restore from, which is down from last year when one in three organizations had survivable backups.

In fact, bad actors targeted the backup repositories in at least 93% of attacks in 2022, nearly identical to the 94% of repositories that were targeted in 2021. The respondents who stated that “some,” “most” or “all” of their repositories were affected, reveal that on average, 39% of backup repositories were affected.

Secure Backup is your last line of defense:

Defense-in-depth – target to hit:

First, respect this rule: 3-2-1-1-0 (with Trusted Immutability, one Offline Backup, and Backup Verification).

Second, protecting your Backup Server and integrating Trusted Repository Storage, Offline Backup (Tape, example: Quantum Active Vault) or Dell EMC Cyber Recovery (air-gapped backup through a sanctuary), or Immutable (Immutable Backup feature, Retention Time Lock with ExaGrid, Retention Lock with Dell EMC DataDomain, Snapshot feature in Quantum’s DXi appliance, HPE StoreOnce with Data Immutability, Object Lock with Object Storage solution such as Dell EMC ECS or DataCore SWARM, or Wasabi, etc.), Hardening (server, storage, OS..). Enabling snapshot protection such as Pure Storage Safe Mode or Dell EMC Secure Snap. Maintaining developed protocols of access rights hierarchy, Zero Trust, network security (segmentation, VLAN dedicated for Backup components), Backup environment not integrated into the domain (100% of attacks exploits a weakness of the Active Directory), and password hygiene, take care of your Local Accounts & segment your passwords into different Passwords Management tools (especially local accounts and CISO/Security Officer accounts). Enabling double-authentication on the management interface (storage hardware, appliances, etc.). Never leave your Password Management tool open on your workstation, and never store it on the Filer Servers. Protect your NTP. Anonymizing the name of backup servers and repositories – and the name of service accounts, creating a HoneyPot backup environment, creating fake backup services accounts without permissions (svc_backup and with all backup vendors) then monitoring them with AD alerting in real-time solution (such as Netwrix, Varonis, Tenable.AD), as well as systemic network monitoring aimed at spotting abnormal network behavior may significantly reduce the chances of Pay successfully removing backups. Secure backup solutions and mitigations listed will enable any possible victims to leave Pay without their demanded ransom money. Keep in mind backup is a building block of the cybersecurity ecosystem.

It is still worth trying to check more backup files, but it’s only about the time needed for getting the headers and checking them with a chance something can be restored from there, and time that can be used to rebuild that infrastructure.

You can get headers of multiple files, Backup solution vendor can check all of them.

How to recover? First 48 hours crucial:

-CERT or INSURER: Get experts on the phone fast to assess what should be considered,

-Forensics Expert: Assessing the damage caused by a third party and if the attacker is still in the infrastructure,

-Law Enforcement: Make sure the correct law enforcement bodies have been notified,

Monaco Digital

Monaco Cyber Securité

Veeam User Group Day in Monaco: Blog Post
2023 Ransomware Trends Report
Critical FortiOS & FortiProxy – Heap buffer overflow Vulnerability: Blog Post
Critical FortiOS and FortiProxy Vulnerability – FG-IR-23-001: Blog PostImportant Vulnerability in VMware ESXi: Blog Post
The core function of a SOC: Blog Post
Play ransomware infection routine: Blog Post
Identify a piece of malware with Yara: Blog Post
New Veeam v12 Platform Overview: Blog Post
OpenSSL patch (v3.0.7) for Vulnerability 2022: Blog Post
Building a SOC: Blog Post
List of vendors and software affected by the OpenSSL vulnerability: Blog Post
Critical OpenSSL Vulnerability version 3.0: Blog Post
Veeam v12 Linux Without SSH And SUDO: Blog PostHardened Repository in Veeam v12: Blog Post
Wasabi Object Storage Usage with Veeam B&R v12: Blog Post
VeeaMover in v12: Blog Post
Ransomware & Cybersecurity with Veeam v12: Blog Post
Why backup directly to Object Storage? Blog Post
Veeam B&R v12 New Features Overview: Blog Post
[REPLAY] Webinar Veeam v12 and Wasabi: Replay
Protect your data with Veeam and Wasabi: Blog post
Wasabi – Object Lock feature spotlight: Blog post
Veeam and the S3-compatible object storage solutions: Blog Post
[PODCAST] VeeamUser Group France #1: Record
Conti initiates their attacks on Backup: Blog Post
Backup with Trusted Repository Storage: Blog Post.
Protect your Backup against Ransomware: Blog Post