Akira Ransomware Group
| Actor Type | Criminal Group |
|---|---|
The Akira Ransomware Group is responsible for the Akira ransomware and its associated (1980s-themed) leak site. According to reporting, Akira operates a ransomware-as-a-service (RaaS) model, with attacks using double extortion (encryption plus the threat of leaking stolen data). The group offers affiliates a comprehensive arsenal capable of encrypting Linux and VMware ESXi hosts as well as Windows machines. The group has also been reported as targeting VPN appliances that lack multifactor authentication (MFA).
Analysis by security researchers suggests that the group may have links to Conti, based on code similarities (such as the list of ignored file types and the ChaCha encryption implementation) and on blockchain analysis.
According to CISA, as of January 2024 the group had impacted over 250 organizations and claimed approximately $42 million (USD) in ransom proceeds. Victim organizations span multiple sectors globally, but the majority appear to be US-based, with manufacturing, education, finance and government particularly badly affected.
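The exposure this profile keeps returning to is VPN access without MFA (the overview above, and T1133 / T1078 in the ATT&CK table below). The script that follows is an added example, not code from the page or from any of the cited vendors: it parses constructed VPN authentication log lines in a hypothetical generic syslog layout and flags successful logins where MFA was not satisfied, plus the more specific pattern of a failed login from a source followed by a non-MFA success for the same account. The log format, field names and sample lines are assumptions for illustration; adapt the regex to your own appliance's format.

```python
"""
Added example (not from the original page or any vendor tooling): hunt a VPN
authentication log for successful logins that were not protected by MFA.
The log format and sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample lines, modelled loosely on a generic VPN appliance syslog.
SAMPLE_LOG = """\
2024-03-02T01:12:44Z vpn1 auth: user=jsmith src=203.0.113.10 result=success mfa=passed
2024-03-02T01:13:01Z vpn1 auth: user=svc_backup src=198.51.100.7 result=success mfa=none
2024-03-02T01:13:05Z vpn1 auth: user=svc_backup src=198.51.100.7 result=success mfa=none
2024-03-02T02:40:19Z vpn1 auth: user=admin src=198.51.100.7 result=failure mfa=none
2024-03-02T02:40:33Z vpn1 auth: user=admin src=198.51.100.7 result=success mfa=none
2024-03-02T03:05:12Z vpn1 auth: user=mlee src=192.0.2.55 result=success mfa=passed
"""

# Hypothetical field layout; change this to match the real appliance's syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts, skipping any line that does not match the layout."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_no_mfa_logins(events):
    """Successful logins where MFA was not satisfied: the exposure the profile warns about."""
    return [e for e in events if e["result"] == "success" and e["mfa"] != "passed"]


def find_failure_then_success(events, min_failures=1):
    """(user, src) pairs where at least min_failures failed attempts from the same
    source preceded a non-MFA success. Events are assumed to be in log order.
    This is the valid-account (T1078) pattern after guessing or credential reuse."""
    failures = defaultdict(int)
    hits = []
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            failures[key] += 1
        elif e["mfa"] != "passed" and failures[key] >= min_failures:
            hits.append(key)
    return hits


def summarise(text):
    """Run both checks over a log and return a compact report dict."""
    events = parse_events(text)
    no_mfa = find_no_mfa_logins(events)
    return {
        "total": len(events),
        "no_mfa_success": len(no_mfa),
        "users": sorted({e["user"] for e in no_mfa}),
        "failure_then_success": find_failure_then_success(events),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

On the constructed sample this reports three non-MFA successes across two accounts and one failure-then-success pair for `admin`; accounts that show up in `users` are the ones to enrol in MFA or disable before an affiliate finds them.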
Akira Ransomware Group Threat Reports
AA24-109A StopRansomware: Akira Ransomware
This is a joint #StopRansomware advisory issued by CISA and partners covering Akira ransomware attacks. According to the report, the group has ...
References
https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/
https://www.fortinet.com/blog/threat-research/ransomware-roundup-akira
https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/
https://www.hhs.gov/sites/default/files/akira-ransomware-sector-alert-tlpclear.pdf
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/#how_to
https://blogs.cisco.com/security/akira-ransomware-targeting-vpns-without-multi-factor-authentication
https://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-akira
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1190 | Exploit Public-Facing Application | Initial Access |
T1057 | Process Discovery | Discovery |
T1136.002 | Domain Account | Persistence |
T1560.001 | Archive via Utility | Collection |
T1090 | Proxy | Command and Control |
T1567.002 | Exfiltration to Cloud Storage | Exfiltration |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1003.001 | LSASS Memory | Credential Access |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1016 | System Network Configuration Discovery | Discovery |
T1566.001 | Spearphishing Attachment | Initial Access |
T1069.001 | Local Groups | Discovery |
T1069.002 | Domain Groups | Discovery |
T1219 | Remote Access Software | Command and Control |
T1486 | Data Encrypted for Impact | Impact |
T1537 | Transfer Data to Cloud Account | Exfiltration |
T1562.001 | Disable or Modify Tools | Defense Evasion |
T1482 | Domain Trust Discovery | Discovery |
T1133 | External Remote Services | Initial Access, Persistence |
T1003 | OS Credential Dumping | Credential Access |
T1082 | System Information Discovery | Discovery |
T1018 | Remote System Discovery | Discovery |
T1657 | Financial Theft | Impact |
T1490 | Inhibit System Recovery | Impact |
T1566.002 | Spearphishing Link | Initial Access |