Akira is swiftly becoming one of the fastest-growing ransomware families thanks to its use of double extortion tactics, a ransomware-as-a-service (RaaS) distribution model, and unique payment options.
Based on a report that analyzed blockchain and source code data, the Akira ransomware group appears to be affiliated with the now-defunct Conti ransomware gang. Conti, one of the most notorious ransomware families in recent history, is believed to be the descendant of yet another prolific ransomware family, the highly targeted Ryuk ransomware.
As ransomware actors evolve their tactics, create more sophisticated ransomware families, and cause financial and reputational harm to businesses, organizations need to work on improving their cybersecurity posture to effectively thwart complex threats. This report spotlights Akira, a novel ransomware family with highly experienced and skilled operators at its helm.
What organizations need to know about Akira
Akira ransomware emerged in March 2023 and has been known to target companies based in the US and Canada.
Its Tor leak site has a unique retro look that, according to a report from Sophos, is reminiscent of “1980s green-screen consoles” that can be navigated by typing specific commands.
Based on its code, it is completely different from the Akira ransomware family that was active in 2017, even though they both append encrypted files with the same .akira extension.
As previously mentioned, Akira operators are associated with Conti ransomware actors, which explains code similarities in both ransomware families. In July, the Arctic Wolf Labs Team reported that Akira shared code similarities with the Conti ransomware. However, they also noted that when Conti’s source code was leaked, different malicious actors used it to create or tweak their own ransomware code, which makes it even more challenging to trace back ransomware families to Conti operators.
Based on our own analysis, Akira appears to be based on the Conti ransomware: It shares similar routines with Conti, such as string obfuscation and file encryption, and avoids the same file extensions that Conti avoids. We believe that Akira operators’ main motivation for targeting organizations is financial in nature.
The Akira RaaS group performs double extortion tactics and steals victims’ critical data prior to encrypting devices and files. Interestingly, reports indicate that Akira operators give victims the option to pay for either file decryption or data deletion; they don’t force victims into paying for both. Reported ransom demands for Akira typically range from US$200,000 to over US$4 million.
On Sept. 12, 2023, the U.S. Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HC3) released a security bulletin alerting the healthcare industry of Akira attacks.
In June 2023, just three months after Akira was discovered, Akira expanded its list of targeted systems to include Linux machines. Malware analyst rivitna shared on X that Akira ransomware actors used a Linux encryptor and targeted VMware ESXi virtual machines.
Meanwhile, in August, incident responder Aura reported that Akira was targeting Cisco VPN accounts that didn’t have multifactor authentication (MFA).
Cisco released a security advisory on Sept. 6, 2023, stating that Akira ransomware operators exploited CVE-2023-20269, a zero-day vulnerability in the remote access VPN feature of two of its products: the Cisco Adaptive Security Appliance (ASA) software and Cisco Firepower Threat Defense (FTD) software.
Cisco reported that malicious actors who exploit CVE-2023-20269 can identify valid credentials that could be abused to establish unauthorized remote access VPN sessions, and for victims running Cisco ASA Software Release 9.16 or earlier, establish a clientless SSL VPN session.
Recently, SentinelOne released a video analyzing an Akira ransomware variant named Megazord that emerged in August 2023. This variant appears to reference a Power Rangers formation because it encrypts files with the “POWERRANGES” file extension. The ransom note, which is named “powerranges.txt,” instructs victims to contact the ransomware actor via Tox messenger.
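As an added detection example (not code from this report or from the researchers it cites), the following Python scans constructed file-event log lines for the on-disk artifacts the article names: a burst of renames to the .akira or .powerranges extension on one host, and creation of the Megazord ransom note powerranges.txt. The log line format, the burst threshold, the time window and the host names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Artifacts named in the article: the ".akira" extension (also used by the
# unrelated 2017 family, so it is a trigger, not attribution) and Megazord's
# ".powerranges" extension plus its "powerranges.txt" ransom note.
SUSPECT_EXTENSIONS = {".akira", ".powerranges"}
RANSOM_NOTES = {"powerranges.txt"}
BURST_THRESHOLD = 5            # assumed: suspect renames per host within WINDOW
WINDOW = timedelta(minutes=2)  # assumed sliding window
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) op=(?P<op>\w+) path=(?P<path>.+)$")

def parse_event(line):
    """Parse one constructed file-event line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name = m["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "op": m["op"], "name": name, "ext": ext}

def detect(lines):
    """Return {host: sorted reasons} for hosts with a rename burst or a note drop."""
    alerts = defaultdict(set)
    recent = defaultdict(list)  # host -> timestamps of suspect renames in WINDOW
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["op"] == "create" and ev["name"] in RANSOM_NOTES:
            alerts[ev["host"]].add("ransom_note")
        if ev["op"] == "rename" and ev["ext"] in SUSPECT_EXTENSIONS:
            window = [t for t in recent[ev["host"]] if ev["ts"] - t <= WINDOW]
            window.append(ev["ts"])
            recent[ev["host"]] = window
            if len(window) >= BURST_THRESHOLD:
                alerts[ev["host"]].add("rename_burst")
    return {host: sorted(reasons) for host, reasons in alerts.items()}
# Constructed sample: srv01 shows a rename burst plus the Megazord note;
# ws07 renames one file to .akira, which on its own does not alert.
SAMPLE_LOG = """\
2023-09-12T10:00:01 host=srv01 op=rename path=C:\\share\\q3.xlsx.akira
2023-09-12T10:00:02 host=srv01 op=rename path=C:\\share\\hr.docx.akira
2023-09-12T10:00:02 host=srv01 op=rename path=C:\\share\\plan.pdf.akira
2023-09-12T10:00:03 host=srv01 op=rename path=C:\\share\\db.bak.akira
2023-09-12T10:00:04 host=srv01 op=rename path=C:\\share\\notes.txt.akira
2023-09-12T10:00:05 host=srv01 op=create path=C:\\share\\powerranges.txt
2023-09-12T10:30:00 host=ws07 op=rename path=/home/a/old.tar.akira
""".splitlines()
```

Because the 2017 Akira family uses the same .akira extension, the rename burst alone should drive containment, while attribution waits for the ransom note and code analysis.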