Description
The new Akira ransomware operation has been targeting enterprise networks worldwide, breaching networks, encrypting files, and demanding million-dollar ransoms.
Details
This ransomware operation was launched in March 2023. As of May 2023, approximately two (2) months from launch, the ransomware gang claims to have successfully breached sixteen (16) companies across industries including education, finance, real estate, manufacturing, and consulting. MalwareHunterTeam, the researchers behind the discovery of Akira, stated that this new ransomware operation is not believed to be related to another ransomware operation of the same name, which was released in 2017.
According to pcrisk.com, the ransomware is distributed primarily through infected email attachments, but it can also be found in files from torrent sites, malicious ads, or pirated software. When the ransomware is executed, it first deletes Windows Shadow Volume Copies on the infected device. Before encrypting, the ransomware gang attempts to gather corporate or sensitive data to leverage in its extortion attempts against the victim. Akira then proceeds to encrypt all files with the following extensions:
.accdb, .accde, .accdc, .accdt, .accdr, .adb, .accft, .adf, .ade, .arc, .adp, .alf, .ora, .btr, .ask, .cat, .bdf, .ckp, .cdb, .cpd, .cma, .dad, .dacpac, .daschema, .dadiagrams, .db-shm, .db-wal, .dbf, .dbc, .dbt, .dbs, .dbx, .dbv, .dct, .dcb, .ddl, .dcx, .dlis, .dsk, .dqy, .dtsx, .dsn, .eco, .dxl, .edb, .ecx, .exb, .epim, .fdb, .fcd, .fmp, .fic, .fmpsl, .fmp12, .fol, .fpt, .gdb, .frm, .gwi, .grdb, .his, .hdb, .idb, .itdb, .ihx, .jet, .itw, .kdb, .jtx, .kexic, .kexi, .lgc, .kexis, .maf, .lwx, .mar, .maq, .mav, .mas, .mdf, .mdb, .mrg, .mpd, .mwb, .mud, .ndf, .myd, .nrmlib, .nnt, .nsf, .nyf, .nwdb, .oqy, .odb, .owc, .orx, .pdb, .pan, .pnz, .pdm, .qvd, .qry, .rctd, .rbf, .rodx, .rod, .rsd, .rpd, .sbf, .sas7bdat, .sdb, .scx, .sdf, .sdc, .spq, .sis, .sqlite, .sql, .sqlitedb, .sqlite3, .temx, .tps, .tmd, .trm, .trc, .udl, .udb, .usr, .vpd, .vis, .wdb, .vvv, .wrk, .wmdb, .xld, .xdb, .abcddb, .xmlff, .abx, .abs, .adn, .accdw, .icg, .hjt, .kdb, .icr, .maw, .lut, .mdt, .mdn, .vhd, .vdi, .pvm, .vmdk, .vmsn, .vmem, .nvram, .vmsd, .raw, .vmx, .subvol, .qcow2, .vsv, .bin, .vmrs, .avhd, .avdx, .vhdx, .iso, .vmcx
The ransomware encrypts any of these files it finds and appends the .akira extension to them. The Akira encryptor, however, skips files located in the Recycle Bin, System Volume Information, Boot, ProgramData, and Windows folders. It also avoids encrypting Windows system files with .exe, .lnk, .dll, .msi, and .sys file extensions. It is suspected that this is intentional, as the ransomware gang does not want to render the infected device inoperable. Each folder on the infected device will contain the ransom note named akira_readme.txt, which includes information on what occurred and links to the Akira data leak site and negotiation site. The ransom note provides a unique password for each victim to use to access the ransomware's negotiation website. This website is a chat room that is used to communicate with the threat actors.
Akira can also utilize the Windows Restart Manager API (Application Programming Interface) to terminate processes or Windows services that may be keeping a file active or open and preventing it from encryption.
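The shadow-copy deletion described in the Details section is one of the earliest host-level signals a defender can alert on. The following is an added example, not part of this advisory or any CIRT tooling: a small detection routine run over constructed process-creation events (the field names `host`, `image` and `cmdline` are assumptions about the log schema). The command-line patterns it matches are the well-known shadow-copy deletion methods catalogued under MITRE ATT&CK T1490 (Inhibit System Recovery); the advisory itself does not name the specific command Akira uses, so the patterns are a general detection, not a statement about Akira's code.

```python
"""Flag process-creation events that delete Windows Volume Shadow Copies (added example)."""
import re

# Detection rules: (rule name, regex applied case-insensitively to the command line).
# These are generic T1490 patterns, an assumption about the tooling used, not taken
# from the advisory.
SHADOW_DELETE_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"win32_shadowcopy[^\n]*\.delete\(\)", re.I)),
]

# Constructed sample events (not real telemetry). Field names are assumed.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "WS03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"'},
    # Benign: listing shadow copies is normal administrative activity.
    {"host": "WS04", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "WS05", "image": r"C:\Program Files\Backup\backup.exe",
     "cmdline": "backup.exe --full"},
]


def detect_shadow_copy_deletion(events):
    """Return one alert dict per event whose command line matches a deletion rule."""
    alerts = []
    for ev in events:
        cmdline = ev.get("cmdline", "")
        for rule_name, pattern in SHADOW_DELETE_RULES:
            if pattern.search(cmdline):
                alerts.append({"host": ev.get("host"), "rule": rule_name,
                               "cmdline": cmdline})
                break  # one alert per event is enough
    return alerts


def alerted_hosts(events):
    """Convenience view: sorted list of hosts that raised at least one alert."""
    return sorted({a["host"] for a in detect_shadow_copy_deletion(events)})


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']}: {alert['cmdline']}")
```

In production this logic would sit on Sysmon Event ID 1 or Windows Security 4688 command-line data; the `break` keeps one alert per event so a single command does not fan out into several tickets, and the benign `list shadows` event shows the rules do not fire on routine VSS administration.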
Indicators of Compromise
MD5 hash – 431d61e95586c03461552d134ca54d16
SHA-256 – 67afa125bf8812cd943abed2ed56ed6e07853600ad609b40bdf9ad4141e612b4
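The Details section gives three on-disk artefacts a responder can look for (the .akira extension, the per-folder ransom note, and the list of targeted extensions), and the Indicators of Compromise section gives a sample hash. The following hunt script is an added example, not code from this advisory or from any CIRT: it walks a file tree, reports encrypted files, ransom notes and files whose SHA-256 matches the advisory's IoC, and inventories a subset of the targeted extensions (databases and virtual disks) so their backups can be verified. The sample tree it builds is constructed for the demonstration; the helper names (`hunt`, `make_sample_tree`) are this example's own.

```python
"""Hunt for Akira ransomware artefacts on a file tree (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 of the Akira sample from the advisory's Indicators of Compromise.
KNOWN_SHA256 = {
    "67afa125bf8812cd943abed2ed56ed6e07853600ad609b40bdf9ad4141e612b4",
}
ENCRYPTED_EXT = ".akira"          # extension appended to encrypted files
RANSOM_NOTE = "akira_readme.txt"  # ransom note dropped in each folder
# Subset of the advisory's target extensions, chosen here to inventory high-value
# database and virtual-disk files whose backups should be verified.
TARGET_EXTS = {".accdb", ".mdf", ".ndf", ".dbf", ".sql", ".sqlite", ".sqlite3",
               ".db-wal", ".vhd", ".vhdx", ".vdi", ".vmdk", ".qcow2"}


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root, known_hashes=KNOWN_SHA256):
    """Walk `root` and classify files; returns sorted relative paths per category."""
    root = Path(root)
    findings = {"encrypted": [], "ransom_notes": [], "ioc_hash_match": [], "at_risk": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(rel)
            elif lower == RANSOM_NOTE:
                findings["ransom_notes"].append(rel)
            elif Path(lower).suffix in TARGET_EXTS:
                findings["at_risk"].append(rel)
            try:
                if sha256_of(path) in known_hashes:
                    findings["ioc_hash_match"].append(rel)
            except OSError:
                continue  # unreadable file; skip rather than abort the hunt
    return {k: sorted(v) for k, v in findings.items()}


def is_compromised(findings):
    """True when any artefact indicating an actual Akira infection was found."""
    return bool(findings["encrypted"] or findings["ransom_notes"] or findings["ioc_hash_match"])


def make_sample_tree():
    """Build a constructed directory tree for the demonstration; returns its path."""
    base = Path(tempfile.mkdtemp(prefix="akira_hunt_"))
    files = {
        "finance/q1_report.xlsx.akira": b"\x00\x01encrypted-placeholder",
        "finance/akira_readme.txt": b"constructed ransom note placeholder\n",
        "finance/ledger.mdf": b"constructed database placeholder",
        "docs/notes.txt": b"nothing suspicious here\n",
        "staging/dropper.bin": b"constructed sample binary, not real malware",
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return base


if __name__ == "__main__":
    sample = make_sample_tree()
    result = hunt(sample)
    for category, paths in result.items():
        print(f"{category}: {paths}")
    print("compromised:", is_compromised(result))
```

Run against a real share, the `encrypted` and `ransom_notes` lists confirm impact scope, `ioc_hash_match` locates the dropped binary (the advisory notes the encryptor skips the Windows and ProgramData folders, so the walk deliberately does not skip them), and `at_risk` is the backup-verification worklist even when nothing else is found.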
Remediation
To protect yourself against ransomware attacks like Akira, it is recommended to practice proper cyber security hygiene when navigating the internet. Here are some tips to consider:
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Akira targets enterprise networks worldwide.pdf