In early September 2023 (05/09/2023 – 06/09/2023), Aspire’s Security Operations Centre (SOC) identified, through organic threat hunting, suspicious activity that appeared to be emanating from client systems under the account name ‘svc_veeam’.
After deeper investigation, Aspire’s SOC was able to determine that the activity had stemmed from Consumable ‘AnyConnect’ Virtual Private Network services.
As we all know, ransomware is designed to relieve victims of their data by encrypting it and holding it to ransom in exchange for a payout from the affected organisation. Just when you thought the tightrope couldn’t get any trickier, Akira, a Ransomware-as-a-Service (RaaS) offering, presents a more malicious twist in its design.
Not only does Akira encrypt victim data, it also seeks to deny its victims any chance of regaining operations by attempting to delete the Volume Shadow Copies on affected systems. Just as Mario and Crash Bandicoot require lifelines to progress from level to level, businesses rely on Volume Shadow Copies as their lifeline for system backups and operational continuity. Losing the ability to restore systems is a scary prospect.
Who is affected by Akira?
Research suggests that since Akira’s discovery in early 2023 there has been a steady trickle of victims across a variety of sectors, including manufacturing, education, healthcare and finance, to name a few.
Akira belongs to the category of threat known as Ransomware-as-a-Service, or RaaS. RaaS has become established as a monetised model that gives less technically skilled affiliates the chance to deliver “ransomware without the mess” in the form of DIY RaaS kits. The biggest takeaway about such a commodity is that the threat actors behind it don’t need every attack to succeed in order to make money.
Overall, RaaS has fast become the antagonists’ Dragons’ Den of business models, and Aspire’s SOC has been ‘out’ to tackle it successfully.
How does the exploit work?
Akira deletes the Volume Shadow Copies on affected devices. The Volume Shadow Copy Service allows data to be backed up without taking any functions offline. To the more historically savvy, this is akin to taping over the VHS copy of your wedding with an episode of You’ve Been Framed or Match of the Day; either way, it’s bad news.
The particular danger of this exploit is that once the shadow copies are deleted, encryption of the live files begins, and the signature finishing touch is to rename each encrypted file with the .akira extension (a calling card, perhaps).
What does the exploit target?
- The RaaS is known to compromise accounts via phishing campaigns (this was highly likely to have occurred during earlier phases identified in this exercise).
- The ransomware has been reported to spread through insecure Remote Desktop connections (usually where multi-factor authentication has not been applied to the VPN).
- The exploit spreads through lateral movement once access is achieved (no brute force was necessary, because the accounts were already compromised).
- Possible targeting of accounts with unnecessary admin privileges.
- Volume Shadow Copies deleted.
- Exfiltration and encryption of sensitive data.
How can you identify it?
Among the varied Indicators of Compromise (IOCs) collected, one computed IOC, observed as the preamble to the Volume Shadow Copies being deleted, is an executable launched under a name with a distinct format:
- 395876___27698a19-6e7f-4361-9b37-0686d5b85bca.exe – strings such as this were observed during analysis of the exploit.
- exe -Command “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject” – this PowerShell command performs the deletion of the Volume Shadow Copies. (Reports suggest that in some cases these commands were deliberately obfuscated by the threat actor, so care and attention should be given when investigating.)
- Akira’s encryptor is reported to skip the contents of the Recycle Bin, System Volume Information, boot data and ProgramData.
- One key giveaway is evidence of files having the “.akira” extension appended to their original names. In addition, the process intends to invoke the Windows Restart Manager to shut down whatever may be keeping files open and thereby preventing further encryption.
- Each affected folder will have the ransom note akira_readme.txt dropped into it.
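As an added illustration (not Aspire’s tooling), the following Python script runs the indicators above as detection rules over a handful of constructed process-creation and file-creation records. The `gwmi` alias and the numeric___GUID.exe file-name pattern are assumptions: the alias is standard PowerShell, and the pattern is generalised from the single sample name quoted in this article.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs): process-creation and
# file-creation records in the shape a SIEM might hand to a detection script.
SAMPLE_EVENTS = [
    {"type": "process", "user": "svc_veeam",
     "cmdline": 'powershell.exe   -Command "get-wmiobject Win32_ShadowCopy | Remove-WmiObject"'},
    {"type": "process", "user": "svc_veeam",
     "cmdline": r"C:\Users\Public\395876___27698a19-6e7f-4361-9b37-0686d5b85bca.exe"},
    {"type": "process", "user": "jsmith", "cmdline": "vssadmin list shadows"},
    {"type": "file", "user": "svc_veeam", "path": r"\\fs01\finance\Q3-forecast.xlsx.akira"},
    {"type": "file", "user": "svc_veeam", "path": r"\\fs01\finance\akira_readme.txt"},
    {"type": "file", "user": "jsmith", "path": r"\\fs01\finance\Q3-forecast.xlsx"},
]

# The WMI one-liner, the .akira extension and akira_readme.txt come from the article.
# Assumptions: 'gwmi' is the built-in PowerShell alias for Get-WmiObject, and the
# digits___GUID.exe pattern is generalised from the one sample file name quoted there.
WMI_SHADOW_DELETE = re.compile(r"(get-wmiobject|gwmi)\s+win32_shadowcopy\b.*remove-wmiobject")
GUID_EXE_NAME = re.compile(r"^\d+___[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.exe$")

def normalise(cmdline: str) -> str:
    # Lower-case and collapse whitespace so trivial case/spacing changes
    # (cheap obfuscation) do not slip past the regex.
    return " ".join(cmdline.lower().split())

def classify(event: dict) -> list[str]:
    """Return the names of every Akira indicator the event matches."""
    hits = []
    if event["type"] == "process":
        cmd = normalise(event["cmdline"])
        if WMI_SHADOW_DELETE.search(cmd):
            hits.append("shadow_copy_deletion_via_wmi")
        exe = PureWindowsPath(cmd.split()[0].strip('"')).name if cmd else ""
        if GUID_EXE_NAME.match(exe):
            hits.append("guid_named_executable")
    elif event["type"] == "file":
        path = PureWindowsPath(event["path"])
        if path.suffix.lower() == ".akira":
            hits.append("akira_extension_appended")
        if path.name.lower() == "akira_readme.txt":
            hits.append("ransom_note_dropped")
    return hits

def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each account to the distinct indicators seen under it, in order of first sight."""
    by_user: dict[str, list[str]] = {}
    for ev in events:
        for hit in classify(ev):
            if hit not in by_user.setdefault(ev["user"], []):
                by_user[ev["user"]].append(hit)
    return by_user

if __name__ == "__main__":
    for user, hits in scan(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(hits)}")
```

Grouping hits by account is deliberate: a single account (here the constructed ‘svc_veeam’) tripping the shadow-copy rule and then the .akira rule is a far stronger signal than either match on its own.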