Full Report
Akira is a relatively new ransomware threat actor that has been active since March 2023. Like other ransomware threat actors, they breach organizations and not only encrypt their files but also exfiltrate sensitive information to use in negotiations. As shown in the following 2024 statistics, the number of companies affected by Akira ransomware is still […]
Analysis Summary
# Incident Report: Akira Ransomware Campaign Summary
## Executive Summary
Akira is an active ransomware threat actor, operating since March 2023, that runs a double-extortion scheme: data is exfiltrated first, files are then encrypted, and the stolen data is used as leverage in negotiations. Initial access most often comes from unpatched vulnerabilities in Fortinet, Cisco and SonicWall VPN gateways, or from compromised VPN accounts that lack MFA. Once inside, the attackers perform extensive discovery, steal credentials with tools such as Mimikatz, and escalate privileges through vulnerabilities in virtualization and backup infrastructure (VMware ESXi, Veeam Backup & Replication) before deploying the ransomware and threatening to leak the data.
## Incident Details
- Discovery Date: Ongoing (Active since March 2023)
- Incident Date: Ongoing Campaign
- Affected Organization: Multiple organizations (victims are continuously added to the actor's TOR leak site)
- Sector: Not specified (opportunistic targeting across sectors)
- Geography: Global
## Timeline of Events
### Initial Access
- Date/Time: Ongoing campaign (active since March 2023); no single intrusion date applies to this summary.
- Vector: Exploitation of various known vulnerabilities or compromised VPN accounts lacking MFA.
- Details: Attackers target vulnerabilities such as Fortinet CVE-2019-6693 (FortiOS hard-coded key for configuration backups), CVE-2022-40684 (FortiOS/FortiProxy authentication bypass) and CVE-2023-48788 (FortiClient EMS SQL injection); Cisco CVE-2020-3259 (ASA/FTD memory disclosure) and CVE-2023-20269 (ASA/FTD remote-access VPN unauthorized access); and SonicWall CVE-2024-40766 (SonicOS improper access control).
### Lateral Movement
- Vector/Techniques: Remote execution over SMB/admin shares with PsExec and Impacket, generally preceded by extensive discovery and credential theft.
- Details: Attackers map the environment using Active Directory reconnaissance (Nltest, AdFind, BloodHound) to identify paths to domain controllers and high-value targets.
### Data Exfiltration/Impact
- Vector/Techniques: Data is exfiltrated before encryption. Impact involves file encryption (Data Encrypted for Impact - T1486) and ransom negotiation based on the threat of public data release.
- Details: Victims are listed on the actor's TOR site, threatening data release if demands are not met.
### Detection & Response
- Detection: Relies on EDR monitoring for suspicious tool execution (Mimikatz, AdFind, Advanced IP Scanner) and for the ransomware's own execution and mass file operations (e.g., EDR.Decoy.M2470, CredentialAccess/EDR.Mimikatz.M11444).
- Response: Focuses on containing the threat, eradicating the attacker's access (implied via EDR actions), and recovering systems after encryption.
## Attack Methodology
| Tactic | Technique | Specific Tools/Methods Mentioned |
| :--- | :--- | :--- |
| **Initial Access** | Varies (Vulnerable Systems) | Exploitation of VPN gateways, Fortinet, Cisco, and SonicWall vulnerabilities. |
| **Persistence** | Create Account (T1136) | Creating new accounts (implied by EDR detection: Persistence/EDR.HideAccount.M11388). |
| **Privilege Escalation** | Exploitation for Privilege Escalation (T1068) | Veeam Backup & Replication CVE-2024-40711 (unauthenticated remote code execution via deserialization) and VMware ESXi CVE-2024-37085 (Active Directory integration bypass granting full ESXi admin rights through the "ESX Admins" group). |
| **Defense Evasion** | Hide Artifacts: Hidden Users (T1564.002) | Hiding the created accounts from the logon screen and account listings so they survive casual review (implied by EDR detection: Persistence/EDR.HideAccount.M11388). |
| **Discovery** | Network and AD Reconnaissance (T1018, T1046, T1482, T1615) | Advanced IP Scanner, NetScan, Nltest, AdFind, BloodHound. |
| **Credential Access** | OS Credential Dumping (T1003) | Mimikatz (LSASS memory dumping), LSASS dumps via the MiniDump export of the built-in `comsvcs.dll`, LaZagne, and dumping NTDS.dit via `ntdsutil.exe`. |
| **Lateral Movement** | Remote Services: SMB/Windows Admin Shares (T1021.002), Lateral Tool Transfer (T1570) | PsExec, Impacket. |
| **Collection** | Archive Collected Data (T1560.001) | WinRAR for archiving; WinSCP, FileZilla and Rclone to stage and move the archives. |
| **Command and Control**| Remote Access Software (T1219), Proxy (T1090) | AnyDesk, RustDesk, Radmin, Ngrok, Proxy connections. |
| **Exfiltration** | Exfiltration Over Web Service (T1567.002) | Destinations are not detailed in the report; exfiltration with the transfer tools listed under Collection precedes the ransomware stage. |
| **Impact** | Data Encrypted for Impact (T1486) | Deployment of Akira ransomware strain. |
## Impact Assessment
- Financial: Not specified, but involves ransom demands and recovery costs.
- Data Breach: Sensitive information exfiltrated for double extortion.
- Operational: System encryption leads to significant business disruption.
- Reputational: Negative impact due to public listing of victims on the ransomware group's TOR site.
## Indicators of Compromise
*Defanged Indicators:* the report provides no atomic indicators (hashes, IPs, domains); the indicators below are tool- and behavior-based.
- **Network Indicators:** C2 traffic associated with known remote access software (e.g., AnyDesk, Radmin), Ngrok tunnels, and proxy connections.
- **File Indicators:** Presence or execution of the collection and transfer tools (WinRAR, WinSCP, FileZilla, Rclone) on systems where they are not sanctioned.
- **Behavioral Indicators:** Execution of credential dumping tools (Mimikatz), use of `ntdsutil.exe` to dump NTDS.dit, execution of network scanners (Advanced IP Scanner), and behavior matching EDR alerts like `EDR.Mimikatz.M11444` or `EDR.NTDSUtil.M12395`.
## Response Actions
- **Containment:** Based on EDR detections, containment would involve isolating endpoints exhibiting suspicious execution, credential access, or lateral movement activities.
- **Eradication:** Removing persistence (hidden or newly created accounts), deleting attacker tooling and remote access software, and patching the exploited vulnerabilities (VPN gateways, ESXi, Veeam).
- **Recovery:** Restoring encrypted systems from clean backups and resetting compromised credentials, especially domain administrator accounts.
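The eradication step above and the Hidden Users row (T1564.002) in the methodology table both turn on finding accounts the attacker hid from view. The script below is an added example, not code from the report or from any EDR vendor: it parses constructed copies of two artifacts a responder would pull from a host (a `reg export` of the Winlogon `SpecialAccounts\UserList` key, which is the standard T1564.002 mechanism, and `net localgroup Administrators` output) and ranks hidden accounts by whether they also hold local admin rights. That Akira manipulates this exact key is an assumption; the report only says "hidden accounts".

```python
# Hidden local account audit (ATT&CK T1564.002). Added example, not the report's code.
# Assumption: accounts were hidden via the Winlogon SpecialAccounts\UserList registry key
# (value 0 = hidden from the logon/Welcome screen). Both sample artifacts are constructed.
import re

USERLIST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"

# Constructed output of: reg export "HKLM\...\Winlogon\SpecialAccounts\UserList" userlist.reg
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"helpdesk"=dword:00000001
"svc_sql$"=dword:00000000
"kiosk"=dword:00000000
"""

# Constructed output of: net localgroup Administrators
SAMPLE_NET_LOCALGROUP = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
svc_sql$
The command completed successfully.
"""


def parse_userlist(reg_text: str) -> dict:
    """Return {account: dword} for values under the UserList key (0 hides the account)."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                      # key header: [HKEY_...]
            in_key = line.strip("[]").lower() == USERLIST_KEY.lower()
            continue
        m = re.match(r'"(.+)"=dword:([0-9a-fA-F]{8})$', line)
        if in_key and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def parse_local_admins(net_text: str) -> list:
    """Member names from `net localgroup Administrators` output (between the dashed line
    and the trailing status line)."""
    members, in_members = [], False
    for line in net_text.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line.strip():
            members.append(line.strip())
    return members


def hidden_account_findings(reg_text: str, net_text: str) -> list:
    """Hidden accounts, highest severity first: hidden + local admin is the persistence
    backdoor to remove and re-credential first."""
    hidden = [name for name, v in parse_userlist(reg_text).items() if v == 0]
    admins = {m.lower() for m in parse_local_admins(net_text)}
    findings = []
    for name in hidden:
        is_admin = name.lower() in admins
        findings.append({
            "account": name,
            "local_admin": is_admin,
            # a trailing '$' also keeps the account out of `net user` listings: a second layer of hiding
            "dollar_suffix": name.endswith("$"),
            "severity": "high" if is_admin else "medium",
        })
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["account"]))


if __name__ == "__main__":
    for f in hidden_account_findings(SAMPLE_REG_EXPORT, SAMPLE_NET_LOCALGROUP):
        print(f"{f['severity']:6} {f['account']:12} admin={f['local_admin']} dollar={f['dollar_suffix']}")
```

On a live host the two inputs come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" userlist.reg` and `net localgroup Administrators`; a value of 1 (as for `helpdesk` above) is a visible account and is not reported. Removing the registry value restores visibility but does not remove the account, so eradication still has to disable or delete it and reset any credentials it touched.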
## Lessons Learned
- Reliance on unpatched/outdated external-facing systems (especially VPNs) remains a primary entry point for sophisticated threat actors.
- MFA is a critical control required on all remote access methods to prevent initial compromise via stolen or brute-forced credentials.
- Privilege escalation through virtualization and backup infrastructure (VMware ESXi, Veeam) is consistently leveraged once initial access is achieved; these are also the systems that hold the hypervisors and backups needed for recovery.
## Recommendations
1. **Mandate MFA:** Immediately enforce Multi-Factor Authentication across all VPN access points and critical remote access services.
2. **Patch Management:** Prioritize patching of external-facing services, specifically Fortinet, Cisco, SonicWall devices, and known exploited virtualization software (VMware ESXi and Veeam Backup & Replication).
3. **Monitor Credential Access:** Deploy and actively monitor EDR for behaviors associated with credential dumping tools (Mimikatz), native Windows memory dumping via `comsvcs.dll` (rundll32 MiniDump of LSASS), and NTDS.dit extraction with `ntdsutil.exe`.
4. **Active Directory Hardening:** Review and restrict the use of sensitive tools (like AdFind) within the environment and monitor for unusual execution of AD reconnaissance tools (BloodHound).
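Recommendations 3 and 4, the Behavioral Indicators, and the Credential Access, Discovery and Lateral Movement rows of the methodology table all describe the same thing: process-creation telemetry that should fire on the tradecraft named in this report. The block below is an added example, not code from the report or from any EDR product, and it goes slightly beyond the text by also covering the Impacket wmiexec/smbexec loopback-share pattern and a simple per-host escalation rule. The JSON-lines log format, field names, host names and command lines are constructed; the rule logic matches what the report names (comsvcs.dll MiniDump, ntdsutil, Mimikatz, AdFind, BloodHound, nltest, network scanners, PsExec, Impacket).

```python
# Process-creation detection rules for the credential-access, discovery and
# lateral-movement tradecraft in the table above. Added example: the JSON-lines
# format, field names and every sample event below are constructed, not real telemetry.
import json
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    user: str
    image: str      # full path of the created process
    cmdline: str    # full command line


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lc(e: Event) -> str:
    return e.cmdline.lower()


RULES = [  # (name, ATT&CK technique, tactic, predicate over an Event)
    # rundll32 comsvcs.dll,MiniDump <lsass pid> <path> full : LSASS dump with a signed Windows DLL
    ("LSASS dump via comsvcs.dll MiniDump", "T1003.001", "credential-access",
     lambda e: "comsvcs.dll" in lc(e) and "minidump" in lc(e)),
    # ntdsutil "ac i ntds" "ifm" "create full <dir>" copies NTDS.dit plus the SYSTEM hive
    ("NTDS.dit dump via ntdsutil IFM", "T1003.003", "credential-access",
     lambda e: basename(e.image) == "ntdsutil.exe" and ("ifm" in lc(e) or "create full" in lc(e))),
    ("Mimikatz", "T1003.001", "credential-access",
     lambda e: basename(e.image) == "mimikatz.exe" or "sekurlsa::" in lc(e) or "lsadump::" in lc(e)),
    ("AdFind AD enumeration", "T1087.002", "discovery",
     lambda e: basename(e.image) == "adfind.exe" or ("objectcategory=" in lc(e) and " -f " in lc(e))),
    ("BloodHound/SharpHound collection", "T1087.002", "discovery",
     lambda e: basename(e.image) == "sharphound.exe" or "invoke-bloodhound" in lc(e)),
    ("nltest DC / trust enumeration", "T1018", "discovery",
     lambda e: basename(e.image) == "nltest.exe" and ("/dclist" in lc(e) or "/domain_trusts" in lc(e))),
    ("Network scanner", "T1046", "discovery",
     lambda e: basename(e.image).startswith("advanced_ip_scanner") or basename(e.image) == "netscan.exe"),
    ("PsExec", "T1021.002", "lateral-movement",
     lambda e: basename(e.image) in {"psexec.exe", "psexec64.exe", "psexesvc.exe"}),
    # Impacket wmiexec/smbexec redirect command output to a file on the loopback ADMIN$/C$ share
    ("Impacket wmiexec/smbexec pattern", "T1021.002", "lateral-movement",
     lambda e: "\\\\127.0.0.1\\admin$\\__" in lc(e) or "\\\\127.0.0.1\\c$\\__output" in lc(e)),
]


def scan_log(text: str) -> list:
    """Parse JSON-lines process-creation events and return one hit per (event, rule)."""
    hits = []
    for line in filter(str.strip, text.splitlines()):
        d = json.loads(line)
        e = Event(d["host"], d["user"], d["image"], d["cmdline"])
        hits += [{"host": e.host, "user": e.user, "rule": n, "technique": t, "tactic": tac}
                 for n, t, tac, pred in RULES if pred(e)]
    return hits


def hosts_to_isolate(hits: list, min_tactics: int = 2) -> list:
    """Hosts where rules from two or more tactics fired: credential theft plus discovery on
    one host is the chain described in this report and is a containment decision, not one alert."""
    seen = {}
    for h in hits:
        seen.setdefault(h["host"], set()).add(h["tactic"])
    return sorted(host for host, tactics in seen.items() if len(tactics) >= min_tactics)


# Constructed sample events; the last two are benign administrative activity.
SAMPLE_LOG = "\n".join(json.dumps(ev) for ev in [
    {"host": "WS07", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\l.dmp full"},
    {"host": "WS07", "user": "CORP\\jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\AdFind.exe",
     "cmdline": r"AdFind.exe -f (objectcategory=person) -csv samaccountname"},
    {"host": "WS07", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /dclist:corp.example"},
    {"host": "WS07", "user": "CORP\\jdoe", "image": r"C:\Users\jdoe\Downloads\Advanced_IP_Scanner_2.5.exe",
     "cmdline": "Advanced_IP_Scanner_2.5.exe"},
    {"host": "DC01", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\crash" q q'},
    {"host": "FS02", "user": "CORP\\Administrator", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1712345678.12 2>&1"},
    {"host": "WS12", "user": "CORP\\mlee", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe printui.dll,PrintUIEntry /in /n \\print01\HP-Floor3"},
    {"host": "DC01", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /sc_query:corp.example"},
])

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['host']:5} {h['technique']:10} {h['rule']}")
    print("isolate:", hosts_to_isolate(scan_log(SAMPLE_LOG)))
```

The rules match on command-line content and executable name, so a renamed AdFind binary is still caught by its `-f (objectcategory=...)` syntax and a renamed rundll32 by the `comsvcs.dll` / `MiniDump` arguments. The `ntdsutil` IFM rule will also fire on a legitimate backup operator creating an install-from-media set, which is why the per-host escalation in `hosts_to_isolate` matters: DC01 above gets a single credential-access alert for analyst review, while WS07, which shows credential dumping followed by AD and network discovery, is the host to isolate.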