The brand new Akira ransomware operation has slowly been constructing an inventory of victims as they breach company networks worldwide, encrypt recordsdata, after which demand million-dollar ransoms.
Launched in March 2023, Akira claims to have already carried out assaults on sixteen corporations. These corporations are in numerous industries, together with schooling, finance, actual property, manufacturing, and consulting.
Whereas one other ransomware named Akira was launched in 2017, it’s not believed that these operations are associated.
The Akira encryptor
A pattern of the Akira ransomware was found by MalwareHunterTeam, who shared a pattern with BleepingComputer so we might analyze it.
When executed, Akira will delete Home windows Shadow Quantity Copies on the system by working the next PowerShell command:
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Take away-WmiObject"
The ransomware will then proceed to encrypt recordsdata that comprise the next file extensions:
.accdb, .accde, .accdc, .accdt, .accdr, .adb, .accft, .adf, .ade, .arc, .adp, .alf, .ora, .btr, .ask, .cat, .bdf, .ckp, .cdb, .cpd, .cma, .dad, .dacpac, .daschema, .dadiagrams, .db-shm, .db-wal, .dbf, .dbc, .dbt, .dbs, .dbx, .dbv, .dct, .dcb, .ddl, .dcx, .dlis, .dsk, .dqy, .dtsx, .dsn, .eco, .dxl, .edb, .ecx, .exb, .epim, .fdb, .fcd, .fmp, .fic, .fmpsl, .fmp12, .fol, .fpt, .gdb, .frm, .gwi, .grdb, .his, .hdb, .idb, .itdb, .ihx, .jet, .itw, .kdb, .jtx, .kexic, .kexi, .lgc, .kexis, .maf, .lwx, .mar, .maq, .mav, .mas, .mdf, .mdb, .mrg, .mpd, .mwb, .mud, .ndf, .myd, .nrmlib, .nnt, .nsf, .nyf, .nwdb, .oqy, .odb, .owc, .orx, .pdb, .pan, .pnz, .pdm, .qvd, .qry, .rctd, .rbf, .rodx, .rod, .rsd, .rpd, .sbf, .sas7bdat, .sdb, .scx, .sdf, .sdc, .spq, .sis, .sqlite, .sql, .sqlitedb, .sqlite3, .temx, .tps, .tmd, .trm, .trc, .udl, .udb, .usr, .vpd, .vis, .wdb, .vvv, .wrk, .wmdb, .xld, .xdb, .abcddb, .xmlff, .abx, .abs, .adn, .accdw, .icg, .hjt, .kdb, .icr, .maw, .lut, .mdt, .mdn, .vhd, .vdi, .pvm, .vmdk, .vmsn, .vmem, .nvram, .vmsd, .uncooked, .vmx, .subvol, .qcow2, .vsv, .bin, .vmrs, .avhd, .avdx, .vhdx, .iso, .vmcxWhereas encrypting, the encryptor will skip recordsdata discovered within the Recycle Bin, System Quantity Info, Boot, ProgramData, and Home windows folders. It is going to additionally keep away from encrypting the Home windows system recordsdata with .exe, .lnk, .dll, .msi, and .sys file extensions.
When encrypting recordsdata, the ransomware encrypts recordsdata and appends the .akira extension will likely be appended to the file’s title.
For instance, a file named 1.doc can be encrypted and renamed to 1.doc.akira, as proven within the encrypted folder under.
Supply: BleepingComputer
Akira additionally makes use of the Home windows Restart Supervisor API to shut processes or shut down Home windows providers which may be protecting a file open and stopping encryption.
Every laptop folder will comprise a ransom word named akira_readme.txt that features data on what occurred to a sufferer’s recordsdata and hyperlinks to the Akira knowledge leak web site and negotiation web site.
“As to your knowledge, if we fail to agree, we’ll attempt to promote private data/commerce secrets and techniques/databases/supply codes – typically talking, all the things that has a worth on the darkmarket – to a number of menace actors at ones. Then all of this will likely be revealed in our weblog,” threatens the Akira ransom word.
Supply: BleepingComputer
Every sufferer has a novel negotiation password that’s entered into the menace actor’s Tor web site. In contrast to many different ransomware operations, this negotiation web site simply features a chat system that the sufferer can use to barter with the ransomware gang.
Supply: BleepingComputer
Information leak web site used to extort victims
Like different ransomware operations, Akira will breach a company community and unfold laterally to different units. As soon as the menace actors achieve Home windows area admin credentials, they’ll deploy the ransomware all through the community.
Nonetheless, earlier than encrypting recordsdata, the menace actors will steal company knowledge for leverage of their extortion makes an attempt, warning victims that it will likely be publicly launched if a ransom is just not paid.
The Akira gang put loads of effort into their knowledge leak web site, giving it a retro look the place guests can navigate it by typing in instructions, as proven under.
Supply: BleepingComputer
On the time of this writing, Akira has leaked the info for 4 victims on their knowledge leak web site, with the dimensions of the leaked knowledge starting from 5.9 GB for one firm to 259 GB for one more.
From negotiations seen by BleepingComputer, the ransomware gang calls for ransoms starting from a $200,000 to tens of millions of {dollars}.
They’re additionally keen to decrease ransom calls for for corporations who don’t want a decryptor, and simply wish to forestall the leaking of stolen knowledge.
The ransomware is at present being analyzed for weaknesses, and BleepingComputer doesn’t advise victims to pay the ransom till its decided if a free decryptor can recuperate recordsdata without spending a dime.