1. Home
  2. Groups
  3. Akira

Akira

Akira is a ransomware variant and ransomware deployment entity active since at least March 2023.[1] Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.[1][2] Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates multiple overlaps with and similarities to Conti malware.[3]

ID: G1024
Associated Groups: GOLD SAHARA, PUNK SPIDER
Version: 1.0
Created: 20 February 2024
Last Modified: 03 October 2024
Version Permalink

Associated Group Descriptions

Name Description
GOLD SAHARA

[2]
PUNK SPIDER

[4]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1531 Account Access Removal

Akira deletes administrator accounts in victim networks prior to encryption.[2]
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Akira uses utilities such as WinRAR to archive data prior to exfiltration.[2]
Enterprise T1486 Data Encrypted for Impact

Akira encrypts files in victim environments as part of ransomware operations.[3]
Enterprise T1213 .002 Data from Information Repositories: Sharepoint

Akira has accessed and downloaded information stored in SharePoint instances as part of data gathering and exfiltration activity.[2]
Enterprise T1482 Domain Trust Discovery

Akira uses the built-in Nltest utility or tools such as AdFind to enumerate Active Directory trusts in victim environments.[1]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Akira will exfiltrate victim data using applications such as Rclone.[2]
Enterprise T1133 External Remote Services

Akira uses compromised VPN accounts for initial access to victim networks.[2]
Enterprise T1657 Financial Theft

Akira engages in double-extortion ransomware, exfiltrating files then encrypting them, in order to prompt victims to pay a ransom.[3]
Enterprise T1219 Remote Access Software

Akira uses legitimate utilities such as AnyDesk and PuTTy for maintaining remote access to victim environments.[2][1]
Enterprise T1018 Remote System Discovery

Akira uses software such as Advanced IP Scanner and MASSCAN to identify remote hosts within victim networks.[1]
Enterprise T1078 Valid Accounts

Akira uses valid account information to remotely access victim networks, such as VPN credentials.[2][1]

Software

ID Name References Techniques
S0552 AdFind [1] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery
S1129 Akira [5] Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Data Encrypted for Impact, File and Directory Discovery, Inhibit System Recovery, Native API, Network Share Discovery, Process Discovery, System Information Discovery, Windows Management Instrumentation
S0349 LaZagne [1] Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Keychain, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, Unsecured Credentials: Credentials In Files
S0002 Mimikatz [1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0029 PsExec [1] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S1040 Rclone [1] Archive Collected Data: Archive via Utility, Data Transfer Size Limits, Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Web Service: Exfiltration to Cloud Storage, File and Directory Discovery

References

  1. Steven Campbell, Akshay Suthar, & Connor Belfiorre. (2023, July 26). Conti and Akira: Chained Together. Retrieved February 20, 2024.
  2. Secureworks. (n.d.). GOLD SAHARA. Retrieved February 20, 2024.
  3. Will Thomas. (2023, September 15). Tracking Adversaries: Akira, another descendent of Conti. Retrieved February 21, 2024.
  1. CrowdStrike. (n.d.). Punk Spider. Retrieved February 20, 2024.
  2. Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024.