Skip to content
The Nexus
Group profile58 claimed in last 30d100 total tracked

akira

Forward this

The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group. It's worth noting that with the end of CONTI's operation, several affiliates migrated to independent campaigns such as Royal, BlackBasta, and others. According to some reports, Akira affiliates also work with other ransomware operations, such as Snatch and BlackByte, as an open directory of tools used by an Akira operator was identified, which also had connections to the Snatch ransomware. The first version of the Akira ransomware was written in C++ and appended files with the '.akira' extension, creating a ransom note named 'akira_readme.txt,' partially based on the Conti V2 source code. However, on June 29, 2023, a decryptor for this version was reportedly released by Avast. Subsequently, a version was released that fixed the decryption flaw on July 2, 2023. Since then, the new version is said to be written in Rust, this time called 'megazord.exe,' and it changes the extension to '.powerranges' for encrypted files. Most of Akira's initial access vectors use brute-force attempts on Cisco VPN devices (which use single-factor authentication only). Additionally, exploitation of CVEs: CVE-2019-6693 and CVE-2022-40684 for initial access has been identified. Source: https://github.com/crocodyli/ThreatActors-TTPs

First seen: May 18 · 00:00 UTCLast seen: Jul 8 · 00:00 UTC
Sectors hit
  • Business Services15
  • Manufacturing11
  • Unspecified7
  • Hospitality and Tourism7
  • Consumer Services7
  • Financial Services3
  • Transportation/Logistics2
  • Construction2
Countries hit
  • United States17
  • United Kingdom4
  • Germany2
  • NJ1
  • Japan1
  • Italy1
  • Spain1
MITRE ATT&CK · observed TTPs12 tactics

Tactics and techniques attributed to AKIRA by ransomware.live's curated TTP catalog. Identifiers link to the canonical MITRE ATT&CK reference for each tactic or sub-technique.

  • TA0001Initial Access
    • T1078Valid Accounts

      Utilizes compromised VPN credentials.

    • T1078.002Valid Accounts: Domain Accounts

      Operators use obtained domain accounts for access.

    • T1133External Remote Services

      Actors exploit CVE-2023-20269 remote service vulnerabilities.

    • T1190Exploit Public-Facing Application

      Targets vulnerable CISCO devices via CVE-2023-20269.

  • TA0002Execution
    • T1047Windows Management Instrumentation

      Actors may use WMI to continue the attack.

    • T1059Command and Scripting Interpreter

      Accepts parameters for its routines such as "-n 10" (for encryption percentage) or "-s (filename)" (for shared folder encryption).

    • T1059.001Command and Scripting Interpreter: PowerShell

      Operators use PowerShell to launch commands to continue operations.

    • T1059.002System Services: Service Execution

      Akira ransomware uses service execution for persistence.

    • T1059.003Command and Scripting Interpreter: Windows Command Shell

      Operators use CMD to launch commands to continue operations.

  • TA0003Persistence
    • T1136.001Create Account: Local Account

      Upon initial access, Akira operators create a local account on the compromised system.

    • T1136.002Create Account: Domain Account

      Upon initial access, Akira operators create a domain account on the compromised system.

  • TA0004Privilege Escalation
    • T1078.002Valid Accounts: Domain Accounts

      Utilizes valid domain accounts for privilege escalation.

    • TA0004Privilege Escalation

      Utilizes local domain accounts for privilege escalation.

  • TA0005Defense Evasion
    • T1112Modify Registry

      Uses commands in its operation to modify registries.

    • T1562.001Impair Defenses: Disable or Modify Tools

      Usage of PowerTool or a KillAV tool abusing the Zemana AntiMalware driver to terminate AV-related processes was observed.

  • TA0006Credential Access
    • T1003.001OS Credential Dumping: LSASS Memory

      Uses Mimikatz, LaZagne, or a command line to dump LSASS from memory.

  • TA0007Discovery
    • T1018Remote System Discovery

      Uses Advanced IP Scanner and MASSCAN to discover remote systems.

    • T1082System Information Discovery

      Uses PCHunter and SharpHound to collect system information.

    • TA0007Discovery

      Uses AdFind, Windows net command, and nltest to collect domain information.

  • TA0008Lateral Movement
    • T1021.001Remote Services: Remote Desktop Protocol

      Utilizes remote services for accessing accounts and machines through remote services.

    • T1570Lateral Tool Transfer

      Uses RDP to move laterally within the victim's network.

  • TA0009Collection
    • T1560.001Archive Collected Data: Archive via Utility

      Utilizes discovery to gather information for exfiltration.

  • TA0010Exfiltration
    • T1048.003Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

      Utilizes FileZilla or WinSCP to exfiltrate stolen information via FTP.

    • T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage

      Uses RClone to exfiltrate stolen information via a web service.

  • TA0011Command and Control
    • T1229Remote Access Software

      Utilizes AnyDesk, Radmin, Cloudflare Tunnel, MobaXterm, RustDesk, or Ngrok to gain remote access on targeted systems.

  • TA0040Impact
    • T1486Data Encrypted for Impact

      Akira ransomware is used to encrypt files.

    • T1490Inhibit System Recovery

      Deletes shadow copies to inhibit recovery.

Recent claimed victims
Jul 8 · 15:54 UTC

Wade's Dairy

Agriculture and Food ProductionUnited KingdomJul 8 · 13:21 UTC

Wade's Dairy

Jul 7 · 16:52 UTC

Chisholm Persson & Ball

Jul 7 · 16:52 UTC

RISE Architecture

Jul 7 · 15:55 UTC

Excalibur Rentals

Jul 7 · 14:54 UTC

Edge Solutions | Stone Ridge Payments

Business ServicesJul 7 · 14:21 UTC

RISE Architecture

Business ServicesJul 7 · 13:51 UTC

Chisholm Persson & Ball

Consumer ServicesJul 7 · 13:22 UTC

Excalibur Rentals

Financial ServicesUnited StatesJul 7 · 12:21 UTC

Edge Solutions | Stone Ridge Payments

Jul 1 · 15:58 UTC

Refinery Hotel

Hospitality and TourismJul 1 · 13:50 UTC

Refinery Hotel

Jun 30 · 14:56 UTC

Advanced Business Systems

Jun 30 · 14:56 UTC

About Todd Hamaker & Johnson

Business ServicesJun 30 · 12:20 UTC

About Todd Hamaker & Johnson

Business ServicesJun 30 · 11:50 UTC

Advanced Business Systems

Jun 26 · 15:57 UTC

Precise Forms

Business ServicesUnited StatesJun 26 · 12:50 UTC

Precise Forms

preciseforms.com
Jun 25 · 15:48 UTC

Padget Technologies

Jun 25 · 15:48 UTC

JMS Southeast

Business ServicesUnited StatesJun 25 · 12:20 UTC

JMS Southeast

jms-se.com
TechnologyUnited StatesJun 25 · 11:50 UTC

Padget Technologies

padgettechnologies.com
Jun 24 · 15:53 UTC

Jit Ex

Jun 24 · 14:51 UTC

Miami Machine

ManufacturingUnited StatesJun 24 · 12:20 UTC

Miami Machine

Jun 23 · 14:50 UTC

Leo International

Jun 23 · 14:50 UTC

IH Engineers

United StatesJun 23 · 12:20 UTC

Leo International

leointernational.com
ManufacturingUnited StatesJun 23 · 12:20 UTC

IH Engineers

ihengineers.com
Jun 22 · 18:52 UTC

Ntd Apparel

Consumer ServicesJun 22 · 15:50 UTC

Ntd Apparel

Jun 18 · 14:45 UTC

Berg Lilly

Jun 18 · 14:45 UTC

Apptricity

Business ServicesUnited StatesJun 18 · 12:20 UTC

Apptricity

Jun 17 · 15:47 UTC

Smith Filter

ManufacturingJun 17 · 12:50 UTC

Smith Filter

Jun 16 · 15:45 UTC

Insite Architects

Business ServicesJun 16 · 12:50 UTC

Insite Architects

Jun 12 · 15:43 UTC

DDC Domus Design Collection

Consumer ServicesJun 12 · 12:50 UTC

DDC Domus Design Collection

Jun 10 · 16:46 UTC

Port Air Express

Jun 10 · 14:46 UTC

Associated Investor Services

Jun 10 · 14:46 UTC

The Midland Theatre

Transportation/LogisticsJun 10 · 13:50 UTC

Port Air Express

portairexpress.com
Hospitality and TourismUnited KingdomJun 10 · 12:20 UTC

The Midland Theatre

Financial ServicesJun 10 · 11:50 UTC

Associated Investor Services

Jun 9 · 17:46 UTC

Rockaway River Country Club

Jun 9 · 17:46 UTC

Spray Equipment & Service Center

Jun 9 · 16:47 UTC

SMPC Architects

Business ServicesJun 9 · 14:50 UTC

Spray Equipment & Service Center

Jun 9 · 14:46 UTC

Centre Ellipse

Hospitality and TourismNJJun 9 · 14:20 UTC

Rockaway River Country Club

ConstructionJun 9 · 13:50 UTC

SMPC Architects

Jun 8 · 16:49 UTC

HRC Sicherheitsdienste

Business ServicesGermanyJun 8 · 13:50 UTC

HRC Sicherheitsdienste

Jun 5 · 16:45 UTC

Kennon Worldwide

AKIRA · Underground group profile · The Nexus