Akira (ransomware)

From Wikipedia

Akira is a ransomware family that emerged in March 2023.[1] It has targeted over 250 entities, including the US energy firm BHI Energy,[2] Nissan Australia,[3][4] the Finnish IT services provider Tietoevry,[5][6][7][8] and Stanford University.[9][10] The group has also claimed responsibility for a ransomware attack on the Toronto Zoo, though the zoo has not linked the incident to any particular threat actor.[11] Akira is offered as ransomware-as-a-service.[12]

Akira is estimated to have earned up to $42 million from its inception in March 2023 until April 2024.[13]

Methods

Akira primarily targets Cisco VPN products as an attack vector to breach networks, especially those without multi-factor authentication enabled.[14][15] The group uses publicly available or natively installed tools and techniques for lateral movement. There are both Windows and Linux variants of Akira ransomware.

Akira uses double-extortion techniques: data is exfiltrated from the environment before it is encrypted, and the group threatens to publish that data if the ransom is not paid.[16]

Akira v2

Akira v2 is written in Rust and is designed to locate files based on specific parameters, tailoring encryption to more specific file types.[17] These file types are often associated with database project files, optical media, Exchange mailbox databases, virtual hard disks, and other file types associated with virtualization and virtual machines.

Key Generation

Akira used CryptGenRandom to generate a symmetric key, which was then protected by a hybrid scheme combining the ChaCha20 stream cipher with an RSA-4096 public key; the encrypted key was appended to the end of each encrypted file.[1] Only the threat actors possessed the corresponding private key, so files could not be decrypted without paying the ransom.

Akira ransomware has both a Windows and a Linux version: the Windows version uses the Windows CryptoAPI library, while the Linux variant uses the Crypto++ library to encrypt devices when the ransomware is deployed.

Decryptor

In June 2023, Avast released a decryptor for the Akira ransomware, likely exploiting the partial file encryption approach used at the time to recover files without obtaining any keys.[18] The decryptor does not run natively on Linux; if needed, it is recommended to run it under the Wine compatibility layer on a Linux machine.

References

  1. "#StopRansomware: Akira Ransomware". CISA (www.cisa.gov). April 18, 2024.
  2. "BHI-notice". www.documentcloud.org. Retrieved March 8, 2025.
  3. Paganini, Pierluigi (December 22, 2023). "Akira ransomware gang claims the theft of sensitive data from Nissan Australia". Security Affairs.
  4. "Nissan Australia cyberattack claimed by Akira ransomware gang". BleepingComputer. Retrieved March 8, 2025.
  5. Paganini, Pierluigi (January 24, 2024). "Akira ransomware attack on Tietoevry disrupted the services of many Swedish organizations". Security Affairs.
  6. "Akira ransomware hits cloud service Tietoevry; numerous Swedish customers affected". The Record (therecord.media).
  7. Tietoevry. "Restoration work progressing at Tietoevry". www.tietoevry.com. Retrieved March 8, 2025.
  8. Tietoevry. "UPDATE: Ransomware attack in Swedish data center". www.tietoevry.com. Retrieved March 8, 2025.
  9. SC Staff (January 22, 2024). "Akira ransomware group's changing tactics: What you need to know". SC Media.
  10. "Stanford says data from 27,000 people leaked in September ransomware attack". The Record (therecord.media).
  11. "Toronto Zoo shares update on last year's ransomware attack". BleepingComputer. Retrieved March 8, 2025.
  12. "Akira ransomware compromised at least 63 victims since March, report says". The Record (therecord.media).
  13. Paganini, Pierluigi (April 21, 2024). "Akira ransomware received $42M in ransom payments from over 250 victims". Security Affairs.
  14. Fadilpašić, Sead (October 14, 2024). "Veeam vulnerability exploited to deploy malware via compromised VPN credentials". TechRadar.
  15. "#StopRansomware: Akira Ransomware". CISA (www.cisa.gov). April 18, 2024. Retrieved March 8, 2025.
  16. "Akira, GOLD SAHARA, PUNK SPIDER, Group G1024". MITRE ATT&CK (attack.mitre.org). Retrieved March 8, 2025.
  17. Brown, Jade. "Akira Ransomware: A Shifting Force in the RaaS Domain". Bitdefender Blog. Retrieved March 8, 2025.
  18. Avast Threat Research Team (June 29, 2023). "Decrypted: Akira Ransomware". Avast Threat Labs. Retrieved March 7, 2025.

Licensed under CC BY-SA 3.0 | Source: https://en.wikipedia.org/wiki/Akira_(ransomware)