Executive Summary

Since April 2023, Arete’s Incident Response (IR) team has responded to more than one hundred incidents attributed to the Akira ransomware group. Akira is a prolific threat and quickly established itself as one of the most active ransomware groups alongside ALPHV/BlackCat and LockBit in 2023. In 2024, Akira benefited from law enforcement actions that disrupted LockBit and ALPHV/BlackCat’s operations and has continued to be one of the most active threat actor groups.

This spotlight explores the ransomware group’s observed behavior, background information on the threat actor, and statistics from Incident Response engagements, along with a technical analysis of Akira’s ransomware executable. Finally, we discuss security recommendations to better defend against this evolving cyber threat and mitigate the risk of financial and reputational losses.

Incident Response Data on the Akira Ransomware Group

The information below is based on engagements involving Akira ransomware 
investigated by Arete since April 2023. Our IR, Threat Intelligence, and 
Data Analytics teams work together to analyze key data points during every 
ransomware engagement and form real-time threat actor (TA) insights.
 
- Targeted sectors include healthcare, hospitality, manufacturing, public and 
  financial services, and professional services.

- The median initial demand is $500,000.

- The median ransom payment facilitated is $150,000.

- Tools observed during investigations include SystemBC, Cobalt Strike, Rclone,
  Filezilla, WinSCP, AnyDesk, PuTTY, SoftPerfect Network Scanner (netscan), 
  Advanced IP Scanner, and Angry IP Scanner.

- Over the last six months, 43% of engagements involved data exfiltration.

- Depending on the variant, Akira encrypts and appends an “.akira”, “.powerranges”, 
  or “.akiranew” extension to encrypted files.

- The ransom note file name is commonly “akira_readme.txt” or “powerranges.txt” and 
  includes a password-protected Tor site for negotiations and communication with 
  victims.

- The group operates a data leak site (DLS) self-proclaimed as “AKIRA” and commonly 
  threatens victims with releasing stolen data as a pressure tactic if a payment is 
  not made.

- Akira will delete Windows Shadow Volume Copies using Powershell and utilize 
  Windows’ Restart Manager to exit processes and services that could potentially 
  prevent encryption

The information below is based on engagements involving Akira ransomware 
investigated by Arete since April 2023. Our IR, Threat Intelligence, and 
Data Analytics teams work together to analyze key data points during every 
ransomware engagement and form real-time threat actor (TA) insights.
 
- Targeted sectors include healthcare, hospitality, manufacturing, public and 
  financial services, and professional services.

- The median initial demand is $500,000.

- The median ransom payment facilitated is $150,000.

- Tools observed during investigations include SystemBC, Cobalt Strike, Rclone,
  Filezilla, WinSCP, AnyDesk, PuTTY, SoftPerfect Network Scanner (netscan), 
  Advanced IP Scanner, and Angry IP Scanner.

- Over the last six months, 43% of engagements involved data exfiltration.

- Depending on the variant, Akira encrypts and appends an “.akira”, “.powerranges”, 
  or “.akiranew” extension to encrypted files.

- The ransom note file name is commonly “akira_readme.txt” or “powerranges.txt” and 
  includes a password-protected Tor site for negotiations and communication with 
  victims.

- The group operates a data leak site (DLS) self-proclaimed as “AKIRA” and commonly 
  threatens victims with releasing stolen data as a pressure tactic if a payment is 
  not made.

- Akira will delete Windows Shadow Volume Copies using Powershell and utilize 
  Windows’ Restart Manager to exit processes and services that could potentially 
  prevent encryption

The information below is based on engagements involving Akira ransomware 
investigated by Arete since April 2023. Our IR, Threat Intelligence, and 
Data Analytics teams work together to analyze key data points during every 
ransomware engagement and form real-time threat actor (TA) insights.
 
- Targeted sectors include healthcare, hospitality, manufacturing, public and 
  financial services, and professional services.

- The median initial demand is $500,000.

- The median ransom payment facilitated is $150,000.

- Tools observed during investigations include SystemBC, Cobalt Strike, Rclone,
  Filezilla, WinSCP, AnyDesk, PuTTY, SoftPerfect Network Scanner (netscan), 
  Advanced IP Scanner, and Angry IP Scanner.

- Over the last six months, 43% of engagements involved data exfiltration.

- Depending on the variant, Akira encrypts and appends an “.akira”, “.powerranges”, 
  or “.akiranew” extension to encrypted files.

- The ransom note file name is commonly “akira_readme.txt” or “powerranges.txt” and 
  includes a password-protected Tor site for negotiations and communication with 
  victims.

- The group operates a data leak site (DLS) self-proclaimed as “AKIRA” and commonly 
  threatens victims with releasing stolen data as a pressure tactic if a payment is 
  not made.

- Akira will delete Windows Shadow Volume Copies using Powershell and utilize 
  Windows’ Restart Manager to exit processes and services that could potentially 
  prevent encryption

Background

Akira has evolved into a notable ransomware operation and was among the top variants observed by Arete in the first half of 2024.

Source: Arete's H1 2024 Crimeware Report

Akira targets a broad range of organizations throughout North America, including Canada, and swiftly lists victims on its data leak site. Targeted sectors include healthcare, hospitality, manufacturing, public and financial services, and professional services. The group maintains Windows and Linux versions of its ransomware and uses virtual private network (VPN) appliances as an initial access vector in 50% of attacks.

Megazord, a variant of Akira, demonstrates the evolution of the group’s ransomware. Introduced around August 2023, this variant is unique due to its Rust-based code, which is a departure from the C++ code of the original Akira ransomware. The Megazord variant also includes different command line arguments and encrypts files with a “.powerranges” extension, which are differentiating attributes.

Technical Analysis

 Malware analysis of one of the Windows-based variants revealed that Akira ransomware:

• Supports multiple command-line arguments.

• Encrypts files on the system and mounted shares.

• Adds the following extension to encrypted files (variant dependent): .akira (e.g., file.docx.akira).

• Creates a ransom note with the following filename (variant dependent): akira_readme.txt.

• References a data leak site in the ransom note that, when accessed, self-identifies the group as AKIRA.

• Kills a list of processes and services.

• Maintains a list of whitelisted files and directories to ensure it will not render the system unusable, preventing recovery when running a decryptor.

• Attempts to prevent system recovery by deleting the system’s volume shadow copies.

• Creates a log file with a name based on the date and time: Log-%d-%m-%Y-%H-%M-%S (e.g., Log-19-09-2024-09-21-20.txt).

Execution Pattern/Arguments

Akira ransomware does not need a command line argument to execute and encrypt files in the system. However, Akira supports the following command line arguments:

Megazord variant:

Examples of how the supported arguments are used:

Figure 1. Code in the ransomware written to read command line arguments

Stop Services and Processes

Before file encryption, the ransomware terminates a pre-determined list of processes and services to encrypt as many files as possible. Akira ransomware contains a list of processes it will exclude during process termination, listed below:

Process names:

File and Directory Exclusions

The ransomware excludes system-related files and folders, ransomware-related files, and whitelisted extensions during encryption.

Excluded file extensions:

Excluded directories:

Inhibit System Recovery

Windows operating systems contain features that can help fix corrupted system files, including shadow copies, which are backups of files created by the Volume Shadow Copy Service (VSS). By deleting shadow copies, the ransomware can prevent victims from restoring files from backups, making it more difficult for them to recover their data without paying the ransom.

The ransomware deletes volume shadow copies before file encryption by starting the following Powershell process and executing the command:

Network Share Discovery

Akira ransomware can enumerate network-mounted shares by scanning the network interfaces. If any are found, it will attempt to encrypt them, as shown below.

Figure 2. Share drive encrypted

Data Encrypted for Impact

The ransomware initially finds available drives and then loads the files one by one using the Windows API FindFirstFileW and FindNextFileW. The ransomware generates random AES keys to encrypt the files, and after encrypting them, the keys are encrypted using a public RSA key. The resulting key is again encrypted and placed at the end of the file.

Figure 3. Data encryption code

Figure 4. Extension added to the encrypted files

Figure 5. Encrypted files

During execution, the ransomware creates a log file in the working directory where the file is executed from. The log file is named based on the date and time of execution using the following string format: Log-%d-%m-%Y-%H-%M-%S. For example, during execution, the following log file with the name was created: Log-19-09-2024-09-21-20.txt.

Figure 6. Log file created by Akira

Figure 7. Portion of the log file

Figure 8. Log file name string format in the code

Upon successful execution, the ransomware creates ransom notes with the file name akira_readme.txt. The Megazord variant creates ransom notes with the same content, but the file name is powerranges.txt.

Figure 9. Akira ransom note

Ransom note content:

Modify Registry

The Windows registry is a database that stores configuration settings and values for the Windows operating system. It manages user preferences, installed software, system configurations, and more. Malware abuses the Windows registry to maintain persistence, hide its presence, disable security settings, and launch malicious scripts. Akira did not perform any registry key modification.

Mutex

The mutex is the fundamental tool for managing shared resources between multiple threads or processes. Typically, ransomware uses a mutex to avoid reinfecting the victim system and causing multiple layers of encryption. The ransomware did not create a mutex during execution.

Network Activity

The ransomware did not try to communicate with a remote server other than encrypting data from mounted shares.

Indicators of Compromise

Data Leak Site

The ransom note contains a data leak site (DLS) that, when accessed, displayed the following page, self-identifying the group as Akira:

Figure 10. Tor DLS

Tor Chat Site

The ransom note contains a Tor chat site and a unique code used to log into the chat. The Tor chat site displayed the following page:

Figure 11. Tor chat site

Detection Mechanisms

Custom Detections and Blocking with Arete Bloktd℠

SentinelOne S1QL 1.0 query syntax (STAR rule):
Volume Shadow Copy Deletion

Akira Ransomware

EndpointOS = "windows" AND ((ObjectType = "process" AND CmdLine In Contains Anycase (
".\ProgramData\w.exe", ":\w.exe", ":\ProgramData\win.exe", ":\programdata\lck.exe", 
":\ProgramData\dllhost32.exe", ":\ProgramData\hpupdate.exe")) 
OR (ObjectType = "file" AND (EventType In ("File Creation", "File Scan") AND 
(TgtFilePath In Contains Anycase (":\ProgramData\w.exe", ":\w.exe", ":\ProgramData\win.exe", 
":\programdata\lck.exe", ":\ProgramData\dllhost32.exe", ":\ProgramData\hpupdate.exe", 
":\akira_readme.txt", ":\powerranges.txt", "akiranew.txt") OR TgtFilePath RegExp 
"\\Log-[0-9]{2}-[0-9]{2}-20[0-9]{2}-[0-9]{2}-[0-9]{2}\.

EndpointOS = "windows" AND ((ObjectType = "process" AND CmdLine In Contains Anycase (
".\ProgramData\w.exe", ":\w.exe", ":\ProgramData\win.exe", ":\programdata\lck.exe", 
":\ProgramData\dllhost32.exe", ":\ProgramData\hpupdate.exe")) 
OR (ObjectType = "file" AND (EventType In ("File Creation", "File Scan") AND 
(TgtFilePath In Contains Anycase (":\ProgramData\w.exe", ":\w.exe", ":\ProgramData\win.exe", 
":\programdata\lck.exe", ":\ProgramData\dllhost32.exe", ":\ProgramData\hpupdate.exe", 
":\akira_readme.txt", ":\powerranges.txt", "akiranew.txt") OR TgtFilePath RegExp 
"\\Log-[0-9]{2}-[0-9]{2}-20[0-9]{2}-[0-9]{2}-[0-9]{2}\.

EndpointOS = "windows" AND ((ObjectType = "process" AND CmdLine In Contains Anycase (
".\ProgramData\w.exe", ":\w.exe", ":\ProgramData\win.exe", ":\programdata\lck.exe", 
":\ProgramData\dllhost32.exe", ":\ProgramData\hpupdate.exe")) 
OR (ObjectType = "file" AND (EventType In ("File Creation", "File Scan") AND 
(TgtFilePath In Contains Anycase (":\ProgramData\w.exe", ":\w.exe", ":\ProgramData\win.exe", 
":\programdata\lck.exe", ":\ProgramData\dllhost32.exe", ":\ProgramData\hpupdate.exe", 
":\akira_readme.txt", ":\powerranges.txt", "akiranew.txt") OR TgtFilePath RegExp 
"\\Log-[0-9]{2}-[0-9]{2}-20[0-9]{2}-[0-9]{2}-[0-9]{2}\.

Note: These threat hunting queries may need to be tuned for your specific network environment.

Yara

rule Akira_ransomware_executable
{
    meta:
        author = "areteir.com"
        description = "Detects the Akira ransomware executable"
        target = "Windows systems"
        file_type = "exe"
        copyright = "Copyright © 2024 by Arete Advisors, LLC."
        distribution = "No re-distribution without Arete Advisors, LLC consent."

    strings:
        $ns1 = "Shadowcopy" ascii wide nocase
        $ns2 = "Remove-WmiObject" ascii wide nocase
        $ns3 = "write_encrypt_info" ascii wide nocase
        $ns4 = "Log-%d-%m-%Y-%H-%M-%S" ascii wide nocase
        $as1 = "--encryption_path" ascii wide nocase
        $as2 = "--share_file" ascii wide nocase
        $as3 = "--encryption_percent" ascii wide nocase
        $as4 = "-localonly" ascii wide nocase
        $ms1 = "megazord\\src\\main.rs" ascii wide nocase
        $ms2 = "megazord::windowsmegazord\\src\\windows.rs" ascii wide nocase
        $ms3 = "megazord::path_findermegazord\\src\\path_finder.rs" ascii wide nocase
        $ms4 = "megazord\\src\\lock.rs" ascii wide nocase
        $pdb1 = ":\\rust\\megazord" ascii wide nocase
        $pdb2 = "\\release\\deps\\megazord.pdb" ascii wide nocase
        $dls = "akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad" ascii wide nocase

condition:
((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and
( ( (2 of ($ns*)) and (3 of ($as*)) ) or ( all of ($ms*) ) or ( all of ($pdb*) ) or ($dls) )
}

rule Akira_ransomware_executable
{
    meta:
        author = "areteir.com"
        description = "Detects the Akira ransomware executable"
        target = "Windows systems"
        file_type = "exe"
        copyright = "Copyright © 2024 by Arete Advisors, LLC."
        distribution = "No re-distribution without Arete Advisors, LLC consent."

    strings:
        $ns1 = "Shadowcopy" ascii wide nocase
        $ns2 = "Remove-WmiObject" ascii wide nocase
        $ns3 = "write_encrypt_info" ascii wide nocase
        $ns4 = "Log-%d-%m-%Y-%H-%M-%S" ascii wide nocase
        $as1 = "--encryption_path" ascii wide nocase
        $as2 = "--share_file" ascii wide nocase
        $as3 = "--encryption_percent" ascii wide nocase
        $as4 = "-localonly" ascii wide nocase
        $ms1 = "megazord\\src\\main.rs" ascii wide nocase
        $ms2 = "megazord::windowsmegazord\\src\\windows.rs" ascii wide nocase
        $ms3 = "megazord::path_findermegazord\\src\\path_finder.rs" ascii wide nocase
        $ms4 = "megazord\\src\\lock.rs" ascii wide nocase
        $pdb1 = ":\\rust\\megazord" ascii wide nocase
        $pdb2 = "\\release\\deps\\megazord.pdb" ascii wide nocase
        $dls = "akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad" ascii wide nocase

condition:
((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and
( ( (2 of ($ns*)) and (3 of ($as*)) ) or ( all of ($ms*) ) or ( all of ($pdb*) ) or ($dls) )
}

rule Akira_ransomware_executable
{
    meta:
        author = "areteir.com"
        description = "Detects the Akira ransomware executable"
        target = "Windows systems"
        file_type = "exe"
        copyright = "Copyright © 2024 by Arete Advisors, LLC."
        distribution = "No re-distribution without Arete Advisors, LLC consent."

    strings:
        $ns1 = "Shadowcopy" ascii wide nocase
        $ns2 = "Remove-WmiObject" ascii wide nocase
        $ns3 = "write_encrypt_info" ascii wide nocase
        $ns4 = "Log-%d-%m-%Y-%H-%M-%S" ascii wide nocase
        $as1 = "--encryption_path" ascii wide nocase
        $as2 = "--share_file" ascii wide nocase
        $as3 = "--encryption_percent" ascii wide nocase
        $as4 = "-localonly" ascii wide nocase
        $ms1 = "megazord\\src\\main.rs" ascii wide nocase
        $ms2 = "megazord::windowsmegazord\\src\\windows.rs" ascii wide nocase
        $ms3 = "megazord::path_findermegazord\\src\\path_finder.rs" ascii wide nocase
        $ms4 = "megazord\\src\\lock.rs" ascii wide nocase
        $pdb1 = ":\\rust\\megazord" ascii wide nocase
        $pdb2 = "\\release\\deps\\megazord.pdb" ascii wide nocase
        $dls = "akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad" ascii wide nocase

condition:
((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and
( ( (2 of ($ns*)) and (3 of ($as*)) ) or ( all of ($ms*) ) or ( all of ($pdb*) ) or ($dls) )
}

Recommended Mitigations

• Utilize an endpoint detection and response (EDR) solution with the capability to halt detected processes and isolate systems on the network based on identified conditions.

• Block any known attacker C2s in the firewall.

• Implement multi-factor authentication on RDP and VPN to restrict access to critical network resources.

• Eliminate unnecessary RDP ports exposed to the internet.

• Block a high number of SMB connection attempts from one system to others in the network over a short period of time.

• Perform periodic dark web monitoring to verify if data is available for sale on the black market.

• Perform penetration tests.

• Periodically patch systems and update tools.

• Monitor connections to the network from suspicious locations.

• Monitor downloads and uploads of files to file-sharing services outside standard work hours.

• Monitor file uploads from domain controllers to the internet.

• Monitor network scans from uncommon servers (e.g., RDP server).

Organizations can find the full list of US government-recommended ransomware prevention and mitigation
guidance here: https://www.cisa.gov/stopransomware/ransomware-guide.

Arete provides data-driven cybersecurity solutions to transform your response to emerging cyber threats.
Click here to learn more.

References

• Arete – Crimeware Report H1 2024

• Arete Turning Tides Crimeware Report H1 2023

• Arete Arsinal Threat Management

• Cybersecurity and Infrastructure Security Agency (CISA) Advisory #StopRansomware: Akira Ransomware

• SentinelOne Megazord Ransomware