1. Home
  2. Software
  3. Akira

Akira

Akira ransomware, written in C++, is most prominently (but not exclusively) associated with the ransomware-as-a-service entity Akira. Akira ransomware has been used in attacks across North America, Europe, and Australia, with a focus on critical infrastructure sectors including manufacturing, education, and IT services. Akira ransomware employs hybrid encryption and threading to increase the speed and efficiency of encryption and runtime arguments for tailored attacks. Notable variants include Rust-based Megazord for targeting Windows and Akira _v2 for targeting VMware ESXi servers.[1][2][3]

ID: S1129
Type: MALWARE
Platforms: Windows
Contributors: Jiraput Thamsongkrah
Version: 2.0
Created: 04 April 2024
Last Modified: 11 March 2025
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Akira will execute PowerShell commands to delete system volume shadow copies.[1][2]
.003 Command and Scripting Interpreter: Windows Command Shell

Akira executes from the Windows command line and can take various arguments for execution.[1]
Enterprise T1486 Data Encrypted for Impact

Akira can encrypt victim filesystems for financial extortion purposes including through the use of the ChaCha20 and ChaCha8 stream ciphers.[1][2][3]
Enterprise T1083 File and Directory Discovery

Akira examines files prior to encryption to determine if they meet requirements for encryption and can be encrypted by the ransomware. These checks are performed through native Windows functions such as GetFileAttributesW.[1][3]
Enterprise T1490 Inhibit System Recovery

Akira will delete system volume shadow copies via PowerShell commands.[1][2]
Enterprise T1106 Native API

Akira executes native Windows functions such as GetFileAttributesW and GetSystemInfo.[1]
Enterprise T1135 Network Share Discovery

Akira can identify remote file shares for encryption.[1]
Enterprise T1057 Process Discovery

Akira verifies the deletion of volume shadow copies by checking for the existence of the process ID related to the process created to delete these items.[1]
Enterprise T1082 System Information Discovery

Akira uses the GetSystemInfo Windows function to determine the number of processors on a victim machine.[1]
Enterprise T1047 Windows Management Instrumentation

Akira will leverage COM objects accessed through WMI during execution to evade detection.[1]

Groups That Use This Software

ID Name References
G1024 Akira

[1][3]

References

  1. Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024.
  2. CISA et al. (2024, April 18). #StopRansomware: Akira Ransomware. Retrieved December 10, 2024.
  1. Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024.