
Threat Brief: Understanding Akira Ransomware

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

Akira is a prolific ransomware family active since March 2023, targeting multiple industries in North America, the UK, and Australia. It operates as Ransomware as a Service (RaaS) and employs double-extortion tactics. Akira has connections to the disbanded Conti group, sharing code similarities and overlaps among operators. The ransomware uses various techniques for initial access, including compromised credentials and exploitation of vulnerabilities. It performs reconnaissance and lateral movement, and employs tools for credential dumping and defense evasion. Akira exfiltrates data before encryption and destroys system backups. The ransomware uses the ChaCha algorithm for file encryption and writes a log file of its execution. It accepts command-line arguments that define its behavior and uses the Windows Restart Manager APIs to terminate processes that hold files open.

OPENCTI LABELS:

ransomware, lateral movement, cve-2023-20269, raas, akira, conti, chacha encryption, cve-2019-6693, double extortion, credential dumping, defense evasion, cve-2021-21972, cve-2022-40684



