_Overview

⚠️ This is only a small excerpt from the original report, which can be found in the corresponding section. The report was created thanks to the collaboration of Josh Penny [@josh_penny] ⚠️

Akira is a Threat Actor (TA) categorised among the criminal groups dedicated to ransomware, whose main objective is financial gain through extortion. The Akira gang's attack procedures have varied over time since their first appearance in 2023. Since then they have steadily grown their list of victims, following methodologies similar to those of other criminal groups, and Akira has ranked among the TAs with the most victims in recent years, climbing the yearly rankings consistently

The TA has used different tools, such as malware and vulnerability exploitation, during their attacks. Depending on the victim, we have observed phases aimed at avoiding detection, lateral movement, and various exfiltration methods that have evolved and adapted to their needs. The crown jewel of their operations is the ransomware that gives them their name: Akira

The malware has also undergone significant changes over time. However, as we will see below, its core functionality has not varied greatly. It retains capabilities such as enumerating disk drives, managing running processes, multi-threaded operation and, of course, encrypting files and writing ransom notes on the victim's devices

Akira maintains a close relationship with Conti, the ransomware used by WizardSpider. In fact, parts of the Akira ransomware code are an evolution, or another version, of the famous ransomware used by the Russian group, which is why the community often considers Akira a subgroup of WizardSpider. Akira has also been observed to have close ties with other well-known ransomware gangs such as BlackByte, LockBit and Snatch

_Technical Analysis

As mentioned earlier, the intrusion methods have evolved over time. However, their kill chain can be summarised as follows:

image

During the analysis, a multitude of Akira samples were considered in order to locate all available versions, with the aim of better understanding how the ransomware works, obtaining a more detailed view of each version, and identifying better detection opportunities based both on the group's behaviour and on the samples used in their attacks

The general behaviour of the samples, allowing for certain differences between versions, follows this sequence:

  • Once executed, Akira collects information about the affected device, such as the machine name and the time zone.

  • It then parses the command-line options it accepts and starts building a log, to which it will later write errors, problems and useful information about the tasks it performs. The log is only present in some versions

  • Next, it enumerates the disks installed on the device and retrieves the internal lists of directories and extensions it will use later. It also builds the PowerShell command that deletes the shadow copies and, depending on the version, either carries the public key embedded or loads the cryptographic library and functions in memory and builds it at runtime

  • Finally, Akira creates multiple threads that enter the folders of each disk simultaneously. For each folder it checks its internal list to decide whether to enter it, then checks every file against another list to decide whether it can be affected, dropping the ransom note as it goes. In parallel it opens the selected files and encrypts them with ChaCha; once a file is done, its extension is changed

image

The general functionality of the ransomware sample starts with a preparation phase in which it gathers information about the affected device. Depending on the version, it also creates a log in the folder from which the sample is executed and parses the command-line options that Akira accepts.

After this preliminary phase it first identifies which drives are available on the affected device, which is very common in this type of malware. It enumerates and stores the drives, and this behaviour is similar across most of the analysed samples

image

After this, it runs several routines to load both the target file extensions and the name of the ransom note, storing them together with the other lists of file extensions it uses.

image

image

image

These lists drive different checks: which extensions are targeted, which folders may be entered, size limits that depend on the extension, and so on.

Following this, it enumerates the running processes, listing and saving them, and compares them with the internal list it extracted earlier

image

Afterwards, it performs a very important routine for deleting the shadow copies and preventing system recovery, though in a manner quite different from the ShellExecute-based approaches (or similar techniques) we are used to. The result, however, is the same: a PowerShell process that deletes them through WMI

Powershell.exe -Command  "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"

image

After this, it runs several functions devoted to creating and managing the thread pool, followed by an extensive routine in which it performs various tasks, including the creation of the readme file. To do this, Akira works with multiple threads that enter the first disk and check each folder while, at the same time, writing the note and validating the contents

image

So, ultimately, we can see, on the one hand, how it has loaded the ransom note and, on the other, how it compares file extensions against its internal list

Once it has checked whether it should enter a path, and since it already has the note's content loaded and its file name prepared, the only thing worth noting is that it leaves a copy of the note in every path it traverses, not just in the root of each drive or on the desktop. The friendly attackers leave you an address through which you can contact them and pay them, classic

image

While writing the ransom note in parallel with checking folder access and deciding which files it can affect, Akira also verifies the file size before proceeding with encryption. It is worth noting that the ransomware works on multiple files simultaneously, so it manages several handles for different files concurrently while processing them

image

After this, all the files will have been affected, and you will either have to rely on your backups, if you have them, or pay (which is not recommended)



_Report

PDF viewer (the full report is embedded here on the original page)



_Detection Opportunities

  • [TA0002][T1059] Execution via command line of the sample based on Akira parameters

Local or remote execution (T1021 could also fit) of the Akira sample

(Process) powershell.exe | cmd.exe > (Command) --encryption_path|-p|--share_file|-s|--localonly|-l|--encryption_percent|-n

(Process) powershell.exe | cmd.exe > (Command) (--encryption_path|-p|--share_file|-s|--localonly|-l|--encryption_percent|-n).*=\\\\\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*

  • [TA0009][T1074] Control log creation by Akira

Creation of a control log by Akira (only some versions write it)

(File-Write) [Ll]og-\d{2}-\d{2}-\d{4}-\d{2}-\d{2}-\d{2}\.txt

  • [TA0040][T1490] Delete shadow copies using WMI

Akira uses PowerShell to run a WMI command that deletes the shadow copies

(Process) powershell.exe > (Command) powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"

  • [TA0040][T1486] Ransom note written by Akira

Creation of the ransom note by Akira

(File-Write) Akira_Readme.txt | help-you.txt

  • [TA0003][T1136] Account creation prior to the attack

Accounts are created (or domain accounts enumerated with /dom) to better manage the targeted infrastructure before the impact phase. The pattern matches the command when its output is redirected to an admin share on a remote host, which is how remote-execution tooling typically runs it

(Process) cmd.exe > (Command) cmd\.exe\s+/[qQ]\s+/[cC]\s+net\s+user\b.*/(dom|domain|add)\b.*\d>.*\\\\\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}

  • [TA0006][T1003] Dumping credentials via LSASS, SAM & NTDS

Credentials are dumped in different ways to obtain more users (wildcard patterns, * matches anything)

(Command) cmd*/c*comsvcs.dll, MiniDump*lsass*full
(Command) cmd*/c*-c -i*\NTDS\*-o*
(Command) cmd*/c*-c -i*\SYSTEM*-o*
(Command) ntdsutil*ac i ntds*ifm*createfull*q q

  • [TA0007][T1087] AD account discovery

Akira queries Active Directory to obtain as much knowledge as possible about the directory, and hence the infrastructure

(Command) (Get-ADComputer|Get-AdUser)\s+\-Filter.*\-Prop.*Select-Object.*

  • [TA0005][T1562] Modify the firewall and disable defences

The firewall is modified and native security controls are disabled to avoid complications during execution or exfiltration

(Command) netsh advfirewall firewall add rule name=*dir=*protocol=TCP*localport=*action=allow
(Command) Set-MpPreference -DisableRealtimeMonitoring $true

  • Control over the tools used by Akira

Akira uses a large number of tools across its kill chain, and it is necessary to keep them under control (knowing the parameters they use, their internal names, etc.). The following are the tools they have used

Mimikatz | LaZagne | AnyDesk | Radmin | RustDesk | PCHunter | AdFind | PowerTool | WinSCP | Rclone | FileZilla | SharpHound | MASSCAN | AdvancedIPScanner
e.g. (Tool-Name) Mimikatz > (Parameters) (lsadump::|sekurlsa::|sid::|token::|dpapi::|vault::|crypto::|misc::|kerberos::|privilege::)

  • Yara

This YARA rule is a bit generic, as I don't like to publish super strict rules so that we don't get caught in the detection, sorry for that

rule TA_Ransomware_Akira
{
	meta:
		description = "Akira: The old-new style crime"
		category = "Ransomware"
		author = "vc0rexor"
		reference = ""
		date = "2024-06-01"
		
	strings:
		$a1 = "expand 32-byte" wide ascii nocase
		$a2 = "akira" ascii nocase
		$a3 = "onion" ascii nocase
		$a4 = "TOR browser" fullword ascii nocase 
		$a5 = "--encryption_path" wide ascii nocase
		$a6 = "--encryption_percent" wide ascii nocase
		$a7 = "CreateThread" fullword ascii nocase
		$a8 = "CreateIoCompletionPort" fullword ascii nocase 
		$a9 = "AcquireSRWLockExclusive" fullword ascii nocase 
		$a10 = "GetCurrentThreadId" fullword ascii nocase 
		$a11 = "GetLogicalDriveStrings" fullword ascii nocase
		$a12 = "GetQueuedCompletionStatus" fullword ascii nocase
		$a13 = "encrypt" ascii nocase
		$a14 = "thread pool" fullword ascii nocase
		$a15 = "failed" wide ascii nocase
		$a16 = "System Volume Information" fullword ascii nocase
		$a17 = "Paths Finded" fullword ascii nocase
		$b1 = { 0f 11 45 ?? 0f 57 c9 f3 0f 7f 4d ?? 4c 63 c0 33 d2 48 8d 4d ?? e8 ?? ?? fe ff 48 8d 4d ?? 48 83 7d ?? 08 48 0f 43 4d ?? 4c 8d 45 ?? 48 83 7d ?? 10 4c 0f 43 45 ?? 8b 45 ?? 89 44 24 28 48 89 4c 24 20 44 8b 4d ?? 33 d2 33 c9 ff 15 ?? ?? ?? 00 0f 10 45 ?? 0f 11 45 ?? 0f 10 4d ?? 0f 11 4d ?? 66 0f 6f 05 ?? ?? ?? 00 f3 0f 7f 45 ?? 66 89 ?? ?? }
		$b2 = { 8b c7 0f 57 c0 0f 11 44 24 ?? 4c 89 74 24 ?? 4d 8b c7 4c 89 74 24 ?? 48 8d 0c 40 48 8b ?? 24 ?? }
		$b3 = { 48 8d ?? 27 48 83 ?? e0 48 89 ?? f8 48 89 ?? ?? ?? 8d ?? 00 20 00 00 ?? 89 ?? ?? 33 d2 41 b8 00 20 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? b9 04 01 00 00 ff 15 ?? ?? ?? 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 00 00 00 ?? ?? ?? ?? ?? 8d ?? ?? 66 66 66 0f 1f 84 00 00 00 00 00 }
		$b4 = { 0f b7 90 d2 03 00 00 48 8b 84 d0 d8 03 00 00 0f b7 90 d2 03 00 00 48 8b 84 d0 d8 03 00 00 0f b7 90 d2 03 00 00 48 8b 84 d0 d8 03 00 00 0f b7 90 d2 03 00 00 48 8b 84 d0 d8 03 00 00 0f b7 90 d2 03 00 00 48 8b 84 d0 d8 03 00 00 0f b7 90 d2 03 00 00 48 8b 84 d0 d8 03 00 00 0f b7 90 d2 03 00 00 48 8b 84 d0 d8 03 00 00 0f b7 90 d2 03 00 00 48 8b 84 d0 d8 03 00 00 48 83 c1 f8 }
		$b5 = { 48 8b 4e ?? e8 ?? ?? ?? 00 48 8d 7c 24 20 48 89 07 48 89 f9 e8 ?? ?? ?? ?? 48 8b 46 28 48 89 47 10 0f 10 46 18 0f 29 07 48 8b 0e e8 ?? ?? ?? 00 48 8d 7c 24 20 48 89 f9 e8 ?? ?? ?? ?? 48 8b 5e 08 48 8d 4b 18 e8 ?? ?? ?? ?? 48 c7 43 18 01 00 00 00 48 83 63 20 00 48 8b 46 08 48 89 07 48 8d 4c 24 20 e8 ?? ?? ?? ?? 90 48 83 c4 40 5b 5f 5e }

	condition:
		filesize > 500KB
		and filesize < 1100KB
		and (8 of ($a*) and 2 of ($b*))
		and uint16(0) == 0x5a4d 
}
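As an added example (this is not code from the original report or from its author), the following Python script encodes the detection opportunities above, together with the host artefacts described in the Technical Analysis (the control log, the WMI shadow-copy deletion, the ransom note and the sample's command-line options), as regex rules and runs them over constructed telemetry events. The event format, rule names and sample command lines are my own assumptions, the `*` wildcards of the page have been rewritten as `.*`, and the `net user` rule allows a user name between `user` and `/add` so that an actual account creation also matches.

```python
"""Run the Akira detection opportunities over constructed process and
file-write telemetry.  Rules are my transcription of the page's patterns
into Python regexes; the events are constructed samples, not real data."""
import re
from typing import List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    kind: str    # "process" (value = command line) or "file_write" (value = path)
    image: str   # image name of the acting process
    value: str


class Rule(NamedTuple):
    name: str
    kind: str
    image: Optional[str]   # regex on Event.image; None = any process
    pattern: str           # regex on Event.value


IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

RULES: List[Rule] = [
    # [T1059] Akira sample options, long and short forms (-p/-s/-l/-n)
    Rule("T1059 akira_sample_parameters", "process", r"(?:cmd|powershell)\.exe",
         r"--encryption_path|--share_file|--localonly|--encryption_percent|(?<=\s)-[psln](?=[\s=]|$)"),
    # [T1059] same options pointed at a remote UNC path (\\<ip>\...)
    Rule("T1059 akira_sample_remote_share", "process", r"(?:cmd|powershell)\.exe",
         r"(?:--encryption_path|-p|--share_file|-s)\s*=?\s*\\\\" + IPV4),
    # [T1074] control log Log-DD-MM-YYYY-HH-MM-SS.txt (some versions only)
    Rule("T1074 akira_control_log", "file_write", None,
         r"[\\/]log-\d{2}-\d{2}-\d{4}-\d{2}-\d{2}-\d{2}\.txt$"),
    # [T1490] shadow copies removed through WMI from PowerShell
    Rule("T1490 shadow_copy_delete_wmi", "process", r"powershell\.exe",
         r"Get-WmiObject\s+Win32_ShadowCopy\s*\|\s*Remove-WmiObject"),
    # [T1486] ransom note dropped in every traversed folder
    Rule("T1486 akira_ransom_note", "file_write", None,
         r"[\\/](?:akira_readme|help-you)\.txt$"),
    # [T1136] net user ... /dom|/add with output redirected to a remote admin share
    Rule("T1136 net_user_via_admin_share", "process", r"cmd\.exe",
         r"cmd\.exe\s+/q\s+/c\s+net\s+user\b.*?/(?:dom(?:ain)?|add)\b.*?\d>\s*\\\\" + IPV4),
    # [T1003] LSASS dump through comsvcs.dll MiniDump, NTDS/SYSTEM copy, ntdsutil IFM
    Rule("T1003 lsass_minidump_comsvcs", "process", None,
         r"comsvcs\.dll,?\s*MiniDump\b.*lsass.*\bfull\b"),
    Rule("T1003 ntds_or_system_hive_copy", "process", None,
         r"-c\s+-i\s+\S*\\(?:NTDS|SYSTEM)\b.*-o"),
    Rule("T1003 ntdsutil_ifm", "process", None,
         r"ntdsutil.*ac\s+i\s+ntds.*ifm.*create\s*full.*q\s+q"),
    # [T1087] AD enumeration with the ActiveDirectory module
    Rule("T1087 ad_enumeration", "process", None,
         r"(?:Get-ADComputer|Get-ADUser)\s+-Filter\b.*-Prop.*Select-Object"),
    # [T1562] firewall opened, Defender real-time monitoring disabled
    Rule("T1562 firewall_allow_rule", "process", None,
         r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*action=allow"),
    Rule("T1562 defender_realtime_off", "process", None,
         r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true"),
    # tooling: any Mimikatz module invocation
    Rule("tool mimikatz_module", "process", None,
         r"\b(?:lsadump|sekurlsa|sid|token|dpapi|vault|crypto|misc|kerberos|privilege)::\w+"),
]

# Compile once; all matching is case-insensitive, as Windows command lines are.
COMPILED = [(r, re.compile(r.image, re.I) if r.image else None, re.compile(r.pattern, re.I))
            for r in RULES]


def match_event(event: Event) -> List[str]:
    """Return the names of every rule that fires on one event, in RULES order."""
    hits = []
    for rule, image_re, value_re in COMPILED:
        if rule.kind != event.kind:
            continue
        if image_re is not None and not image_re.search(event.image):
            continue
        if value_re.search(event.value):
            hits.append(rule.name)
    return hits


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Evaluate all rules over an event list; returns (event index, rule name) pairs."""
    return [(i, name) for i, ev in enumerate(events) for name in match_event(ev)]


# Constructed telemetry (hypothetical host, paths and IPs); the last three
# events are benign look-alikes that must not fire.
SAMPLE_EVENTS: List[Event] = [
    Event("process", "cmd.exe", r"cmd.exe /Q /c net user /dom 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"),
    Event("process", "cmd.exe", r"cmd.exe /c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\ProgramData\lsass.dmp full"),
    Event("process", "cmd.exe", r"cmd.exe /c C:\temp\x.exe -c -i C:\Windows\NTDS\ntds.dit -o C:\temp\out.dit"),
    Event("process", "cmd.exe", r'cmd.exe /c ntdsutil "ac i ntds" "ifm" "create full C:\temp\ifm" q q'),
    Event("process", "powershell.exe", 'powershell.exe -c "Get-ADComputer -Filter * -Properties * | Select-Object Name,OperatingSystem"'),
    Event("process", "powershell.exe", 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    Event("process", "cmd.exe", "netsh advfirewall firewall add rule name=rdp dir=in protocol=TCP localport=3389 action=allow"),
    Event("process", "cmd.exe", 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'),
    Event("file_write", "w.exe", r"C:\Users\Public\Log-11-06-2024-09-41-17.txt"),
    Event("process", "powershell.exe", 'powershell.exe -Command "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"'),
    Event("process", "cmd.exe", r"cmd.exe /c C:\Users\Public\w.exe -p=C:\Users --encryption_percent=20 -l"),
    Event("process", "cmd.exe", r"cmd.exe /c C:\Users\Public\w.exe -s=\\10.0.0.5\share\list.txt"),
    Event("file_write", "w.exe", r"C:\Users\alice\Documents\akira_readme.txt"),
    Event("process", "powershell.exe", 'powershell.exe -Command "Get-WmiObject Win32_OperatingSystem"'),
    Event("process", "cmd.exe", "cmd.exe /c net user jdoe"),
    Event("file_write", "notepad.exe", r"C:\Users\alice\Documents\readme.txt"),
]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"[{name}] event {idx}: {SAMPLE_EVENTS[idx].value}")
```

The per-rule `image` filter keeps the page's process qualifiers (PowerShell for the WMI deletion, cmd.exe for the remote `net user`), while the short-option rule uses a look-behind so `-p`/`-s`/`-l`/`-n` only fire as stand-alone switches and not inside unrelated options such as `-Properties`. The remote-share variant is deliberately a second, narrower rule so it can be given a higher severity than the generic parameter match.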

_IOC

2cda932f5a9dafb0a328d0f9788bd89c
64f8e1b825887afe3130af4bf4611c21
a18d79e94229fdf02ef091cf974ed546
3f63951399f8cd578e2a6faed2c9c0f0
4edc0efe1fd24f4f9ea234b83fcaeb6a
c2cbbd6e392a453a47da69d086756e71
9f801240af1124b66defcd4b4ae63f2a
fd380db23531bb7bb610a7b32fc2a6d5
bd046164daf3c30e265d4f9c6647f630
7ca94d84f4a02fb1f608818c1c3ab62d
11a6a4bfa63286feaeaf2c231ce769c3
adf426e30f8a3383c6696d2f142907d3
f9a3a00b8772103ca109662b32d01934
495afbc7ebae07d50c529c1bd5889f54
491f619c358382872f87e1479c145a5e
0c706908df97857255252837ac1b90c9
d24cd19a50e6d574a0cfdfc07c6d22bb

Caveat on the IP list: several of the addresses below belong to large cloud/CDN providers (for example the 162.159.x.x Cloudflare ranges and the 13.107.x.x / 20.99.x.x Microsoft ranges) and most likely reflect benign traffic observed during analysis; validate them in your own telemetry before blocking.

91[.]132[.]92[.]60
138[.]124[.]184[.]174
148[.]72[.]168[.]13
148[.]72[.]171[.]171
199[.]127[.]60[.]236
45[.]227[.]254[.]26
80[.]66[.]88[.]203
91[.]240[.]118[.]29
152[.]89[.]196[.]111
194[.]26[.]29[.]102
185[.]11[.]61[.]114
23[.]83[.]133[.]104
23[.]108[.]57[.]151
64[.]44[.]102[.]190
20[.]99[.]133[.]109
20[.]99[.]185[.]48
13[.]107[.]4[.]50
192[.]229[.]211[.]108
23[.]216[.]147[.]64
23[.]216[.]147[.]76
64[.]44[.]135[.]135
162[.]159[.]130[.]233
162[.]159[.]134[.]233
162[.]159[.]133[.]233
108[.]177[.]127[.]94
108[.]177[.]119[.]95
108[.]177[.]126[.]132
23[.]106[.]215[.]210
23[.]108[.]57[.]1
157[.]254[.]194[.]99
23[.]106[.]123[.]15
23[.]82[.]140[.]10
23[.]106[.]215[.]64
23[.]108[.]57[.]240
23[.]19[.]58[.]94
23[.]108[.]57[.]94
23[.]81[.]246[.]200
108[.]62[.]118[.]197
23[.]106[.]160[.]141
23[.]106[.]223[.]200
108[.]62[.]118[.]180
23[.]82[.]140[.]122
108[.]177[.]235[.]187
64[.]44[.]102[.]207
45[.]147[.]230[.]83
64[.]44[.]102[.]133
64[.]44[.]102[.]127
108[.]62[.]141[.]243
64[.]44[.]102[.]19
108[.]62[.]118[.]131
64[.]44[.]98[.]232
23[.]108[.]57[.]213


jotuhup[.]com
zuvebeb[.]com
ceyuvigi[.]com
naporiz[.]com
xafehot[.]com
natuzujut[.]com
pucaxejun[.]com
napajep[.]com
nemucefah[.]com
jugiruturi[.]com
pijixepi[.]com
jahojahi[.]com
hakakebero[.]com
vezawahoy[.]com
sakogabu[.]com
xamayojir[.]com
tevokaxol[.]com
danimos[.]com
vosuxizen[.]com
lugociyah[.]com
duladani[.]com
bukifide[.]com
wijakezada[.]com
yuzowul[.]com
dehelibe[.]com
yavahiyil[.]com
rikukof[.]com
rabihino[.]com
talulime[.]com

http[:]//repairdll[.]net/jHKIOEyC/ 