Posted on September 1, 2023
An emerging ransomware family named Akira has been identified in the wild by the Atech security team. It targets a wide range of organisations, typically SMBs.
Akira exfiltrates and then encrypts the victim's data in a double-extortion scheme: the attackers threaten to sell or leak the stolen data on the dark web if the ransom for decrypting the data is not paid.
Initial access appears to rely on valid accounts and on VPN services that do not have MFA enabled.
Upon launch, the ransomware payload runs PowerShell commands to remove volume shadow copies (VSS), removing the easiest local recovery path. It then encrypts files and appends the .akira extension to each affected file. If a file is locked by the Windows operating system, the ransomware attempts to use the Windows Restart Manager (WRM) API to release the lock so that the file can still be encrypted. The payloads contain a hard-coded list of file extensions to process for encryption, together with an exclusion list of files and directories to skip so that nothing inhibits the encryption run. Finally, a README file containing the ransom note is dropped on to the system.
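The three host-side behaviours described above (shadow-copy deletion via PowerShell or the usual command-line tools, a burst of files renamed with the .akira extension, and a README ransom note appearing) are each observable in ordinary endpoint telemetry. The detector below is an added example written for this page, not Atech's own tooling; it runs over constructed, Sysmon-style sample events (the timestamps, hostnames, paths and the `akira_readme.txt` note filename are all made up for the example) and raises a finding per behaviour, so a SOC can see what a correlation rule for this family needs to key on.

```python
"""Added example (not Atech's code): flag the Akira host behaviours the
advisory describes, using simplified Sysmon-style host telemetry."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry, not taken from any real incident. Each line is
# timestamp|host|kind|detail, where kind is "process" (a command line, like
# Sysmon event ID 1) or "file" (the path of a newly created file, like
# Sysmon event ID 11). WS01 shows the infection pattern; WS02 is benign noise.
SAMPLE_EVENTS = [
    "2023-09-01T10:00:01|WS01|process|C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "2023-09-01T10:00:05|WS01|process|powershell.exe -Command \"Get-WmiObject Win32_Shadowcopy | Remove-WmiObject\"",
    "2023-09-01T10:00:06|WS01|file|C:\\Users\\alice\\Documents\\budget.xlsx.akira",
    "2023-09-01T10:00:07|WS01|file|C:\\Users\\alice\\Documents\\plan.docx.akira",
    "2023-09-01T10:00:08|WS01|file|C:\\Users\\alice\\Pictures\\team.jpg.akira",
    "2023-09-01T10:00:09|WS01|file|C:\\Shares\\finance\\q3.pdf.akira",
    "2023-09-01T10:00:10|WS01|file|C:\\Shares\\finance\\q4.pdf.akira",
    "2023-09-01T10:00:11|WS01|file|C:\\Shares\\finance\\ledger.csv.akira",
    "2023-09-01T10:00:20|WS01|file|C:\\Shares\\finance\\akira_readme.txt",
    "2023-09-01T10:05:00|WS02|process|vssadmin.exe list shadows",
    "2023-09-01T10:06:00|WS02|file|C:\\Users\\bob\\notes.txt",
]

# Command-line shapes that delete shadow copies. Listing shadows is common
# admin activity and deliberately does not match.
VSS_DELETION_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_Shadowcopy.*Remove-(WmiObject|CimInstance)", re.I),
]


def parse_event(line):
    """Split one telemetry line; maxsplit keeps pipes inside the detail intact."""
    ts, host, kind, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "detail": detail}


def is_vss_deletion(cmdline):
    """True if the command line matches a known shadow-copy deletion form."""
    return any(p.search(cmdline) for p in VSS_DELETION_PATTERNS)


def is_burst(times, threshold, window_seconds):
    """True if at least `threshold` events fall inside any `window_seconds` span."""
    times = sorted(times)
    for i in range(len(times) - threshold + 1):
        if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
            return True
    return False


def detect(lines, burst_threshold=5, window_seconds=60):
    """Return (finding, host, evidence) tuples for the behaviours in the advisory."""
    findings = []
    akira_times = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["kind"] == "process":
            if is_vss_deletion(ev["detail"]):
                findings.append(("vss_deletion", ev["host"], ev["detail"]))
        elif ev["kind"] == "file":
            name = ev["detail"].rsplit("\\", 1)[-1].lower()
            if name.endswith(".akira"):
                akira_times[ev["host"]].append(ev["ts"])
            elif "readme" in name and name.endswith(".txt"):
                # The exact note filename varies; match the README pattern the
                # advisory describes rather than one hard-coded name.
                findings.append(("ransom_note", ev["host"], ev["detail"]))
    for host, times in akira_times.items():
        if is_burst(times, burst_threshold, window_seconds):
            findings.append(("akira_extension_burst", host, len(times)))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

On the sample data this yields three findings, all on WS01, and nothing on WS02, where a `vssadmin list shadows` and a plain `notes.txt` are correctly ignored. In production the same three signals would be correlated per host within a short window: shadow-copy deletion alone is a strong alert on a workstation, while the rename burst is what distinguishes encryption in progress from a one-off suspicious command.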
Advice & Recommendations
Because the group uses a range of techniques to gain access to a vulnerable network, the mitigations are the standard ones for protecting against any ransomware attack.
- Educate Customers: Employees should be educated on the risks of ransomware and on how to identify and avoid phishing emails and malicious attachments.
- Implement Strong Passwords: Organisations should implement strong, unique passwords for all user accounts, and review their password policy to ensure it conforms to best practice.
- Admin Accounts: Organisations should limit the number of privileged accounts, enforcing MFA and just-in-time access. No local admin rights should be granted to end users.
- Multi-factor Authentication (MFA): Enable MFA for all user accounts on every solution that provides authentication, so that a stolen password alone is not enough to log in.
- Anti-Virus (EDR): All organisations we support should have an up-to-date anti-virus and anti-malware (ideally EDR) solution enabled and deployed to all endpoints. Advanced features such as attack surface reduction controls and network protection should also be enforced to prevent such attacks.
- Update and Patch Systems: Organisations should regularly update and patch their systems to fix known vulnerabilities.
- Implement Backup and Disaster Recovery: Implement regular backup and disaster recovery (BDR) processes to ensure that the organisation can recover from a successful attack.
- Review 3rd Party Licences / Agreements: Where an organisation has outsourced items of work, teams should review how this affects the BCDR process and the risks to a speedy recovery.