Akira Ransomware: Who is behind the hacker group?

Akira (or Akira Ransomware) is fast becoming one of the fastest growing ransomware families, utilizing a double extortion tactic, a Ransomware-as-a-Service (RaaS) distribution model and unique payment options.

According to a report that analyzed blockchain and source code data, the Akira group appears to be linked to the now-defunct Conti ransomware gang. Conti, one of the most notorious ransomware families in recent history, is believed to be the descendant of another prolific ransomware family, the highly targeted Ryuk ransomware.


As ransomware actors evolve their tactics, creating ever more sophisticated ransomware families, organizations must work to improve their cybersecurity to effectively defend against complex threats.


Akira ransomware emerged in March 2023 and is known to target businesses in the US and Canada. Their Tor Leak site has a unique retro look that, according to a Sophos report, is reminiscent of 1980s “green screen” consoles that can be controlled by entering certain commands. In terms of code, today’s malware is completely different from the Akira ransomware family, which was active in 2017, even though they both give encrypted files the same .akira extension. As mentioned above, the Akira operators are associated with Conti actors, which explains the similarities in the code, according to the Arctic Wolf Labs team. However, they also found that after the Conti source code was leaked, various malicious actors used it to create or tweak their own code, making it even more difficult to trace the ransomware families back to the Conti operators.

Our own analysis shows that the ransomware uses similar routines to Conti, such as string obfuscation and file encryption. It also avoids the same file extensions as Conti. The main motivation of the Akira operators is obviously of a financial nature.

The group uses double extortion tactics and steals victims’ important data before encrypting devices and files. Interestingly, those behind the attacks are reportedly offering victims the option of paying for either the decryption of files or the deletion of data. Ransom demands are usually between 200,000 dollars and more than four million.

Recent activities of Akira Ransomware

In June 2023, just three months after the discovery, Akira added Linux computers to the list of targeted systems. In August, incident responder Aura reported that Akira was targeting Cisco VPN accounts that did not have multi-factor authentication (MFA).

At the beginning of September, Cisco published a security advisory on attacks via the zero-day vulnerability CVE-2023-20269 in two VPN features of its products: Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Thread Defense (FTD) software.

Cisco reports that malicious actors exploiting CVE-2023-20269 can identify valid credentials that can be misused to establish unauthorized remote access VPN sessions, and can establish a clientless SSL VPN session for victims running Cisco ASA Software Release 9.16 or earlier.

Recently, Sentinel One published a video analyzing an Akira ransomware variant called Megazord that emerged in August. This variant appears to relate to a Power Rangers formation, as it encrypts files with the POWERRANGES file extension. In the ransom note, victims are instructed to contact the ransomware actor via TOX Messenger.

Targeted regions and sectors

Because Akira is new and highly targeted, there are not as many attacks as with other more established and widespread ransomware families. Our Trend Micro™ Smart Protection Network™ telemetry shows that France was the country most affected by Akira, accounting for 53.1 percent of all detections. Most Akira victims do not belong to specific industries.

Akira’s monthly detections show a significant increase in June 2023 with 508 attack attempts. The lowest detection rates were recorded in May, with only three attack attempts in the entire month.

Targeted regions and industries based on the Akira Leak Site

This is data from the Akira Leak Site, which reveals details of the companies targeted by Akira. This data, which is a consolidation of Trend Micro’s Open Source Intelligence (OSINT) research and the leak site investigation, shows that Akira actors compromised 107 companies between April 1 and August 31, 2023. Most of the Akira victims – 85.9 percent of them to be precise – were companies based in North America, followed by eight attacks in Europe.

We found that most of the victims were small companies with 1 to 200 employees (59 victims). Medium-sized and large companies follow in second and third place. Interestingly, according to the leak site’s data, the most targeted sectors are academia and professional services, closely followed by construction and materials.

Chain of infection and techniques

The ransomware usually gains access to the victim’s environment via valid login credentials. The actors may collect the information from their partners or through other attacks. They use third-party tools such as PCHunter, AdFind, PowerTool, Terminator, Advanced IP Scanner, Windows Remote Desktop Protocol (RDP), AnyDesk, Radmin, WinRAR and the tunneling tool from Cloudflare.

Initial access: Akira actors are known to use compromised VPN credentials for initial access. They have also been observed to attack vulnerable Cisco VPNs by exploiting CVE-2023-20269, a zero-day vulnerability affecting Cisco ASA and FTD.

Persistence: The actors create a new domain account on the compromised system.

Bypassing the protection: The hackers also use PowerTool or a KillAV tool that misuses the Zemana AntiMalware driver to detect AV-related processes.

Reconnaissance: The attackers also use tools such as PCHunter and SharpHound, AdFind along with Windows net commands as well as Advanced IP Scanner and MASSCAN to gather information about the system.

Access to credentials: The attackers use Mimikatz, LaZagne or a specific command line to collect credentials.

Lateral movements and command-and-control: Windows RDP serves the actors as a tool for lateral movements in the victim network. Stolen information is exfiltrated with the help of the third-party tool and web service RClone. They also use either FileZilla or WinSCP to spread stolen information via the File Transfer Protocol (FTP). Other tools in use can be: AnyDesk, Radmin, Cloudflare Tunnel, MobaXterm, RustDesk and Ngrok.

Impact: The ransomware encrypts the affected systems with a hybrid encryption algorithm that combines Chacha20 and RSA. In addition, like most modern ransomware binaries, the binary has a feature that allows it to prevent system recovery by deleting shadow copies from the affected system. A list of the folders that are not encrypted and a summary of the encryption details can be found in the original article. There you will also find a list of MITRE Tactics and Techniques as well as a tabular summary of the other malware, tools and exploits used.

(pd/ Trendmicro)

Weitere Artikel