2024-12-12

Akira Ransomware Gains Momentum, Favoring U.S. Targets Across Critical Sectors

Level: Tactical | Source: CISA
Sectors: Agriculture, Construction, Consulting, Education, Entertainment, Government, Legal, Manufacturing, Media, Pharmaceutical, Retail, Technology, Telecommunications, Wholesale

Active since March 2023, the Akira ransomware-as-a-service (RaaS) group, also tracked as Howling Scorpius, has "consistently ranked" among the top ransomware operators globally. According to Unit 42, Akira has targeted organizations across North America, Europe, and Australia, with a primary focus on the United States. From March 2023 to October 2024, the group posted 231 U.S. victims on its leak site, with Canada and the United Kingdom trailing at 26 and 19 victims, respectively. Evidence from CyberInt last month further supports Akira's activity: the gang posted over 30 new victims on its data leak site between November 13 and 14. Akira's victimology spans critical infrastructure sectors such as agriculture, manufacturing, telecommunications, and construction, as well as other prominent targets in consulting, education, government, legal, pharmaceuticals, technology, and wholesale. Based on the group's available encryptors, the major technology platforms targeted are Windows, Linux, and ESXi hosts. Of further concern are Akira's ties to other cybercrime entities such as Conti and LockBit; RedSense co-founder Yelisey Bohuslavskiy identified a boost to Akira's personnel following LockBit's takedown. There is also an apparent relationship with the Megazord ransomware strain, given similarities in the ransom notes and the use of the same negotiation site.

Akira's RaaS model leverages a double-extortion strategy, exfiltrating sensitive data before encrypting files to maximize pressure on victims. Akira affiliates gain initial access through compromised credentials, often sourced from initial access brokers (IABs) or phishing campaigns; accounts lacking multi-factor authentication (MFA) are particularly targeted. Affiliates also exploit vulnerable external-facing services such as Cisco appliances, Remote Desktop Protocol (RDP), and VPNs. Credential theft techniques include tools like Mimikatz and LaZagne and the abuse of comsvcs.dll to dump LSASS memory, alongside copying the SYSTEM registry hive and NTDS.dit files and Kerberoasting to facilitate privilege escalation. To achieve persistence, new domain accounts are established. Unit 42 corroborates CISA's Akira report from April 18, 2024, which details the use of account names such as "itadm." Unit 42 also observed affiliates exploiting vCenter instances, shutting down domain controller VMs, extracting their Virtual Machine Disk (VMDK) files, and retrieving sensitive credential data.

For lateral movement, affiliates employ tools such as PsExec, Windows Management Instrumentation (WMI), and SMB. Network scanning utilities like Advanced IP Scanner are used to identify critical assets, while PowerShell scripts query Active Directory for sensitive user and group data. Defense evasion tactics include disabling Windows Defender, uninstalling endpoint detection agents, and leveraging vulnerable drivers under the "Bring Your Own Driver" technique. In some cases, attackers create virtual machines to bypass host defenses by running the ransomware inside an isolated VM, an approach known as "Bring Your Own VM." Preparing for the final stage, WinRAR is used to archive files of interest, with exfiltration conducted through tools like WinSCP, RClone, and FileZilla over the File Transfer Protocol. Encryption commences with Akira's Windows encryptor, which uses the ChaCha20 algorithm, with RSA securing the encryption keys.

Unit 42 also highlights techniques targeting other platforms, including Linux/ESXi variants that change the syslog log directory to /tmp: "It’s likely they did this to disable logging and disable the Core Dump file." Recent updates to the Akira ransomware include the introduction of a Rust-based variant, Akira_v2, which adds functionalities such as VM-specific targeting and enhanced encryption capabilities. Akira's evolving tactics, techniques, and procedures (TTPs) reflect a continuous effort to refine its ransomware operations. The group's ability to exploit multiple platforms, the high volume of reported Akira victims, and its deep connections within the cybercrime ecosystem emphasize the gravity of the threat posed by the Akira ransomware gang.
