What is AKIRA ransomware? The novel in the notoriety.

In early September (05/09/2023 – 06/09/2023), Aspire’s Security Operations Centre (SOC) identified, through organic threat hunting, suspicious activity that appeared to be emanating from client systems under the account name ‘svc_veeam’.

After deeper investigation, Aspire’s SOC were able to determine that the activity had stemmed from the ‘AnyConnect’ Virtual Private Network (VPN) services consumed by the client.

As we all know, ransomware is designed to relieve victims of their data by encrypting it and holding it to ransom in exchange for a payout from the organisation. Just when you thought the tightrope couldn’t get any trickier, Akira is a Ransomware-as-a-Service (RaaS) offering that adds a more malicious twist to the design.

Not only does Akira encrypt victim data, it also seeks to deny its victim any chance of regaining operations by attempting to delete the Volume Shadow Copies on affected systems. Just as Mario and Crash Bandicoot require lifelines to progress from level to level, businesses rely on Volume Shadow Copies as their lifeline for system backups and operational vitality. Losing the ability to restore systems is a scary prospect.


Who is affected by Akira?

Research suggests that since Akira’s discovery in early 2023, its victimology has been a steady trickle of victims from a variety of sectors, including manufacturing, education, healthcare and finance, to name a few.

The category of threat that Akira represents is known as Ransomware-as-a-Service, or RaaS. RaaS has taken hold as a monetised model that gives less technically skilled affiliates the chance to deliver “ransomware without the mess” in the form of DIY RaaS kits. The biggest takeaway about such a commodity is that the threat actors behind it don’t need every attack to succeed in order to make money.

Overall, RaaS has fast become the antagonists’ Dragons’ Den of business models, and Aspire’s SOC has been ‘out’ to successfully tackle it.


How does the exploit work?

Akira works to delete the Volume Shadow Copies on affected devices. The Volume Shadow Copy Service enables data to be backed up without taking any functions offline. For the more historically savvy, losing them is akin to taping over the VHS copy of your wedding with an episode of You’ve Been Framed or Match of the Day: either way, it’s bad news.

The unique danger is that once those shadow copies are deleted, encryption of the live files begins, and the signature finish is that each encrypted file is renamed with the .akira extension (a calling card, perhaps).

What does the exploit target?

  • The RaaS is known to compromise accounts via phishing campaigns (this was highly likely conducted during the earlier phases identified in this exercise).
  • The ransomware was reported to spread through insecure Remote Desktop connections (usually linked to a lack of multi-factor authentication on the VPN).
  • Once access is achieved, the ransomware spreads through lateral movement (no brute force was necessary because compromised accounts were used).
  • Possible targeting of accounts with unnecessary admin privileges.
  • Volume Shadow Copies deleted.
  • Exfiltration and encryption of sensitive data.


How can you identify it?

Among the varied Indicators of Compromise (IOC) collected, one observed as the preamble to the Volume Shadow Copies being deleted is an executable launched under a name with a distinctive format:

  • 395876___27698a19-6e7f-4361-9b37-0686d5b85bca.exe – strings such as this were observed during analysis of the attack.
  • exe -Command “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject” – this PowerShell command carries out the deletion of the Volume Shadow Copies. (Reports suggest that in some cases these commands were purposefully obfuscated by the threat actor, so care and attention should be given when investigating.)
  • Akira’s encryptor is reported to skip the contents of the Recycle Bin, System Volume Information, boot data and ProgramData.
  • One key giveaway is evidence of the “.akira” extension appended to original file names. In addition, the process uses the Windows Restart Manager to shut down processes on the system that may be holding files open and would otherwise prevent further encryption.
  • Each affected folder is left with the ransom note akira_readme.txt.
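The indicators above can be turned into a simple hunt over process-creation and file-event telemetry. The script below is an added example, not Aspire’s tooling; the log format, host name and sample lines are constructed for illustration (the account and executable names are the ones quoted above), and the handling of PowerShell backtick escapes and -EncodedCommand payloads is a general defensive assumption about how the obfuscation mentioned above might look, not something the write-up describes.

```python
import base64
import re

# Indicators taken from the write-up above, matched case-insensitively.
INDICATORS = {
    # <digits>___<GUID>.exe, the launcher name format seen before shadow copies vanished
    "guid_named_exe": re.compile(r"\b\d+___[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.exe\b", re.I),
    # the WMI one-liner that deletes every Volume Shadow Copy
    "shadow_copy_delete": re.compile(r"Get-WmiObject\s+Win32_Shadowcopy\s*\|\s*Remove-WmiObject", re.I),
    # encrypted files renamed with the .akira extension
    "akira_extension": re.compile(r"\.akira\b", re.I),
    # ransom note dropped into each affected folder
    "ransom_note": re.compile(r"akira_readme\.txt", re.I),
}
# PowerShell -EncodedCommand (or its -e / -enc short forms) followed by a base64 blob
ENCODED_CMD_RE = re.compile(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def normalise(line):
    """Undo simple obfuscation a plain regex would miss: strip PowerShell backtick
    escapes (G`et-Wmi`Object) and quoting, and decode any -EncodedCommand payload
    (base64 of UTF-16LE), appending the plaintext so the indicators can match."""
    text = line.replace("`", "").replace("'", "").replace('"', "")
    for blob in ENCODED_CMD_RE.findall(text):
        try:
            text += " " + base64.b64decode(blob).decode("utf-16-le", "ignore")
        except ValueError:
            pass  # not valid base64; match the line as it stands
    return text

def scan_line(line):
    """Return the names of every indicator present in one log line."""
    text = normalise(line)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_log(lines):
    """Return (line_number, [indicators]) for each line that matched anything."""
    return [(n, hits) for n, hits in ((n, scan_line(l)) for n, l in enumerate(lines, 1)) if hits]

# Constructed sample telemetry, not real client logs. The account and executable names
# are the ones quoted in the write-up; the encoded line is built here for the test.
ENCODED = base64.b64encode("Get-WmiObject Win32_Shadowcopy | Remove-WmiObject".encode("utf-16-le")).decode()
SAMPLE_LOG = [
    "host=FS01 user=svc_veeam image=C:\\Windows\\System32\\svchost.exe",
    "host=FS01 user=svc_veeam image=C:\\Temp\\395876___27698a19-6e7f-4361-9b37-0686d5b85bca.exe",
    'host=FS01 user=svc_veeam cmd=powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"',
    "host=FS01 user=svc_veeam cmd=powershell.exe -Command G`et-Wmi`Object Win32_Shadowcopy|Remove-WmiObject",
    "host=FS01 event=FileRename target=D:\\Finance\\budget.xlsx.akira",
    "host=FS01 event=FileCreate target=D:\\Finance\\akira_readme.txt",
    f"host=FS01 user=svc_veeam cmd=powershell.exe -enc {ENCODED}",
]
```

Running scan_log(SAMPLE_LOG) flags every line except the benign svchost.exe one, including the backtick-escaped and base64-encoded variants of the shadow copy deletion.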

What actions can you take?

Whilst the trend is going viral (no pun intended), the important fact to remember is that you are only as strong as your weakest click. The phishing click, that is.

So what should you do?

Well, from Aspire’s findings and due diligence, our recommendation is that the admins among you actively keep on top of regular backups and patching of systems and networks. As with most, if not all, ransomware, the weak link in the chain is that even the best of us drop the ball when it comes to phishing campaigns.

What can you do to defend yourself? Bolster email security with DMARC, DKIM and Sender Policy Framework (SPF) so that the origin of all correspondence can be verified.

Remain diligent and refrain from clicking suspicious links in emails, to avoid downloading malicious strains, code and unwanted applications.

Strong passwords and MFA are the next obstacle that threat actors must traverse for further access; any email policy is in vain if a user’s password is breakable.

Regularly audit the security posture of domains and servers to identify abnormal instances such as new or suspicious users.

Last but not least, it’s definitely worth considering a managed cyber security service such as Aspire’s Security Operations Centre. Through Aspire’s services, we can provide assured and proven 24/7, 365 prevention, detection and near-real-time response through instant-access Advanced Threat Protection, fully tailorable to any organisation.

Written by:

Tomos Dilliway