| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Akira will execute PowerShell commands to delete system volume shadow copies.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Akira executes from the Windows command line and can take various arguments for execution.[1] |
| Enterprise | T1486 | Data Encrypted for Impact | Akira encrypts victim filesystems for financial extortion purposes.[1] |
| Enterprise | T1083 | File and Directory Discovery | Akira examines files prior to encryption to determine if they meet requirements for encryption and can be encrypted by the ransomware. These checks are performed through native Windows functions such as |
| Enterprise | T1490 | Inhibit System Recovery | Akira will delete system volume shadow copies via PowerShell commands.[1] |
| Enterprise | T1106 | Native API | Akira executes native Windows functions such as |
| Enterprise | T1135 | Network Share Discovery | |
| Enterprise | T1057 | Process Discovery | Akira verifies the deletion of volume shadow copies by checking for the existence of the process ID related to the process created to delete these items.[1] |
| Enterprise | T1082 | System Information Discovery | Akira uses the |
| Enterprise | T1047 | Windows Management Instrumentation | Akira will leverage COM objects accessed through WMI during execution to evade detection.[1] |