Title: The Emergence and Tactics of the Akira Ransomware Group
Introduction:
In May 2023, the Sophos MDR Threat Intelligence team published a blog post highlighting the rise of the Akira ransomware group. This group had quickly gained notoriety in the cybersecurity landscape, targeting small to medium-sized businesses and posting hundreds of alleged victims on their data leak site. As Sophos responded to over a dozen incidents involving Akira, they observed key trends and tactics employed by the group.
Akira’s Targeting and Attacks:
According to Sophos’ dataset, Akira primarily targeted organizations in Europe, North America, and Australia, spanning various sectors such as government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunications. The timeline of observed Akira attacks highlights their increasing activity since their inception in March.
Shift in Operations:
Starting in October, Sophos noted a shift in Akira’s tactics, with the group performing extortion-only operations. In these cases, the actors exfiltrated data from the victim’s environment without deploying ransomware or encrypting systems. This change marked a new phase for the group, demonstrating their adaptability and desire to maximize their impact.
Variants and Backdoor Usage:
Sophos encountered only a single case in which Akira used the Megazord ransomware variant in late August. However, the group typically relied on different tactics. In one incident, Sophos discovered Akira actors using a previously unreported backdoor (exe) to establish command-and-control (C2). This deviation from their norm of using dual-use agents for C2 purposes demonstrated their evolving techniques.
Attack Chain:
The initial access method frequently employed by Akira involved unauthorized logins to VPNs lacking multi-factor authentication (MFA). Cisco VPN products without MFA, such as Cisco ASA SSL VPN or Cisco AnyConnect, were often targeted. The threat actors also exploited known vulnerabilities in VPN software. Credential access was facilitated through various methods, including minidumping LSASS process memory, acquiring credentials stored in Active Directory, and exploiting vulnerabilities in Veeam backup services.
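The credential-access step above (minidumping LSASS memory) leaves a characteristic trace: a process opening lsass.exe with an access mask that includes the right to read its memory. The following detection logic is an added example and not code from the Sophos report. It evaluates Sysmon Event ID 10 (ProcessAccess) style records, which carry the SourceImage, TargetImage and a hex GrantedAccess mask; the records, the allowlisted EDR path and the process names are constructed for illustration.

```python
# Access-mask bits from the Win32 process access rights (winnt.h).
PROCESS_VM_READ = 0x0010                    # needed to read another process's memory
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # what routine inventory tools usually request
PROCESS_ALL_ACCESS = 0x1FFFFF               # full access, commonly requested by dump tools

LSASS_PATH = r"c:\windows\system32\lsass.exe"

# Processes permitted to read LSASS memory in this hypothetical environment
# (for example an EDR sensor); compare lower-cased, fully qualified paths.
ALLOWLIST = {r"c:\program files\edr\sensor.exe"}

# Constructed Sysmon Event ID 10 (ProcessAccess) records; not real telemetry.
SAMPLE_EVENTS = [
    # Query-only access: routine and benign.
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    # Full access from an unsigned binary in a temp folder: classic dump-tool pattern.
    {"SourceImage": r"C:\Users\svc\AppData\Local\Temp\pd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # Task Manager can legitimately write a dump file; flagged for analyst review.
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    # Allowlisted sensor reading LSASS memory: suppressed.
    {"SourceImage": r"C:\Program Files\EDR\sensor.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Not LSASS at all: ignored.
    {"SourceImage": r"C:\Windows\System32\notepad.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]


def parse_mask(granted_access):
    """Sysmon reports GrantedAccess as a hex string such as '0x1FFFFF'."""
    return int(granted_access, 16)


def reads_process_memory(mask):
    """True when the mask grants PROCESS_VM_READ (set in 0x1FFFFF, 0x1410, 0x1010, ...)."""
    return bool(mask & PROCESS_VM_READ)


def suspicious_lsass_access(events, allowlist=ALLOWLIST):
    """Return LSASS memory-read events whose source is not on the allowlist."""
    findings = []
    for e in events:
        if e["TargetImage"].lower() != LSASS_PATH:
            continue
        mask = parse_mask(e["GrantedAccess"])
        if not reads_process_memory(mask):
            continue
        if e["SourceImage"].lower() in allowlist:
            continue
        findings.append({
            "source": e["SourceImage"],
            "granted_access": hex(mask),
            # Full access is the strongest signal; partial read masks still warrant review.
            "full_access": mask == PROCESS_ALL_ACCESS,
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_lsass_access(SAMPLE_EVENTS):
        print(f)
```

Keying on the PROCESS_VM_READ bit rather than on exact mask values keeps the rule robust against tools that request unusual combinations, while the allowlist absorbs the security products that must read LSASS by design.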
Discovery and Lateral Movement:
Akira actors used built-in ping and net commands to discover additional systems and assess the status of target devices. They often enumerated Active Directory information, focusing on the Domain Administrators and Local Administrators groups. Remote Desktop Protocol (RDP) with valid local administrator accounts was the most common method used for lateral movement. SMB and Impacket module wmiexec were also employed in conjunction with RDP. Additionally, the attackers utilized tools like VmConnect.exe to manage virtual machines running on Hyper-V hosts.
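Each discovery and lateral-movement technique listed above shows up in process-creation telemetry (Windows Event ID 4688 or Sysmon Event ID 1). The detector below is an added example, not code from Sophos or from the Akira investigation, and the records it runs over are constructed. It flags enumeration of the Domain Administrators and Local Administrators groups, a burst of ping commands from one user on one host, use of VmConnect.exe, and the command-line shape produced by Impacket's wmiexec (its default of running commands through cmd.exe and redirecting output into a file named __<timestamp> on the ADMIN$ share). Host names, user names and the sweep threshold are assumptions.

```python
import re
from collections import defaultdict

# Enumeration of privileged groups via net.exe / net1.exe.
ADMIN_GROUP_RE = re.compile(
    r'\bnet1?(?:\.exe)?\s+(?:group|localgroup)\s+"?(?:domain admins|administrators|enterprise admins)"?',
    re.IGNORECASE,
)
# Impacket wmiexec default execution shape: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1
WMIEXEC_RE = re.compile(r'cmd\.exe\s+/Q\s+/c\s+.*1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+', re.IGNORECASE)
# Hyper-V console client used to interact with guest VMs.
VMCONNECT_RE = re.compile(r'\bvmconnect\.exe\b', re.IGNORECASE)
# A command line that starts with ping (optionally fully qualified).
PING_RE = re.compile(r'^(?:.*\\)?ping(?:\.exe)?\s', re.IGNORECASE)
PING_SWEEP_THRESHOLD = 3  # distinct targets pinged by one user on one host (assumed value)

# Constructed process-creation records; not real telemetry.
SAMPLE_PROCESSES = [
    {"host": "WS01", "user": "CORP\\jdoe", "parent": "explorer.exe", "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "WS01", "user": "CORP\\jdoe", "parent": "cmd.exe", "cmdline": "net localgroup administrators"},
    {"host": "WS01", "user": "CORP\\jdoe", "parent": "cmd.exe", "cmdline": "ping -n 1 10.0.0.12"},
    {"host": "WS01", "user": "CORP\\jdoe", "parent": "cmd.exe", "cmdline": "ping -n 1 10.0.0.13"},
    {"host": "WS01", "user": "CORP\\jdoe", "parent": "cmd.exe", "cmdline": "ping -n 1 10.0.0.14"},
    {"host": "SRV02", "user": "SRV02\\admin", "parent": "WmiPrvSE.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1699999999.12 2>&1"},
    {"host": "HV01", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "cmdline": r'"C:\Windows\System32\VmConnect.exe" HV01 "FileServer"'},
    # Benign: a single ping to a known host by another user.
    {"host": "WS05", "user": "CORP\\asmith", "parent": "explorer.exe", "cmdline": "ping -n 1 fileserver"},
]


def _finding(rule, record):
    return {"rule": rule, "host": record["host"], "user": record["user"],
            "parent": record["parent"], "detail": record["cmdline"]}


def analyze(records):
    """Apply the discovery / lateral-movement rules and return a list of findings."""
    findings = []
    ping_targets = defaultdict(set)  # (host, user) -> distinct ping targets
    for r in records:
        cmd = r["cmdline"]
        if ADMIN_GROUP_RE.search(cmd):
            findings.append(_finding("admin_group_enumeration", r))
        if WMIEXEC_RE.search(cmd):
            # Parent WmiPrvSE.exe confirms the WMI execution path; keep it in the finding.
            findings.append(_finding("wmiexec_style_execution", r))
        if VMCONNECT_RE.search(cmd):
            findings.append(_finding("hyperv_console_use", r))
        if PING_RE.match(cmd):
            ping_targets[(r["host"], r["user"])].add(cmd.split()[-1])
    for (host, user), targets in ping_targets.items():
        if len(targets) >= PING_SWEEP_THRESHOLD:
            findings.append({"rule": "ping_sweep", "host": host, "user": user,
                             "parent": None, "detail": sorted(targets)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_PROCESSES):
        print(f["rule"], f["host"], f["user"], f["detail"])
```

None of these rules is conclusive on its own (administrators enumerate groups and ping hosts too); their value comes from firing together for the same account within a short window, which is why each finding keeps host and user for correlation.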
Persistence and Privilege Escalation:
To maintain persistence, Akira actors created user accounts and added them to security-enabled local groups. They also reset passwords for domain accounts and added newly created users to the Special Accounts registry key. In some instances, the threat actors created new domain groups and added their accounts to elevate privileges within compromised systems.
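The persistence steps above map onto standard Windows Security audit events: 4720 (user account created), 4732 and 4728 (member added to a security-enabled local or global group), 4727 (security-enabled global group created), 4724 (password reset attempt) and, with object-access auditing enabled, 4657 (registry value modified) on the Winlogon SpecialAccounts\UserList key, which hides the named account from the logon screen. The correlation below is an added example and not code from the Sophos report; it uses a simplified record schema, a 24-hour window and a reset threshold that are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins", "remote desktop users"}
USERLIST_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
WINDOW = timedelta(hours=24)  # assumed correlation window
RESET_THRESHOLD = 2           # assumed: resets of distinct accounts by one subject in the window

# Constructed Security events in a simplified schema; not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2023-10-02T01:10:00", "id": 4720, "subject": "CORP\\svc_backup", "target": "itadmin2"},
    {"time": "2023-10-02T01:11:30", "id": 4732, "subject": "CORP\\svc_backup", "group": "Administrators", "member": "itadmin2"},
    {"time": "2023-10-02T01:12:05", "id": 4657, "subject": "CORP\\svc_backup", "object": USERLIST_KEY, "value": "itadmin2"},
    {"time": "2023-10-02T01:20:00", "id": 4727, "subject": "CORP\\svc_backup", "group": "Backup Ops2"},
    {"time": "2023-10-02T01:21:00", "id": 4728, "subject": "CORP\\svc_backup", "group": "Backup Ops2", "member": "itadmin2"},
    {"time": "2023-10-02T01:30:00", "id": 4724, "subject": "CORP\\svc_backup", "target": "jsmith"},
    {"time": "2023-10-02T01:31:00", "id": 4724, "subject": "CORP\\svc_backup", "target": "mlee"},
    # Benign: helpdesk creates a user and grants RDP a week later, outside the window.
    {"time": "2023-09-20T09:00:00", "id": 4720, "subject": "CORP\\helpdesk", "target": "newhire"},
    {"time": "2023-09-27T09:05:00", "id": 4732, "subject": "CORP\\helpdesk", "group": "Remote Desktop Users", "member": "newhire"},
]


def correlate(events):
    """Correlate account creation with group changes, UserList edits and password resets."""
    events = sorted(events, key=lambda e: e["time"])
    created = {}                 # account name (lower) -> creation time
    new_groups = {}              # group name (lower) -> creation time
    resets = defaultdict(set)    # subject -> accounts whose password was reset
    findings = []

    def recent(name, table, now):
        return name in table and now - table[name] <= WINDOW

    for e in events:
        now = datetime.fromisoformat(e["time"])
        eid = e["id"]
        if eid == 4720:
            created[e["target"].lower()] = now
        elif eid == 4727:
            new_groups[e["group"].lower()] = now
        elif eid in (4732, 4728):
            member, group = e["member"].lower(), e["group"].lower()
            if recent(member, created, now) and group in PRIVILEGED_GROUPS:
                findings.append({"rule": "new_account_added_to_privileged_group",
                                 "subject": e["subject"], "account": e["member"], "group": e["group"]})
            elif recent(member, created, now) and recent(group, new_groups, now):
                # A freshly created group receiving a freshly created account.
                findings.append({"rule": "new_account_added_to_new_group",
                                 "subject": e["subject"], "account": e["member"], "group": e["group"]})
        elif eid == 4657 and e["object"].lower() == USERLIST_KEY.lower():
            if recent(e["value"].lower(), created, now):
                findings.append({"rule": "new_account_hidden_from_logon_screen",
                                 "subject": e["subject"], "account": e["value"]})
        elif eid == 4724:
            resets[e["subject"]].add(e["target"].lower())
            if len(resets[e["subject"]]) == RESET_THRESHOLD:  # fire once when the threshold is reached
                findings.append({"rule": "multiple_password_resets", "subject": e["subject"],
                                 "accounts": sorted(resets[e["subject"]])})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

Tying every rule back to the creating subject is what turns four separate low-severity events into one actionable case: the same account created a user, hid it, elevated it and reset other people's passwords inside twenty minutes.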
Conclusion:
The emergence of the Akira ransomware group has posed a significant threat to small to medium-sized businesses across multiple sectors and geographical regions. Their evolving tactics, such as performing extortion-only operations and utilizing new backdoors, demonstrate their adaptability and determination. Understanding Akira’s attack chain and techniques is crucial for organizations to enhance their cybersecurity measures and mitigate the risk of falling victim to this ransomware group.