akira
The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group. It's worth noting that with the end of CONTI's operation, several affiliates migrated to independent campaigns such as Royal, BlackBasta, and others. According to some reports, Akira affiliates also work with other ransomware operations, such as Snatch and BlackByte, as an open directory of tools used by an Akira operator was identified, which also had connections to the Snatch ransomware. The first version of the Akira ransomware was written in C++ and appended files with the '.akira' extension, creating a ransom note named 'akira_readme.txt,' partially based on the Conti V2 source code. However, on June 29, 2023, a decryptor for this version was reportedly released by Avast. Subsequently, a version was released that fixed the decryption flaw on July 2, 2023. Since then, the new version is said to be written in Rust, this time called 'megazord.exe,' and it changes the extension to '.powerranges' for encrypted files. Most of Akira's initial access vectors use brute-force attempts on Cisco VPN devices (which use single-factor authentication only). Additionally, exploitation of CVEs: CVE-2019-6693 and CVE-2022-40684 for initial access has been identified. Source: https://github.com/crocodyli/ThreatActors-TTPs
- Business Services
- Manufacturing
- Unspecified
- Hospitality and Tourism
- Consumer Services
- Financial Services
- Transportation/Logistics
- Construction
- TA0001Initial Access
- T1078Valid Accounts
Utilizes compromised VPN credentials.
- T1078.002Valid Accounts: Domain Accounts
Operators use obtained domain accounts for access.
- T1133External Remote Services
Actors exploit CVE-2023-20269 remote service vulnerabilities.
- T1190Exploit Public-Facing Application
Targets vulnerable CISCO devices via CVE-2023-20269.
- TA0002Execution
- T1047Windows Management Instrumentation
Actors may use WMI to continue the attack.
- T1059Command and Scripting Interpreter
Accepts parameters for its routines such as "-n 10" (for encryption percentage) or "-s (filename)" (for shared folder encryption).
- T1059.001Command and Scripting Interpreter: PowerShell
Operators use PowerShell to launch commands to continue operations.
- T1059.002System Services: Service Execution
Akira ransomware uses service execution for persistence.
- T1059.003Command and Scripting Interpreter: Windows Command Shell
Operators use CMD to launch commands to continue operations.
- TA0003Persistence
- TA0004Privilege Escalation
- TA0005Defense Evasion
- TA0006Credential Access
- T1003.001OS Credential Dumping: LSASS Memory
Uses Mimikatz, LaZagne, or a command line to dump LSASS from memory.
- TA0007Discovery
- TA0008Lateral Movement
- TA0009Collection
- T1560.001Archive Collected Data: Archive via Utility
Utilizes discovery to gather information for exfiltration.
- TA0010Exfiltration
- TA0011Command and Control
- T1229Remote Access Software
Utilizes AnyDesk, Radmin, Cloudflare Tunnel, MobaXterm, RustDesk, or Ngrok to gain remote access on targeted systems.
- TA0040Impact