Akira

Akira is a ransomware variant and ransomware deployment entity active since at least March 2023.[1] Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.[1][2] Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates multiple overlaps with and similarities to Conti malware.[3]

ID: G1024
Associated Groups: GOLD SAHARA, PUNK SPIDER
Version: 1.0
Created: 20 February 2024
Last Modified: 03 October 2024

Associated Group Descriptions

Name Description
GOLD SAHARA [2]
PUNK SPIDER [4]

Techniques Used

Domain ID Name Use
Enterprise T1213.002 Data from Information Repositories: Sharepoint

Akira has accessed and downloaded information stored in SharePoint instances as part of data gathering and exfiltration activity.[2]

Enterprise T1482 Domain Trust Discovery

Akira uses the built-in Nltest utility or tools such as AdFind to enumerate Active Directory trusts in victim environments.[1]

Enterprise T1133 External Remote Services

Akira uses compromised VPN accounts for initial access to victim networks.[2]

Enterprise T1560.001 Archive Collected Data: Archive via Utility

Akira uses utilities such as WinRAR to archive data prior to exfiltration.[2]

Enterprise T1486 Data Encrypted for Impact

Akira encrypts files in victim environments as part of ransomware operations.[3]

Enterprise T1078 Valid Accounts

Akira uses valid account information to remotely access victim networks, such as VPN credentials.[2][1]

Enterprise T1657 Financial Theft

Akira engages in double-extortion ransomware, exfiltrating files then encrypting them, in order to prompt victims to pay a ransom.[3]

Enterprise T1531 Account Access Removal

Akira deletes administrator accounts in victim networks prior to encryption.[2]

Enterprise T1018 Remote System Discovery

Akira uses software such as Advanced IP Scanner and MASSCAN to identify remote hosts within victim networks.[1]

Enterprise T1219 Remote Access Software

Akira uses legitimate utilities such as AnyDesk and PuTTY for maintaining remote access to victim environments.[2][1]

Enterprise T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Akira will exfiltrate victim data using applications such as Rclone.[2]

Software

ID Name References Techniques
S0552 AdFind [1] Domain Trust Discovery, Permission Groups Discovery: Domain Groups, System Network Configuration Discovery, Account Discovery: Domain Account, Remote System Discovery
S1129 Akira [5] Windows Management Instrumentation, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Data Encrypted for Impact, File and Directory Discovery, Native API, System Information Discovery, Inhibit System Recovery, Network Share Discovery, Process Discovery
S0349 LaZagne [1] Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Keychain, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, Unsecured Credentials: Credentials In Files
S0002 Mimikatz [1] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0029 PsExec [1] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares
S1040 Rclone [1] Archive Collected Data: Archive via Utility, Data Transfer Size Limits, File and Directory Discovery, Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Web Service: Exfiltration to Cloud Storage

References