Full Report
Akira is a dominant ransomware threat targeting organizations primarily in North America, Europe, and Australia. It operates as a Ransomware-as-a-Service (RaaS) model with a centralized ransom control system.
Analysis Summary
# Threat Actor: Akira Ransomware Group
## Attribution & Identity
* **Identification:** Akira ransomware group.
* **Aliases/Associations:** Rapidly established itself after the suspected shutdown of the **Conti ransomware group** (circa May 2022). Evidence suggests a link to Conti, possibly through inherited resources or expertise, although this is not definitively confirmed.
* **Origin Clues:** Communications in Russian imply a connection to Russia, and the ransomware checks the system keyboard layout and refuses to run on hosts with a Russian layout. However, the origin is not confirmed.
## Activity Summary
* **Emergence:** March 2023.
* **Operation Model:** Ransomware-as-a-Service (RaaS).
* **Scale:** By January 1, 2024, impacted over 250 organizations, claiming approximately $42 million (USD) in proceeds.
* **Recent Activity:** Involved in a failed attack detailed by the Barracuda SOC. The group operates a dark web leak site.
* **Negotiation Tactics:** Offers "services" post-attack, including decryption, data removal guarantees, and security reports, though analysts often judge the report component worthless. If victims refuse to pay, their data is posted to the leak site's news column.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploiting security gaps such as open VPN channels, unprotected devices, or purchased access via the dark web.
* **Privilege Escalation & Lateral Movement:**
  * Uses the **pass-the-hash** technique to authenticate to password-protected network systems without needing the plaintext password.
  * Employs legitimate tools such as **Advanced IP Scanner** for network discovery and lateral movement.
  * Performs **Kerberoasting** followed by brute-forcing of the captured service ticket to obtain a domain admin password.
* **Defense Evasion:** Uses **PowerTool** to disable endpoint security and antivirus solutions.
* **Exfiltration:** Steals data prior to encryption.
* **Encryption:** Deploys ransomware payload (not explicitly named in the TTP section, but implied by the group name). If encryption fails, they threaten data publication.
## Targeting
* **Motivation:** Sole focus is financial gain.
* **Sectors:** Targets all sectors, with a reported preference for **manufacturing** and **critical infrastructure**.
* **Geography:** Primarily targets the **United States** and allied countries.
* **Victims:** Targets Small-to-Medium-sized Enterprises (SME), but high-profile victims include **Nissan** and **Stanford University**.
## Tools & Infrastructure
* **Malware Families Used:** Akira Ransomware.
* **Tools Used:** Advanced IP Scanner, PowerTool.
* **Infrastructure:** Operates a distinctive leak site with a retro green-screen terminal aesthetic accepting only five commands.
## Implications
Akira is a sophisticated and aggressive threat actor that leverages initial access purchased illicitly on the dark web and relies on common security posture weaknesses (MFA gaps, unprotected endpoints). Its link to the highly experienced Conti group suggests a high level of operational maturity, making it a significant and persistent threat. The group offers seemingly comprehensive post-breach services, but analysts caution that the security reports it sells add little value.
## Mitigations
* Implement consistent use of **Multi-Factor Authentication (MFA)**.
* Secure or restrict access to **VPN channels** and minimize attack surface from unprotected devices.
* Ensure robust endpoint security solutions are in place and actively monitor for defense evasion techniques (e.g., use of PowerTool).
* Implement strong credential hygiene to prevent successful 'pass-the-hash' and kerberoasting attacks.
* Monitor for network scanning activity indicative of lateral movement (e.g., Advanced IP Scanner usage).
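The two monitoring items above (defense evasion via PowerTool, lateral movement via Advanced IP Scanner) and the Kerberoasting step in the TTP list can be turned into simple detections over Windows Security events. The script below is an added example written for this page; it is not code from Barracuda or from the report. Event IDs 4769 (Kerberos service ticket request) and 4688 (process creation) and the RC4-HMAC encryption type 0x17 are real Windows values; the sample events are constructed, and the executable names, thresholds and time window are assumptions for illustration.

```python
"""
Added example (not from the report): scan Windows Security events for two
Akira-style behaviours named in the TTP list, Kerberoasting and execution of
PowerTool / Advanced IP Scanner. Event IDs 4769 and 4688 are real Windows
Security event IDs; the event records below are constructed sample data and
the executable names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberoasting heuristic: RC4-HMAC (0x17) service tickets requested by one
# account for several distinct SPNs inside a short window. Domains issue AES
# tickets by default, so a burst of RC4 requests stands out.
RC4_HMAC = "0x17"
ROAST_WINDOW = timedelta(minutes=5)   # assumed window
ROAST_MIN_SERVICES = 3                # assumed threshold

# Executable names associated with the tools in the report (assumed names;
# real tooling is often renamed, so pair this with hash/signature checks).
SUSPICIOUS_IMAGES = {
    "advanced_ip_scanner.exe": "Advanced IP Scanner (network discovery)",
    "powertool.exe": "PowerTool (defense evasion / AV tampering)",
    "powertool64.exe": "PowerTool (defense evasion / AV tampering)",
}


def detect_kerberoasting(events):
    """Return one alert per account that requested RC4 tickets for many SPNs."""
    per_account = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4769 and ev["TicketEncryptionType"] == RC4_HMAC:
            svc = ev["ServiceName"]
            # Machine accounts and krbtgt are normal requesters; skip them.
            if svc.endswith("$") or svc.lower() == "krbtgt":
                continue
            per_account[ev["TargetUserName"]].append((ev["Time"], svc))
    alerts = []
    for account, reqs in per_account.items():
        reqs.sort()
        # Sliding window over the sorted requests: distinct SPNs per window.
        for i, (t0, _) in enumerate(reqs):
            window = {svc for t, svc in reqs[i:] if t - t0 <= ROAST_WINDOW}
            if len(window) >= ROAST_MIN_SERVICES:
                alerts.append({"rule": "kerberoasting", "account": account,
                               "services": sorted(window)})
                break
    return alerts


def detect_tool_execution(events):
    """Return an alert for every process creation matching a known tool name."""
    alerts = []
    for ev in events:
        if ev["EventID"] != 4688:
            continue
        image = ev["NewProcessName"].rsplit("\\", 1)[-1].lower()
        if image in SUSPICIOUS_IMAGES:
            alerts.append({"rule": "tool_execution", "host": ev["Computer"],
                           "user": ev["SubjectUserName"], "image": image,
                           "note": SUSPICIOUS_IMAGES[image]})
    return alerts


def run_detections(events):
    return detect_kerberoasting(events) + detect_tool_execution(events)


def _t(hhmm):
    # Constructed timestamps on a single day for the sample data.
    return datetime(2024, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Normal AES (0x12) ticket request for a machine account: must not fire.
    {"EventID": 4769, "Time": _t("09:00"), "TargetUserName": "alice",
     "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x12"},
    # Burst of RC4 requests for three SPNs from one account: Kerberoasting.
    {"EventID": 4769, "Time": _t("09:01"), "TargetUserName": "jdoe",
     "ServiceName": "svc_sql", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4769, "Time": _t("09:01"), "TargetUserName": "jdoe",
     "ServiceName": "svc_backup", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4769, "Time": _t("09:02"), "TargetUserName": "jdoe",
     "ServiceName": "svc_web", "TicketEncryptionType": RC4_HMAC},
    # A single legacy RC4 request is below threshold on its own.
    {"EventID": 4769, "Time": _t("09:30"), "TargetUserName": "bob",
     "ServiceName": "svc_legacy", "TicketEncryptionType": RC4_HMAC},
    # Process creation events: two tool launches and one benign process.
    {"EventID": 4688, "Computer": "WS-042", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Users\jdoe\Downloads\advanced_ip_scanner.exe"},
    {"EventID": 4688, "Computer": "WS-042", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 4688, "Computer": "SRV-DC01", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Temp\PowerTool64.exe"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample the script raises one Kerberoasting alert for `jdoe` and two tool-execution alerts; the single RC4 request from `bob` and the AES request from `alice` stay silent. In a real deployment the same logic would read 4769/4688 events from the SIEM, and the image-name match should be backed by file hashes or driver signatures, since a renamed PowerTool binary defeats a name-only rule.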