What is Akira?
Akira is a new family of ransomware, first used in cybercrime attacks in March 2023.
Akira? Haven't we heard of that before?
Maybe you're thinking of the cyberpunk Manga comic books and movie that came out in the 1980s. Or perhaps you're thinking of an unrelated ransomware of the same name which emerged in 2017.
Maybe that's it. So what's the scoop with the new Akira ransomware?
There's two main reasons why the new Akira ransomware is capturing the headlines - the organisations it is said to be extorting, and its curious data leak site.
Okay, so one thing at a time. Who is Akira holding to ransom?
According to announcements Akira's leak website on the dark web, the ransomware has already hit a variety of organisations in the finance, real estate, and manufacturing sectors as well as a children's daycare centre.
Why would someone try to extort money from a children's daycare centre?
That's simple to answer. Money. Most of the criminals behind ransomware attacks have no scruples whatsoever as to who they attempt to coerce into paying up. In their eyes it makes no difference if you run a hospice, a children's school, a charity, or a big multinational business. Of course, at the same time we must recognise that many ransomware attacks simply do not discriminate between their victims. The daycare centre in Toronto that has been hit by the Akira ransomware may not have been specifically targeted - it may have simply just been the victim of misfortune.
So when the hackers break into your company's systems, what do they do?
Before triggering the Akira ransomware's encryption routine and posting a ransom demand, the cybercriminals exfiltrate data from hacked corporate networks. Then, when they believe they have stolen enough information to effectively extort a payment from their victim, hackers deploy Akira's payload.
So does Akira follow the usual routine? Encrypt your data files?
Yes, but first it delete Windows Shadow Volume Copies from devices by running a PowerShell command. Then, as you rightly guessed, it proceeds to encrypt a wide range of data filetypes, and appends ".akira" to the end of their filename. According to a report by Bleeping Computer, files with the following extensions are encrypted in the attack:
.abcddb, .abs, .abx, .accdb, .accdc, .accde, .accdr, .accdt, .accdw, .accft, .adb, .ade, .adf, .adn, .adp, .alf, .arc, .ask, .avdx, .avhd, .bdf, .bin, .btr, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad, .dadiagrams, .daschema, .db-shm, .db-wal, .dbc, .dbf, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .ddl, .dlis, .dqy, .dsk, .dsn, .dtsx, .dxl, .eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fmp, .fmp12, .fmpsl, .fol, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .hjt, .icg, .icr, .idb, .ihx, .iso, .itdb, .itw, .jet, .jtx, .kdb, .kdb, .kexi, .kexic, .kexis, .lgc, .lut, .lwx, .maf, .maq, .mar, .mas, .mav, .maw, .mdb, .mdf, .mdn, .mdt, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt, .nrmlib, .nsf, .nvram, .nwdb, .nyf, .odb, .oqy, .ora, .orx, .owc, .pan, .pdb, .pdm, .pnz, .pvm, .qcow2, .qry, .qvd, .raw, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb, .sdc, .sdf, .sis, .spq, .sql, .sqlite, .sqlite3, .sqlitedb, .subvol, .temx, .tmd, .tps, .trc, .trm, .udb, .udl, .usr, .vdi, .vhd, .vhdx, .vis, .vmcx, .vmdk, .vmem, .vmrs, .vmsd, .vmsn, .vmx, .vpd, .vsv, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld, .xmlff
So, if my company doesn't have a secure backup that it can restore these files from it may find itself in a sticky pickle...
Correct. The ransomware drops a ransom note into each folder where it has encrypted your files, telling you that you'll need to enter a negotiation to get your data back.
"Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal."
How kind of them!
Hmm. In addition, the ransom note offers a "security report" upon payment that the hackers say will reveal the weaknesses that allowed them to wreak their havoc.
"The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data."
Their generosity knows no limit! I guess they won't be so friendly if my company refuses to pay the ransom?
Correct.
"We will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog.
Ah. You mentioned that their dark web leak site was unusual. Why is that?
Maybe it was the case that the ransomware authors felt they couldn't be very creative in the visual appearance of their ransomware itself (as they wouldn't want it to draw too much attention to itself), and so they put their effort into their leak site instead. The Akira leak site, like its adopted name, appears to be happy to live in the 1980s. The site, which is reachable via Tor, adopts an old-school green-on-black theme, with visitors invited to type in commands rather than navigate through a menu.
I'll be honest with you, I rather like the look of it!
Yeah, me too. But I'd probably feel less kindly towards it if it was my data they were extorting for a ransom ranging from $200,000 to millions of dollars.
It's a shame they didn't stick with the retro style and charge 1980s prices!
It's a shame they are committing a crime at all. Our best advice is to follow the same recommendations we have given on how to protect your organisation from other ransomware. Those include:
- making secure offsite backups.
- running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
- Restrict an attacker's ability to spread laterally through your organisation via network segmentation.
- using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
- encrypting sensitive data wherever possible.
- reducing the attack surface by disabling functionality which your company does not need.
educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.
Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.
